Merge branch 'master' into timk-fuzzy-logic

Author: timkent

.gitignore

@@ -104,4 +104,4 @@ ENV/
 *.suo
 *.pyproj
 *.sln
-*.sqlite
+*.sqlite

README.md

@@ -1,5 +1,5 @@
 # VHostScan
-A virtual host scanner that can pivot over hosts, detect catch-all scenarios, aliases and dynamic default pages.
+A virtual host scanner that can pivot over hosts, detect catch-all scenarios, aliases and dynamic default pages. First presented at SecTalks BNE in September 2017 (![slidedeck](https://docs.google.com/presentation/d/1KDY7bnCpCGabJn8UpmHGSb6z_hi_WGf3ETxzykTNjWY/)).
 
 [![Python 3.2|3.6](https://img.shields.io/badge/python-3.2|3.6-green.svg)](https://www.python.org/) [![License](https://img.shields.io/badge/license-GPL3-_red.svg)](https://www.gnu.org/licenses/gpl-3.0.en.html) [![Twitter](https://img.shields.io/badge/twitter-@____timk-blue.svg)](https://twitter.com/__timk) [![Twitter](https://img.shields.io/badge/twitter-@codingo__-blue.svg)](https://twitter.com/codingo_)
 
@@ -11,8 +11,13 @@ A virtual host scanner that can pivot over hosts, detect catch-all scenarios, al
 * Wordlist supports standard words and a variable to input a base hostname (for e.g. dev.%s from the wordlist would be run as dev.BASE_HOST)
 * Work over HTTP and HTTPS
 * Ability to set the real port of the webserver to use in headers when pivoting through ssh/nc
+* Add simple response headers to bypass some WAF products
 
-## Usage
+## Product Comparisons
+
+![VHOSTScan Feature Map](https://github.com/codingo/codingo.github.io/blob/master/assets/featureMap.PNG)
+
+# Usage
 
 | Argument        | Description |
 | ------------- |:-------------|
@@ -27,16 +32,27 @@ A virtual host scanner that can pivot over hosts, detect catch-all scenarios, al
 | --unique-depth UNIQUE_DEPTH | Show likely matches of page content that is found x times (default 1). |
 | --ssl | If set then connections will be made over HTTPS instead of HTTP. |
 
-## Examples
-
+## Usage Examples
+### Quick Example
 The most straightforward example runs the default wordlist against example.com using the default of port 80:
 
 ```bash
 $ VHostScan.py -t example.com
 ```
-
+### Port forwarding
 Say you have an SSH port forward listening on port 4444 fowarding traffic to port 80 on example.com's development machine. You could use the following to make VHostScan connect through your SSH tunnel via localhost:4444 but format the header requests to suit connecting straight to port 80:
 
 ```bash
 $ VHostScan.py -t localhost -b example.com -p 4444 -r 80
 ```
+
+### STDIN
+If you want to pipe information into VHostScan you can use the ```-``` flag:
+```bash
+$ cat vhostname | VHostScan.py -t localhost -
+```
+### STDIN and WordList
+You can still specify a wordlist to use along with stdin. In these cases wordlist information will be appended to stdin. For example:
+```bash
+$ cat vhostname | VhostScan.py -t localhost -w ./wordlists/wordlist.txt -
+```

VHostScan.py

@@ -5,10 +5,11 @@
 from argparse import ArgumentParser
 from lib.core.virtual_host_scanner import *
 from lib.helpers.output_helper import *
+from lib.core.__version__ import __version__
 
 
 def print_banner():
-    print("+-+-+-+-+-+-+-+-+-+  v. 0.3")
+    print("+-+-+-+-+-+-+-+-+-+  v. %s" % __version__)
     print("|V|H|o|s|t|S|c|a|n|  Developed by @codingo_ & @__timk")
     print("+-+-+-+-+-+-+-+-+-+  https://github.com/codingo/VHostScan\n")
 
