NSE script: http-find-host.nse #1251

Closed

Conversation


zhovner commented Jun 24, 2018

Find website backend behind reverse proxy like Cloudflare by sending specific HTTP Host header and looking for a title.

dmiller-nmap commented Jul 11, 2018

Thanks for your contribution. Can you explain how this script is different than the existing http-title script? The http library already sets the Host header to the first of the following values it finds:

  1. The target name provided on the command line, e.g. nmap example.com
  2. The reverse-DNS name for the IP, e.g. the same as dig -x X.X.X.X
  3. The IP address.

Is there a reason you can't just use http-title and provide the site domain name on the command line as the target? Maybe we can find a better solution that would improve all of the http scripts.

zhovner commented Jul 11, 2018

Is there a reason you can't just use http-title and provide the site domain name on the command line as the target?

For example, you are looking for the backend of example.com, which is using a Cloudflare HTTP proxy.
So the example.com DNS A record points to 111.111.111.111, which is the Cloudflare proxy network.
You suppose that the backend of example.com is somewhere in the 222.0.0.0/8 network. So you target nmap at this network with a specific Host: example.com HTTP header, and print the result ONLY when the title matches your string.

The http-title script uses the method http.get from the NSE http library. I can't find how to send a specific Host: header using this method.
That's why I'm using http.generic_request instead.

Maybe you are right that the http-title script can do the same after a little modification.

dmiller-nmap commented Jul 12, 2018

I understand now. Yes, I think we can make a simple override in the form of a script arg like http.host that would override the host header in all cases where it isn't explicitly set. That would affect http-title as well as lots of other scripts, but only if the script arg is set.

In order to set the Host header via http.get, you would pass the header in the options table like so:

http.get(host, port, "/", {header={Host="example.com"}})

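The technique zhovner describes (send a chosen Host header to every host in a range, report only those whose title matches) and the http.get options-table form dmiller-nmap shows, combined into one minimal NSE script. This is an added example written for this page, not the script from the PR and not Nmap's own code; the script-arg names (http-find-host.host, http-find-host.title, http-find-host.path) are assumptions chosen for the example, and the title match is a plain case-insensitive substring match rather than a Lua pattern.

```lua
-- Added example (not the PR's script, not Nmap's own code): send a request with a
-- caller-chosen Host header and report the target only when the <title> matches.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Sends an HTTP request with a specific Host header to each target and reports the
target only when the response title contains the given string. Useful for finding
an origin server that sits behind a reverse proxy such as Cloudflare.
]]

author = "added example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Script args (names are assumptions for this example):
--   http-find-host.host   value to send in the Host header (required)
--   http-find-host.title  substring the <title> must contain, case-insensitive (required)
--   http-find-host.path   request path, default "/"

portrule = shortport.http

-- Pull the <title> text out of an HTML body; returns nil when there is none.
local function extract_title(body)
  if not body then return nil end
  local title = string.match(body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>(.-)</[Tt][Ii][Tt][Ll][Ee]>")
  if not title then return nil end
  title = string.gsub(title, "%s+", " ")            -- collapse whitespace/newlines
  return (string.gsub(title, "^%s*(.-)%s*$", "%1"))  -- trim
end

action = function(host, port)
  local vhost = stdnse.get_script_args("http-find-host.host")
  local wanted = stdnse.get_script_args("http-find-host.title")
  local path = stdnse.get_script_args("http-find-host.path") or "/"
  if not vhost or not wanted then
    return nil  -- stay silent unless both required args are given
  end

  -- Without an explicit header the library chooses Host itself (target name,
  -- reverse DNS, or IP); supplying it in the options table overrides that.
  local response = http.get(host, port, path, {header = {Host = vhost}})
  if not response or not response.body then
    return nil
  end

  local title = extract_title(response.body)
  if not title then
    return nil
  end
  -- Plain (non-pattern) substring search, case-insensitive.
  if not string.find(string.lower(title), string.lower(wanted), 1, true) then
    return nil  -- only report hosts whose title matches
  end

  local out = stdnse.output_table()
  out.host_header = vhost
  out.status = response.status
  out.title = title
  return out
end
```

Run it against the candidate range from the thread with something like `nmap -p80,443 --script ./http-find-host.nse --script-args 'http-find-host.host=example.com,http-find-host.title=Example Domain' 222.0.0.0/8` (the addresses are the thread's placeholders). Two caveats: the script only controls the Host header, so on port 443 a backend that selects its site from TLS SNI may still answer for the default site; and a hit proves only that some server answers for that name, so confirm the origin by comparing the response body against the proxied site before acting on it.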

@nmap-bot nmap-bot closed this in 5318e42 Jul 12, 2018
