File http-vhosts

脚本使用类型: portrule
脚本所属分类: discovery, intrusive
脚本下载地址: http://nmap.org/svn/scripts/http-vhosts.nse

User Summary

Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames.

Each HEAD request provides a different Host header. The hostnames come from a built-in default list. Shows the names that return a document. Also shows the location of redirections.

The domain can be given as the http-vhosts.domain argument or deduced from the target's name. For example when scanning www.example.com, various names of the form <name>.example.com are tried.

Script Arguments

http-vhosts.filelist

file with the vhosts to try. Default nselib/data/vhosts-default.lst

http-vhosts.collapse

The limit to start collapsing results by status code. Default 20

http-vhosts.path

The path to try to retrieve. Default /.

http-vhosts.domain

The domain that hostnames will be prepended to, for example example.com yields www.example.com, www2.example.com, etc. If not provided, a guess is made based on the hostname.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

Example Usage

执行格式

nmap --script http-vhosts -p 80,8080,443 <target>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vhosts:
| example.com: 301 -> http://www.example.com/
| www.example.com: 200
| docs.example.com: 302 -> https://www.example.com/docs/
|_images.example.com: 200

Requires

• coroutine
• http
• nmap
• shortport
• stdnse
• string
• table
• datafiles

Author: Carlos Pantelides

License: VER007 整理 http://www.ver007.com

action

action (host, port)

Script action

Parameters

• host: table
• port: table