NSE script: http-find-host.nse

[zhovner]

Find website backend behind reverse proxy like Cloudflare by sending specific HTTP Host header and looking for a title.

[dmiller-nmap]

Thanks for your contribution. Can you explain how this script is different than the existing http-title script? The http library already sets the Host header to the first of the following values it finds:

1. The target name provided on the command line, e.g. nmap example.com
2. The reverse-DNS name for the IP, e.g. the same as dig -x X.X.X.X
3. The IP address.

Is there a reason you can't just use http-title and provide the site domain name on the command line as the target? Maybe we can find a better solution that would improve all of the http scripts.

[zhovner]

Is there a reason you can't just use http-title and provide the site domain name on the command line as the target?

For example you looking for a backend of example.com that using a CloudFlare http proxy.
So example.com DNS A record pointed to 111.111.111.111 that is cloudflare proxy network.
You suppose that backend of example.com is somewhere in 222.0.0.0/8 network. So you targeting nmap to this network with specific Host: example.com http header. And print the result ONLY when title is matching your string.

The http-title script uses method http.get from nse http library. I can't find how to send a specific Host: header by using this method.
That's why I'm using http.generic_request instead.

Maybe you right, that http-title script can do the same after little modification.

[dmiller-nmap]

I understand now. Yes, I think we can make a simple override in the form of a script arg like http.host that would override the host header in all cases where it isn't explicitly set. That would affect http-title as well as lots of other scripts, but only if the script arg is set.

In order to set the Host header via http.get, you would pass the header in the options table like so:

http.get(host, port, "/", {header={Host="example.com"}})