
Reduce the number of names tried by http-vhosts by default.

Vlatko reported that this script was taking an inordinate amount of time
even in typical scans. This patch reduces the number of domains tried by
default. The new http-vhosts.filelist script argument allows
substituting the original list or another of your choosing.

Patch by Vlatko.
http://seclists.org/nmap-dev/2012/q3/432
This commit is contained in:
david
2012-07-29 03:39:11 +00:00
parent b868e7f3ce
commit 1441aea655
4 changed files with 448 additions and 422 deletions


@@ -3,6 +3,7 @@ local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local datafiles = require "datafiles"
description = [[
Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames.
@@ -26,6 +27,7 @@ various names of the form <name>.example.com are tried.
-- etc. If not provided, a guess is made based on the hostname.
-- @arg http-vhosts.path The path to try to retrieve. Default <code>/</code>.
-- @arg http-vhosts.collapse The limit to start collapsing results by status code. Default <code>20</code>
-- @arg http-vhosts.filelist file with the vhosts to try. Default <code>nselib/data/vhosts-default.lst</code>
-- @output
-- PORT STATE SERVICE REASON
@@ -59,428 +61,9 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = { "discovery", "intrusive" }
-- List of domains to try. (Will become names like example.com,
-- abbot.example.com, admin.example.com, etc.) The list is derived from
-- Wikipedia lists of software with a web interface.
local HOSTNAMES = {
"",
"abbot",
"admin",
"adserver",
"alpha",
"api",
"aptest",
"arch",
"artifactory",
"assembla",
"atd",
"athena",
"atollon",
"attask",
"attix",
"attix5",
"automatedqa",
"backend",
"backup",
"bacula",
"badboy",
"basecamp",
"bazaar",
"beta",
"bitkeeper",
"bkp",
"branch",
"brightwork",
"broadwave",
"bromine",
"bugtracker",
"bugzilla",
"build",
"businessdriver",
"campus",
"catchlimited",
"ccc",
"centraldesktop",
"cerebro",
"civicrm",
"clarizen",
"clearcase",
"clearquest",
"clif",
"clockingit",
"codebeamer",
"codendi",
"codesourcery",
"codeville",
"collabtive",
"compuware",
"concordion",
"conformiq",
"cppunit",
"crm",
"cruisecontrol",
"cubictest",
"cucumber",
"cunit",
"cvs",
"cvsnt",
"darcs",
"dartenium",
"dcvs",
"debbugs",
"dev",
"devel",
"development",
"devtest",
"dieseltest",
"digitaltester",
"distract",
"dolibarr",
"dotproject",
"dune",
"durable",
"duxqa",
"dynamics",
"easy",
"egroupware",
"eload",
"elvior",
"empirix",
"endeavour",
"enterprise",
"epesi",
"epesibim",
"etester",
"eventum",
"fasttrack",
"feng",
"firefly",
"flumotion",
"flyspray",
"fogbugz",
"foro",
"forum",
"fossil",
"frankenstein",
"freecast",
"froglogic",
"frontend",
"ftp",
"functional",
"functionaltester",
"fwptt",
"game",
"games",
"gamma",
"gemini",
"geniesys",
"genietcms",
"genius",
"git",
"glasscubes",
"gnats",
"goplan",
"grinder",
"guitar",
"gurock",
"hammerhead",
"hammerora",
"harvest",
"helix",
"help",
"helpdesk",
"home",
"htmlunit",
"httpunit",
"huddle",
"hudson",
"hyperoffice",
"icecast",
"ikiwiki",
"images",
"incisif",
"inflectra",
"info",
"informup",
"intra",
"intranet",
"issuenet",
"isupport",
"it",
"itcampus",
"jabber",
"jadeliquid",
"jbehave",
"jboss",
"jcrawler",
"jemmy",
"jfunc",
"jira",
"jite",
"jmeter",
"jotbug",
"journyx",
"jtest",
"jtrack",
"junit",
"jwebunit",
"kayako",
"kforge",
"kkoop",
"launchpad",
"liberum",
"libresource",
"liquidplanner",
"liquidtest",
"list",
"lista",
"listas",
"listman",
"lists",
"loadrunner",
"magnetic",
"mail",
"mailman",
"mantis",
"mantisbt",
"manual",
"marathon",
"matchware",
"maven",
"mbt",
"media",
"mercurial",
"mercury",
"merlin",
"messagemagic",
"mingle",
"mks",
"mksintegrity",
"mojo",
"monotone",
"mvn",
"nuevosoft",
"objentis",
"opengoo",
"opengroup",
"openload",
"openproj",
"openqa",
"opensta",
"openwebload",
"optimaltest",
"orcanos",
"origsoft",
"otmgr",
"otrs",
"passmark",
"peercast",
"perforce",
"performancetester",
"phpgroupware",
"phprojekt",
"phpunit",
"pivotal",
"pjsip",
"planisware",
"plastic",
"postfix",
"practitest",
"primavera",
"principal",
"prod",
"project",
"projecthq",
"projectpier",
"projectplace",
"projectspaces",
"projektron",
"projistics",
"psnext",
"pureagent",
"pureload",
"puretest",
"pylot",
"qadirector",
"qaliber",
"qaload",
"qamanager",
"qatraq",
"qmetry",
"qmtest",
"qpack",
"qtest",
"qtronic",
"qualify",
"quickbase",
"quicktest",
"quicktestpro",
"quotium",
"rcs",
"realese",
"redmine",
"remedy",
"request",
"research",
"robot",
"roundup",
"rth",
"s3",
"sahi",
"salome",
"sap",
"scarab",
"sccs",
"seam",
"seapine",
"search",
"selenium",
"sendmail",
"services",
"severa",
"sharpforge",
"shoutcast",
"siebel",
"silk",
"silkcentral",
"silkperformer",
"simpletest",
"simpletestmanagement",
"simpleticket",
"simulator",
"sipp",
"sipr",
"smartesoft",
"smartload",
"smartqm",
"smartscript",
"smartsheet",
"soap",
"soapui",
"software",
"softwareresearch",
"sourcesafe",
"specflow",
"spiceworks",
"spiratest",
"spring",
"squish",
"staff",
"stage",
"stagging",
"static",
"storytestiq",
"streaming",
"stub",
"sugar",
"sugarcrm",
"supportworks",
"svk",
"svn",
"synergy",
"tag",
"team",
"teamcenter",
"teamware",
"teamwork",
"teamworkpm",
"techexcel",
"telerik",
"tenrox",
"test",
"test1",
"test2",
"testbench",
"testcase",
"testcomplete",
"testdirector",
"testdrive",
"tester",
"testing",
"testitools",
"testlink",
"testlog",
"testman",
"testmanager",
"testmaster",
"testmasters",
"testopia",
"testoptimal",
"testpartner",
"testrail",
"testrun",
"testsuite",
"testtrack",
"testuff",
"testup",
"testworks",
"texttest",
"tigris",
"tomcat",
"tplan",
"trac",
"track",
"tracker",
"trackersuite",
"tricentis",
"trunk",
"twist",
"ubidesk",
"unawave",
"unreal",
"utest",
"vault",
"verisium",
"vnc",
"vncrobot",
"vperformer",
"vpmi",
"vtest",
"watin",
"watir",
"web",
"web2project",
"web2test",
"webaii",
"webdriver",
"webking",
"webload",
"webspoc",
"wiki",
"windmill",
"winrunner",
"wit",
"workbook",
"workengine",
"worklenz",
"workspace",
"wowza",
"wrike",
"ws",
"www",
"www2",
"xhtmlunit",
"xml-simulator",
"xplanner",
"xqual",
"xstudio",
"youtrack",
"zentrack",
"zephyr",
"zoho"
}
-- uncomment and modify this for shorter scans
-- local HOSTNAMES = {
-- "",
-- "www",
-- "docs",
-- "images"
-- }
-- Defines domain to use, first from user and then from host
defineDomain = function(host)
if stdnse.get_script_args("http-vhosts.domain") then return stdnse.get_script_args("http-vhosts.domain") end
if stdnse.get_script_args(SCRIPT_NAME..".domain") then return stdnse.get_script_args(SCRIPT_NAME..".domain") end
local name = stdnse.get_hostname(host)
if name and name ~= host.ip then
@@ -517,7 +100,7 @@ end
-- @return string
local collapse = function(result)
local collapsed = {""}
local limit = tonumber(stdnse.get_script_args("http-vhosts.collapse")) or 10
local limit = tonumber(stdnse.get_script_args(SCRIPT_NAME..".collapse")) or 10
for code, group in next, result do
if #group > limit then
collapsed[#collapsed + 1] = #group .. " names had status " .. code
@@ -539,9 +122,16 @@ portrule = shortport.http
action = function(host, port)
local service = "http"
local domain = defineDomain(host)
local path = stdnse.get_script_args("http-vhosts.path") or "/"
local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"
local result = {}
local filelist = stdnse.get_script_args(SCRIPT_NAME..'filelist')
local status, HOSTNAMES = datafiles.parse_file(filelist or "nselib/data/vhosts-default.lst" , {})
if not status then
stdnse.print_debug(1, "Can not open file with vhosts file names list")
return {}
end
for _,name in ipairs(HOSTNAMES) do
local http_response
local targetname
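Review bot: The new `filelist` lookup in action() is missing the dot separator, so it reads an argument named `http-vhostsfilelist` rather than the `http-vhosts.filelist` documented in the @arg block earlier in this commit; a user-supplied list is silently ignored and the default file is always used. The line should be `local filelist = stdnse.get_script_args(SCRIPT_NAME..".filelist")`, matching the `SCRIPT_NAME..".path"` and `SCRIPT_NAME..".collapse"` forms used in the same patch. On the failure path, the debug message names neither the script nor the path that could not be opened, which makes a mistyped filelist hard to diagnose at normal verbosity; consider `stdnse.print_debug(1, "%s: cannot open vhosts list %s", SCRIPT_NAME, filelist or "nselib/data/vhosts-default.lst")`. The body of action() continues beyond the end of this hunk.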