Nmap Development mailing list archives

Re: script for virtual host discovery


From: Carlos Pantelides <carlos_pantelides () yahoo com>
Date: Wed, 3 Nov 2010 16:14:16 -0700 (PDT)

David:

> Okay. I did misunderstand how your script works.... request.
> I'm sorry for the confusion. You can forget what I said earlier
> because I didn't see what you were doing.

No problem, don't worry. I always have some trouble communicating, even face to face in my native language.

1)
> You have a todo to qualify script argument names.
> That's easy, just pass the qualified name to
> stdnse.get_script_args.

Done

2)
> I don't see the purpose of the "quiet" argument;
> if someone doesn't want to see the results they
> should just not run the script.

I think of this script as a first step that could feed some other http-* script. There is a "persist" functionality to implement.

That brings another question I know nothing about. How to give output to those scripts? We can continue with this later in another thread.


3)
> You're controlling the Host header by actually changing
> host.targetname:
> I suggest that you do it like this instead:
>     http_response = http.head(host, port, resource,
>         {header={Host=makeTargetName(name, domain)}})

It did not work. I'll investigate http.lua and try again later.

 
4)
> Can you explain more what the defineNames function does?

defineNames() loads names from a system-provided file, a user-provided file and a user-provided command line list. It uses an associative array in order to keep the keys unique. These names are like 'www', 'wiki'.

5)
> I don't get what you're doing by assigning
> the values 0.0, 0.9, and 1.0 to names.

My idea is to give the names some weight so later I can implement something like --version-intensity; consider that there are a lot of names.

I gave 1.0 and 0.9 to user-provided names to keep them on top, and when and if there is feedback on Host: hits, the system-provided names will have their weight, see item 8 below. We can continue with this later.

6)
> why it is not working in the portrule?

What I wanted was to set up the names only once, because they don't change between hosts/ports. So I tried calling it from prerule(); I thought that everything stored in nmap.registry would become available later, but it seems that it does not apply to prerule().

7)
> For the portrule, just use
>     portrule = shortport.http

My idea is that as you may be searching for services outside their normal ports, you can get http and https regardless of what you asked of nmap. If you want to restrict http-vhosts to http or https via script args, shortport cannot deal with that, unless there is something I've missed.

That is the reason for a previous shameful mail of mine (http://seclists.org/nmap-dev/2010/q4/134). Since then I have been modifying the code of service_scan.cc and discovered that my best optimization regarding only identifying selected services runs as fast (or slow) as --version-intensity 0. We can continue with this later in another thread.

-------------------
8) 
Related to 2 (quiet arg) and 5 (values to names) there is a future argument called "report" that:

"after stripping sensitive info like ip, domain names, hostnames and redirection targets from the result, append it to a file that can then be uploaded. If enough info is gathered, the names will be weighted. It can be shared with metasploit"


 
> I think this can be a useful script. Let me know what you
> think about my suggestions above and we can work on including it.

Thank you a lot for your tips and suggestions. It seems that there are things that are not working as expected; I hope I can help with that. I'll keep working on the http.head and prerule suggestions. I am reposting the current version, with your list applied and some minor refactorings, but without the names, as they did not change.

Charlie


      

Attachment: http-vhosts.nse
Description:
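As an added illustration (not the attached http-vhosts.nse and not David's code), this is how points 1, 3, 5/6 and 7 of the exchange fit together in one NSE script; the argument names http-vhosts.proto and http-vhosts.domain, the sample names with their weights, and the HEAD path "/" are assumptions.

```lua
-- Added example, not the posted http-vhosts.nse. Assumed: argument names
-- http-vhosts.proto / http-vhosts.domain, the sample names, the HEAD path "/".
local http      = require "http"
local nmap      = require "nmap"
local shortport = require "shortport"
local stdnse    = require "stdnse"
categories = {"discovery", "intrusive"}

-- 1) qualified argument names: the script-name prefix avoids clashes
local proto_arg, domain_arg = stdnse.get_script_args("http-vhosts.proto",
                                                     "http-vhosts.domain")

-- 7) shortport.http matches http and https alike; restricting to one of
--    them from a script argument means wrapping it rather than assigning it
portrule = function(host, port)
  if not shortport.http(host, port) then return false end
  if proto_arg == "https" then return shortport.ssl(host, port) end
  if proto_arg == "http"  then return not shortport.ssl(host, port) end
  return true
end

-- 5)/6) weighted names built once, under a script-specific nmap.registry key,
--    so every host/port shares the same table (constructed sample values)
local function candidate_names()
  local reg = nmap.registry["http-vhosts"]
  if not reg then
    reg = { names = { www = 1.0, wiki = 0.9, mail = 0.0 } }
    nmap.registry["http-vhosts"] = reg
  end
  return reg.names
end

-- 3) the Host header rides in http.head's options table; host.targetname
--    stays untouched
local function probe(host, port, vhost)
  local resp = http.head(host, port, "/", { header = { Host = vhost } })
  return resp and resp.status or nil
end

action = function(host, port)
  local domain = domain_arg or host.targetname or host.ip
  local lines = {}
  for name, weight in pairs(candidate_names()) do
    local status = probe(host, port, name .. "." .. domain)
    if status then
      lines[#lines + 1] = string.format("%s.%s -> HTTP %d (weight %.1f)",
                                        name, domain, status, weight)
    end
  end
  if #lines > 0 then return "\n" .. table.concat(lines, "\n") end
end
```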

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
