From 1441aea655b4699e624fc228e8faab101128d853 Mon Sep 17 00:00:00 2001
From: david
Date: Sun, 29 Jul 2012 03:39:11 +0000
Subject: [PATCH] Reduce the number of names tried by http-vhosts by default.
Vlatko reported that this script was taking an inordinate amount of time even in typical scans. This patch reduces the number of domains tried by default. The new http-vhosts.filelist script argument allows substituting the original list or another of your choosing. Patch by Vlatko. http://seclists.org/nmap-dev/2012/q3/432
---
 CHANGELOG | 3 +
 nselib/data/vhosts-default.lst | 28 +++
 nselib/data/vhosts-full.lst | 405 ++++++++++++++++++++++++++++++
 scripts/http-vhosts.nse | 434 +--------------------------------
 4 files changed, 448 insertions(+), 422 deletions(-)
 create mode 100644 nselib/data/vhosts-default.lst
 create mode 100644 nselib/data/vhosts-full.lst
diff --git a/CHANGELOG b/CHANGELOG
index bcffec4c2..18811d927 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Reduced the number of names tried by http-vhosts by default.
+ [Vlatko Kosturjak] + o Linux unreachable routes are now properly ignored. [David Fifield] + o [NSE] Added smb-vuln-ms10-054 script which check the target system for MS10-054
diff --git a/nselib/data/vhosts-default.lst b/nselib/data/vhosts-default.lst
new file mode 100644
index 000000000..5988dccd2
--- /dev/null
+++ b/nselib/data/vhosts-default.lst
@@ -0,0 +1,28 @@
+admin
+aptest
+backup
+beta
+cvs
+dev
+devel
+development
+devtest
+ftp
+git
+help
+helpdesk
+home
+info
+intra
+intranet
+mail
+s3
+test
+test1
+test2
+testing
+web
+web2test
+wiki
+www
+www2
diff --git a/nselib/data/vhosts-full.lst b/nselib/data/vhosts-full.lst
new file mode 100644
index 000000000..974afcb26
--- /dev/null
+++ b/nselib/data/vhosts-full.lst
@@ -0,0 +1,405 @@ + +abbot +admin +adserver +alpha +api +aptest +arch +artifactory +assembla +atd +athena +atollon +attask +attix +attix5 +automatedqa +backend +backup +bacula +badboy +basecamp +bazaar +beta +bitkeeper +bkp +branch +brightwork +broadwave +bromine +bugtracker +bugzilla +build +businessdriver +campus +catchlimited +ccc +centraldesktop +cerebro +civicrm +clarizen +clearcase +clearquest +clif +clockingit +codebeamer +codendi +codesourcery +codeville +collabtive +compuware +concordion +conformiq +cppunit +crm +cruisecontrol +cubictest +cucumber +cunit +cvs +cvsnt +darcs +dartenium +dcvs +debbugs +dev +devel +development +devtest +dieseltest +digitaltester +distract +dolibarr +dotproject +dune +durable +duxqa +dynamics +easy +egroupware +eload +elvior +empirix +endeavour +enterprise +epesi +epesibim +etester +eventum +fasttrack +feng +firefly +flumotion +flyspray +fogbugz +foro +forum +fossil +frankenstein +freecast +froglogic +frontend +ftp +functional +functionaltester +fwptt +game +games +gamma +gemini +geniesys +genietcms +genius +git +glasscubes +gnats +goplan +grinder +guitar +gurock +hammerhead +hammerora +harvest +helix +help +helpdesk +home +htmlunit +httpunit +huddle +hudson +hyperoffice +icecast +ikiwiki +images +incisif +inflectra +info +informup +intra +intranet +issuenet +isupport +it +itcampus +jabber +jadeliquid +jbehave +jboss +jcrawler +jemmy +jfunc +jira +jite +jmeter +jotbug +journyx +jtest +jtrack +junit +jwebunit +kayako +kforge +kkoop +launchpad +liberum +libresource +liquidplanner +liquidtest +list +lista +listas +listman +lists +loadrunner +magnetic +mail +mailman +mantis +mantisbt +manual +marathon +matchware +maven +mbt +media +mercurial +mercury +merlin +messagemagic +mingle +mks +mksintegrity +mojo +monotone +mvn +nuevosoft +objentis +opengoo +opengroup +openload +openproj +openqa +opensta +openwebload +optimaltest +orcanos +origsoft +otmgr +otrs +passmark +peercast +perforce +performancetester +phpgroupware +phprojekt 
+phpunit +pivotal +pjsip +planisware +plastic +postfix +practitest +primavera +principal +prod +project +projecthq +projectpier +projectplace +projectspaces +projektron +projistics +psnext +pureagent +pureload +puretest +pylot +qadirector +qaliber +qaload +qamanager +qatraq +qmetry +qmtest +qpack +qtest +qtronic +qualify +quickbase +quicktest +quicktestpro +quotium +rcs +realese +redmine +remedy +request +research +robot +roundup +rth +s3 +sahi +salome +sap +scarab +sccs +seam +seapine +search +selenium +sendmail +services +severa +sharpforge +shoutcast +siebel +silk +silkcentral +silkperformer +simpletest +simpletestmanagement +simpleticket +simulator +sipp +sipr +smartesoft +smartload +smartqm +smartscript +smartsheet +soap +soapui +software +softwareresearch +sourcesafe +specflow +spiceworks +spiratest +spring +squish +staff +stage +stagging +static +storytestiq +streaming +stub +sugar +sugarcrm +supportworks +svk +svn +synergy +tag +team +teamcenter +teamware +teamwork +teamworkpm +techexcel +telerik +tenrox +test +test1 +test2 +testbench +testcase +testcomplete +testdirector +testdrive +tester +testing +testitools +testlink +testlog +testman +testmanager +testmaster +testmasters +testopia +testoptimal +testpartner +testrail +testrun +testsuite +testtrack +testuff +testup +testworks +texttest +tigris +tomcat +tplan +trac +track +tracker +trackersuite +tricentis +trunk +twist +ubidesk +unawave +unreal +utest +vault +verisium +vnc +vncrobot +vperformer +vpmi +vtest +watin +watir +web +web2project +web2test +webaii +webdriver +webking +webload +webspoc +wiki +windmill +winrunner +wit +workbook +workengine +worklenz +workspace +wowza +wrike +ws +www +www2 +xhtmlunit +xml-simulator +xplanner +xqual +xstudio +youtrack +zentrack +zephyr +zoho diff --git a/scripts/http-vhosts.nse b/scripts/http-vhosts.nse index 2e50c406c..63fba80f4 100644 --- a/scripts/http-vhosts.nse +++ b/scripts/http-vhosts.nse 
@@ -3,6 +3,7 @@ local shortport = require "shortport"
 local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
+local datafiles = require "datafiles"
 description = [[
 Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames.
@@ -26,6 +27,7 @@ various names of the form .example.com are tried.
 -- etc. If not provided, a guess is made based on the hostname.
 -- @arg http-vhosts.path The path to try to retrieve. Default /.
 -- @arg http-vhosts.collapse The limit to start collapsing results by status code. Default 20
+-- @arg http-vhosts.filelist file with the vhosts to try. Default nselib/data/vhosts-default.lst
 -- @output
 -- PORT STATE SERVICE REASON
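Review bot: The new `@arg http-vhosts.filelist` line does not say what the file must contain or that the previous, much larger list is still shipped, even though this commit shrinks the default from roughly 400 names to 28 and a user wanting the old coverage gets no pointer to it. Suggest `-- @arg http-vhosts.filelist File with the vhost names to try, one per line. Default nselib/data/vhosts-default.lst; the full pre-existing list is nselib/data/vhosts-full.lst.` The `description` text in the first hunk still advertises "a large number of HEAD requests", which is no longer true with the default list and could be softened to "a configurable list of hostnames".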
@@ -59,428 +61,9 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = { "discovery", "intrusive" } - --- List of domains to try. (Will become names like example.com, --- abbot.example.com, admin.example.com, etc.) The list is derived from --- Wikipedia lists of software with a web interface. -local HOSTNAMES = { - "", - "abbot", - "admin", - "adserver", - "alpha", - "api", - "aptest", - "arch", - "artifactory", - "assembla", - "atd", - "athena", - "atollon", - "attask", - "attix", - "attix5", - "automatedqa", - "backend", - "backup", - "bacula", - "badboy", - "basecamp", - "bazaar", - "beta", - "bitkeeper", - "bkp", - "branch", - "brightwork", - "broadwave", - "bromine", - "bugtracker", - "bugzilla", - "build", - "businessdriver", - "campus", - "catchlimited", - "ccc", - "centraldesktop", - "cerebro", - "civicrm", - "clarizen", - "clearcase", - "clearquest", - "clif", - "clockingit", - "codebeamer", - "codendi", - "codesourcery", - "codeville", - "collabtive", - "compuware", - "concordion", - "conformiq", - "cppunit", - "crm", - "cruisecontrol", - "cubictest", - "cucumber", - "cunit", - "cvs", - "cvsnt", - "darcs", - "dartenium", - "dcvs", - "debbugs", - "dev", - "devel", - "development", - "devtest", - "dieseltest", - "digitaltester", - "distract", - "dolibarr", - "dotproject", - "dune", - "durable", - "duxqa", - "dynamics", - "easy", - "egroupware", - "eload", - "elvior", - "empirix", - "endeavour", - "enterprise", - "epesi", - "epesibim", - "etester", - "eventum", - "fasttrack", - "feng", - "firefly", - "flumotion", - "flyspray", - "fogbugz", - "foro", - "forum", - "fossil", - "frankenstein", - "freecast", - "froglogic", - "frontend", - "ftp", - "functional", - "functionaltester", - "fwptt", - "game", - "games", - "gamma", - "gemini", - "geniesys", - "genietcms", - "genius", - "git", - "glasscubes", - "gnats", - "goplan", - "grinder", - "guitar", - "gurock", - "hammerhead", - "hammerora", - "harvest", - "helix", - "help", - 
"helpdesk", - "home", - "htmlunit", - "httpunit", - "huddle", - "hudson", - "hyperoffice", - "icecast", - "ikiwiki", - "images", - "incisif", - "inflectra", - "info", - "informup", - "intra", - "intranet", - "issuenet", - "isupport", - "it", - "itcampus", - "jabber", - "jadeliquid", - "jbehave", - "jboss", - "jcrawler", - "jemmy", - "jfunc", - "jira", - "jite", - "jmeter", - "jotbug", - "journyx", - "jtest", - "jtrack", - "junit", - "jwebunit", - "kayako", - "kforge", - "kkoop", - "launchpad", - "liberum", - "libresource", - "liquidplanner", - "liquidtest", - "list", - "lista", - "listas", - "listman", - "lists", - "loadrunner", - "magnetic", - "mail", - "mailman", - "mantis", - "mantisbt", - "manual", - "marathon", - "matchware", - "maven", - "mbt", - "media", - "mercurial", - "mercury", - "merlin", - "messagemagic", - "mingle", - "mks", - "mksintegrity", - "mojo", - "monotone", - "mvn", - "nuevosoft", - "objentis", - "opengoo", - "opengroup", - "openload", - "openproj", - "openqa", - "opensta", - "openwebload", - "optimaltest", - "orcanos", - "origsoft", - "otmgr", - "otrs", - "passmark", - "peercast", - "perforce", - "performancetester", - "phpgroupware", - "phprojekt", - "phpunit", - "pivotal", - "pjsip", - "planisware", - "plastic", - "postfix", - "practitest", - "primavera", - "principal", - "prod", - "project", - "projecthq", - "projectpier", - "projectplace", - "projectspaces", - "projektron", - "projistics", - "psnext", - "pureagent", - "pureload", - "puretest", - "pylot", - "qadirector", - "qaliber", - "qaload", - "qamanager", - "qatraq", - "qmetry", - "qmtest", - "qpack", - "qtest", - "qtronic", - "qualify", - "quickbase", - "quicktest", - "quicktestpro", - "quotium", - "rcs", - "realese", - "redmine", - "remedy", - "request", - "research", - "robot", - "roundup", - "rth", - "s3", - "sahi", - "salome", - "sap", - "scarab", - "sccs", - "seam", - "seapine", - "search", - "selenium", - "sendmail", - "services", - "severa", - "sharpforge", - "shoutcast", - 
"siebel", - "silk", - "silkcentral", - "silkperformer", - "simpletest", - "simpletestmanagement", - "simpleticket", - "simulator", - "sipp", - "sipr", - "smartesoft", - "smartload", - "smartqm", - "smartscript", - "smartsheet", - "soap", - "soapui", - "software", - "softwareresearch", - "sourcesafe", - "specflow", - "spiceworks", - "spiratest", - "spring", - "squish", - "staff", - "stage", - "stagging", - "static", - "storytestiq", - "streaming", - "stub", - "sugar", - "sugarcrm", - "supportworks", - "svk", - "svn", - "synergy", - "tag", - "team", - "teamcenter", - "teamware", - "teamwork", - "teamworkpm", - "techexcel", - "telerik", - "tenrox", - "test", - "test1", - "test2", - "testbench", - "testcase", - "testcomplete", - "testdirector", - "testdrive", - "tester", - "testing", - "testitools", - "testlink", - "testlog", - "testman", - "testmanager", - "testmaster", - "testmasters", - "testopia", - "testoptimal", - "testpartner", - "testrail", - "testrun", - "testsuite", - "testtrack", - "testuff", - "testup", - "testworks", - "texttest", - "tigris", - "tomcat", - "tplan", - "trac", - "track", - "tracker", - "trackersuite", - "tricentis", - "trunk", - "twist", - "ubidesk", - "unawave", - "unreal", - "utest", - "vault", - "verisium", - "vnc", - "vncrobot", - "vperformer", - "vpmi", - "vtest", - "watin", - "watir", - "web", - "web2project", - "web2test", - "webaii", - "webdriver", - "webking", - "webload", - "webspoc", - "wiki", - "windmill", - "winrunner", - "wit", - "workbook", - "workengine", - "worklenz", - "workspace", - "wowza", - "wrike", - "ws", - "www", - "www2", - "xhtmlunit", - "xml-simulator", - "xplanner", - "xqual", - "xstudio", - "youtrack", - "zentrack", - "zephyr", - "zoho" -} --- uncomment and modify this for shorter scans --- local HOSTNAMES = { --- "", --- "www", --- "docs", --- "images" --- } - -- Defines domain to use, first from user and then from host defineDomain = function(host) - if stdnse.get_script_args("http-vhosts.domain") then return 
stdnse.get_script_args("http-vhosts.domain") end
+ if stdnse.get_script_args(SCRIPT_NAME..".domain") then return stdnse.get_script_args(SCRIPT_NAME..".domain") end
 local name = stdnse.get_hostname(host)
 if name and name ~= host.ip then
@@ -517,7 +100,7 @@ end
 -- @return string
 local collapse = function(result)
 local collapsed = {""}
- local limit = tonumber(stdnse.get_script_args("http-vhosts.collapse")) or 10
+ local limit = tonumber(stdnse.get_script_args(SCRIPT_NAME..".collapse")) or 10
 for code, group in next, result do
 if #group > limit then
 collapsed[#collapsed + 1] = #group .. " names had status " .. code
@@ -539,9 +122,16 @@ portrule = shortport.http
 action = function(host, port)
 local service = "http"
 local domain = defineDomain(host)
- local path = stdnse.get_script_args("http-vhosts.path") or "/"
+ local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"
 local result = {}
+ local filelist = stdnse.get_script_args(SCRIPT_NAME..'filelist')
+ local status, HOSTNAMES = datafiles.parse_file(filelist or "nselib/data/vhosts-default.lst" , {})
+ if not status then
+ stdnse.print_debug(1, "Can not open file with vhosts file names list")
+ return {}
+ end
+
 for _,name in ipairs(HOSTNAMES) do
 local http_response
 local targetname
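Review bot: The rewritten `local limit = tonumber(stdnse.get_script_args(SCRIPT_NAME..".collapse")) or 10` line keeps a fallback of 10, while the `@arg http-vhosts.collapse` documentation in the header hunk states "Default 20"; one of the two is wrong and this line was the moment to reconcile them. Either make the code match the doc, `local limit = tonumber(stdnse.get_script_args(SCRIPT_NAME..".collapse")) or 20`, or correct the doc to 10. The `collapse` function continues past the end of the hunk.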
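Review bot: `stdnse.get_script_args(SCRIPT_NAME..'filelist')` is missing the dot separator, so the key looked up is `http-vhostsfilelist` and the documented `http-vhosts.filelist` argument is silently ignored; every run falls back to the default list, which defeats the point of the patch. Change it to `local filelist = stdnse.get_script_args(SCRIPT_NAME..".filelist") or "nselib/data/vhosts-default.lst"` and pass `filelist` to `parse_file` so the error path can name it. That error path also needs work: a mistyped list path yields `return {}`, which is indistinguishable from "no vhosts found" unless `-d` is set, so at minimum report the file, `stdnse.print_debug(1, "%s: cannot open vhosts list %s", SCRIPT_NAME, filelist)`, and consider returning a visible error string instead of an empty table. Separately, the removed HOSTNAMES table started with `""` so the bare domain was probed, whereas vhosts-default.lst has no such entry and vhosts-full.lst only carries a blank first line that `datafiles.parse_file` with `{}` may well skip (TODO confirm against datafiles.lua), so the bare-domain probe appears to have been dropped without mention. The `action` function continues past the end of the hunk.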