@@ -17,7 +18,7 @@ def main():
     print_banner()
     parser = ArgumentParser()
     parser.add_argument("-t",   dest="target_hosts", required=True, help="Set a target range of addresses to target. Ex 10.11.1.1-255" )
-    parser.add_argument("-w",   dest="wordlist", required=False, type=str, help="Set the wordlist to use (default ./wordlists/virtual-host-scanning.txt)", default="./wordlists/virtual-host-scanning.txt")
+    parser.add_argument("-w",   dest="wordlist", required=False, type=str, help="Set the wordlist to use (default ./wordlists/virtual-host-scanning.txt)")
     parser.add_argument("-b",   dest="base_host", required=False, help="Set host to be used during substitution in wordlist (default to TARGET).", default=False)
     parser.add_argument("-p",   dest="port", required=False, help="Set the port to use (default 80).", default=80)
     parser.add_argument("-r",   dest="real_port", required=False, help="The real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT).", default=False)
@@ -27,26 +28,50 @@ def main():
     parser.add_argument('--unique-depth', dest='unique_depth', type=int, help='Show likely matches of page content that is found x times (default 1).', default=1)
     parser.add_argument("--ssl", dest="ssl",   action="store_true", help="If set then connections will be made over HTTPS instead of HTTP (default http).", default=False)
     parser.add_argument("--fuzzy_logic", dest="fuzzy_logic", action="store_true", help="If set then fuzzy match will be performed against unique hosts (default off).", default=False)
+    parser.add_argument("--waf", dest="add_waf_bypass_headers",   action="store_true", help="If set then simple WAF bypass headers will be sent.", default=False)
     parser.add_argument("-oN",   dest="output_normal", help="Normal output printed to a file when the -oN option is specified with a filename argument." )
-    arguments = parser.parse_args()
-
-    if not os.path.exists(arguments.wordlist):
-        print("[!] Wordlist %s doesn't exist, ending scan." % arguments.wordlistt)
-        sys.exit()
-
-    print("[+] Starting virtual host scan for %s using port %s and wordlist %s" % (arguments.target_hosts, 
-                                                                                   str(arguments.port), 
-                                                                                   arguments.wordlist))
+    parser.add_argument("-", dest="stdin", action="store_true", help="By passing a blank '-' you tell VHostScan to expect input from stdin (pipe).", default=False)
+    
+    arguments = parser.parse_args()    
+    wordlist = list()
+    
+    if(arguments.stdin and not arguments.wordlist):
+        input = list(line for line in sys.stdin.read().splitlines())
+        wordlist.extend(input)
+        print("[+] Starting virtual host scan for %s using port %s and stdin data" % (arguments.target_hosts, 
+                                                                                        str(arguments.port)))
+    elif(arguments.stdin and arguments.wordlist):
+        if not os.path.exists(arguments.wordlist):
+            print("[!] Wordlist %s doesn't exist and can't be appended  to stdin." % arguments.wordlist)
+            print("[+] Starting virtual host scan for %s using port %s and stdin data" % (arguments.target_hosts, 
+                                                                                          str(arguments.port)))
+        else:
+            wordlist_file = open(arguments.wordlist).read().splitlines()
+            wordlist.extend(wordlist_file)    
+            print("[+] Starting virtual host scan for %s using port %s, stdin data, and wordlist %s" % (arguments.target_hosts, 
+                                                                                                        str(arguments.port), 
+                                                                                                        arguments.wordlist))
+    else:
+        # if no stdin, or wordlist pass, open default wordlist location
+        wordlist_file = open("./wordlists/virtual-host-scanning.txt").read().splitlines()
+        wordlist.extend(wordlist_file)   
+        print("[+] Starting virtual host scan for %s using port %s and wordlist %s" % (arguments.target_hosts, 
+                                                                                       str(arguments.port), 
+                                                                                       "./wordlists/virtual-host-scanning.txt"))
 
     if(arguments.ssl):
         print("[>] SSL flag set, sending all results over HTTPS")
 
+    if(arguments.add_waf_bypass_headers):
+        print("[>] WAF flag set, sending simple WAF bypass headers")
+
     print("[>] Ignoring HTTP codes: %s" % (arguments.ignore_http_codes))
 
     if(arguments.ignore_content_length > 0):
         print("[>] Ignoring Content length: %s" % (arguments.ignore_content_length))
 
-    scanner = virtual_host_scanner(arguments.target_hosts, arguments.base_host, arguments.port, arguments.real_port, arguments.ssl, arguments.unique_depth, arguments.ignore_http_codes, arguments.ignore_content_length, arguments.wordlist, arguments.fuzzy_logic)
+    scanner = virtual_host_scanner( arguments.target_hosts, arguments.base_host, wordlist, arguments.port, arguments.real_port, arguments.ssl, 
+                                    arguments.unique_depth, arguments.ignore_http_codes, arguments.ignore_content_length, arguments.add_waf_bypass_headers)
 
     scanner.scan()
     output = output_helper(scanner)

lib/core/__version__.py

@@ -0,0 +1,6 @@
+# +-+-+-+-+-+-+-+-+-+  
+# |V|H|o|s|t|S|c|a|n|  Developed by @codingo_ & @__timk
+# +-+-+-+-+-+-+-+-+-+  https://github.com/codingo/VHostScan
+
+__version__ = '0.7'
+

lib/core/virtual_host_scanner.py

@@ -19,8 +19,7 @@ class virtual_host_scanner(object):
         output: folder to write output file to
     """
 
-    def __init__(self, target, base_host, port=80, real_port=80, ssl=False, unique_depth=1, ignore_http_codes='404', ignore_content_length=0, 
-                 wordlist="./wordlists/virtual-host-scanning.txt", fuzzy_logic=False):
+    def __init__(self, target, base_host, wordlist, port=80, real_port=80, ssl=False, unique_depth=1, ignore_http_codes='404', ignore_content_length=0, add_waf_bypass_headers=False):
         self.target = target
         self.base_host = base_host
         self.port = int(port)
@@ -31,6 +30,7 @@ def __init__(self, target, base_host, port=80, real_port=80, ssl=False, unique_d
         self.unique_depth = unique_depth
         self.ssl = ssl
         self.fuzzy_logic = fuzzy_logic
+        self.add_waf_bypass_headers = add_waf_bypass_headers
 
         # this can be made redundant in future with better exceptions
         self.completed_scan=False
@@ -41,22 +41,31 @@ def __init__(self, target, base_host, port=80, real_port=80, ssl=False, unique_d
         # store associated data for discovered hosts in array for oN, oJ, etc'
         self.hosts = []
 
-    def scan(self):
-        virtual_host_list = open(self.wordlist).read().splitlines()
 
+    def scan(self):
         if not self.base_host:
             self.base_host = self.target
 
         if not self.real_port:
             self.real_port = self.port
 
-        for virtual_host in virtual_host_list:
+        for virtual_host in self.wordlist:
             hostname = virtual_host.replace('%s', self.base_host)
 
-            headers = {
-                'Host': hostname if self.real_port == 80 else '{}:{}'.format(hostname, self.real_port),
-                'Accept': '*/*'
-            }
+            if self.add_waf_bypass_headers:
+                headers = {
+                    'Host': hostname if self.real_port == 80 else '{}:{}'.format(hostname, self.real_port),
+                    'Accept': '*/*',
+                    'X-Originating-IP': '127.0.0.1',
+                    'X-Forwarded-For': '127.0.0.1',
+                    'X-Remote-IP': '127.0.0.1',
+                    'X-Remote-Addr': '127.0.0.1'
+                }
+            else:
+                headers = {
+                    'Host': hostname if self.real_port == 80 else '{}:{}'.format(hostname, self.real_port),
+                    'Accept': '*/*'
+                }
 
             dest_url = '{}://{}:{}/'.format('https' if self.ssl else 'http', self.target, self.port)
 

lib/helpers/output_helper.py

@@ -15,10 +15,18 @@ def write_normal(self, filename):
         file.write_file(self.generate_header() + self.output_normal_likely() + self.output_normal_detail())
 
     def output_normal_likely(self):
-        output = "\n[+] Most likely matches with a unique count of {} or less:".format(str(self.scanner.unique_depth))
-        for p in self.scanner.likely_matches(): output += "\n\t[>] {}".format(p)
-
-        return output
+        uniques = False
+        depth = str(self.scanner.unique_depth)
+        output = "\n[+] Most likely matches with a unique count of {} or less:".format(depth)
+        
+        for p in self.scanner.likely_matches(): 
+            output += "\n\t[>] {}".format(p)
+            uniques = True
+        
+        if(uniques):
+            return output
+        else:
+            return "\n[!] No matches with a unique count of {} or less.".format(depth)
 
     def output_normal_detail(self):
         output = "\n\n[+] Full scan results"
@@ -35,4 +43,4 @@ def generate_header(self):
         output += "\n\tReal Port {}\n\tIgnore HTTP Codes: {}".format(self.scanner.real_port,self.scanner.ignore_http_codes)
         output += "\n\tIgnore Content Length: {}\n\tWordlist: {}".format(self.scanner.ignore_content_length, self.scanner.wordlist)
         output += "\n\tUnique Depth: {}\n\tSSL: {}\n\t".format(self.scanner.unique_depth, self.scanner.ssl)
-        return output
+        return output

wordlists/hackthebox.txt

@@ -0,0 +1,41 @@
+apocalyst.htb
+arctic.htb
+bank.htb
+bastard.htb
+beep.htb
+blocky.htb
+blue.htb
+brainfuck.htb
+calamity.htb
+celestial.htb
+charon.htb
+cronos.htb
+devel.htb
+enterprise.htb
+europa.htb
+grandpa.htb
+granny.htb
+haircut.htb
+holiday.htb
+jail.htb
+jeeves.htb
+joker.htb
+kotarak.htb
+lame.htb
+lazy.htb
+legacy.htb
+mantis.htb
+minion.htb
+mirai.htb
+nightmare.htb
+nineveh.htb
+node.htb
+october.htb
+optimum.htb
+popcorn.htb
+shocker.htb
+shrek.htb
+sneaky.htb
+solidstate.htb
+tally.htb
+tenten.htb

wordlists/simple.txt

@@ -0,0 +1,4 @@
+%s
+127.0.0.1
+www.%s
+www