Merge branch 'master' into command-argument-class

Author: codingo

README.md

@@ -39,6 +39,7 @@ $ pip install -r requirements.txt
 | -r REAL_PORT | The real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT). |
 | --ignore-http-codes IGNORE_HTTP_CODES | Comma separated list of http codes to ignore with virtual host scans (default 404). |
 | --ignore-content-length IGNORE_CONTENT_LENGTH | Ignore content lengths of specificed amount. |
+| --first-hit | Return first successful result. Only use in scenarios where you are sure no catch-all is configured (such as a CTF). |
 | --unique-depth UNIQUE_DEPTH | Show likely matches of page content that is found x times (default 1). |
 | --ssl | If set then connections will be made over HTTPS instead of HTTP. |
 | --fuzzy-logic | If set then all unique content replies are compared and a similarity ratio is given for each pair. This helps to isolate vhosts in situations where a default page isn't static (such as having the time on it). |
@@ -51,6 +52,7 @@ $ pip install -r requirements.txt
 | -oJ OUTPUT_JSON | JSON output printed to a file when the -oJ option is specified with a filename argument. |
 | - | By passing a blank '-' you tell VHostScan to expect input from stdin (pipe). |
 
+
 ## Usage Examples
 
 _Note that a number of these examples reference 10.10.10.29. This IP refers to BANK.HTB, a retired target machine from HackTheBox (https://www.hackthebox.eu/)._
@@ -98,4 +100,4 @@ pip install -r test-requirements.txt
 pytest
 ```
 
-If you're thinking of adding a new feature to the project, consider also contributing with a couple of tests. A well-tested codebase is a sane codebase. :)
+If you're thinking of adding a new feature to the project, consider also contributing with a couple of tests. A well-tested codebase is a sane codebase. :)

VHostScan.py

@@ -50,23 +50,26 @@ def main():
 
     user_agents = []
     if arguments.user_agent:
-        print('[>] User-Agent specified, using it')
+        print('[>] User-Agent specified, using it.')
         user_agents = [arguments.user_agent]
     elif arguments.random_agent:
-        print('[>] Random User-Agent flag set')
+        print('[>] Random User-Agent flag set.')
         user_agents = load_random_user_agents()
 
     if(arguments.ssl):
-        print("[>] SSL flag set, sending all results over HTTPS")
+        print("[>] SSL flag set, sending all results over HTTPS.")
 
     if(arguments.add_waf_bypass_headers):
-        print("[>] WAF flag set, sending simple WAF bypass headers")
+        print("[>] WAF flag set, sending simple WAF bypass headers.")
 
     print("[>] Ignoring HTTP codes: %s" % (arguments.ignore_http_codes))
-    
+
     if(arguments.ignore_content_length > 0):
         print("[>] Ignoring Content length: %s" % (arguments.ignore_content_length))
 
+    if arguments.first_hit:
+        print("[>] First hit is set.")
+
     if not arguments.no_lookup:
         for ip in Resolver().query(arguments.target_hosts, 'A'):
             host, aliases, ips = gethostbyaddr(str(ip))

lib/core/__version__.py

@@ -3,4 +3,3 @@
 # +-+-+-+-+-+-+-+-+-+  https://github.com/codingo/VHostScan
 
 __version__ = '1.6.1'
-

lib/core/virtual_host_scanner.py

@@ -6,15 +6,27 @@
 import pandas as pd
 import time
 from lib.core.discovered_host import *
+from urllib3.util import ssl_
 
 DEFAULT_USER_AGENT = 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36'
 
+_target_host = None
+_ssl_wrap_socket = ssl_.ssl_wrap_socket
+def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
+                    ca_certs=None, server_hostname=None,
+                    ssl_version=None, ciphers=None, ssl_context=None,
+                    ca_cert_dir=None):
+        ssl_wrap_socket_(sock, keyfile=keyfile, certfile=certfile, cert_reqs=cert_reqs,
+                    ca_certs=ca_certs, server_hostname=_target_host,
+                    ssl_version=ssl_version, ciphers=ciphers, ssl_context=ssl_context,
+                    ca_cert_dir=ca_cert_dir)
+ssl_.ssl_wrap_socket = _ssl_wrap_socket 
 
 class virtual_host_scanner(object):
     """Virtual host scanning class
-    
+
     Virtual host scanner has the following properties:
-    
+
     Attributes:
         wordlist: location to a wordlist file to use with scans
         target: the target for scanning
@@ -38,6 +50,7 @@ def __init__(self, target, wordlist, **kwargs):
         self.add_waf_bypass_headers = kwargs.get('add_waf_bypass_headers', False)
         self.unique_depth = int(kwargs.get('unique_depth', 1))
         self.ignore_http_codes = kwargs.get('ignore_http_codes', '404')
+        self.first_hit = kwargs.get('first_hit')
 
         # this can be made redundant in future with better exceptions
         self.completed_scan=False
@@ -85,6 +98,7 @@ def scan(self):
                 })
 
             dest_url = '{}://{}:{}/'.format('https' if self.ssl else 'http', self.target, self.port)
+            _target_host = hostname
 
             try:
                 res = requests.get(dest_url, headers=headers, verify=False)
@@ -99,26 +113,15 @@ def scan(self):
 
             # hash the page results to aid in identifing unique content
             page_hash = hashlib.sha256(res.text.encode('utf-8')).hexdigest()
-            output = '[#] Found: {} (code: {}, length: {}, hash: {})\n'.format(hostname, res.status_code, 
-                                                                               res.headers.get('content-length'), page_hash)
-            host = discovered_host()
-            host.hostname = hostname
-            host.response_code = res.status_code
-            host.hash = page_hash
-            host.content = res.content
-
-            for key, val in res.headers.items():
-                output += '  {}: {}\n'.format(key, val)
-                host.keys.append('{}: {}'.format(key, val))
-
-            self.hosts.append(host)
-            
-            # print current results so feedback remains in "realtime"
-            print(output)
+
+            self.hosts.append(self.create_host(res, hostname, page_hash))
 
             # add url and hash into array for likely matches
             self.results.append(hostname + ',' + page_hash)
-            
+
+            if len(self.hosts) == 2 and self.first_hit:
+                break
+
             #rate limit the connection, if the int is 0 it is ignored
             time.sleep(self.rate_limit)
 
@@ -141,3 +144,24 @@ def likely_matches(self):
         matches = ((segmented_data["key_col"].values).tolist())
 
         return matches
+
+    def create_host(self, response, hostname, page_hash):
+        """
+        Creates a host using the responce and the hash.
+        Prints current result in real time.
+        """
+        output = '[#] Found: {} (code: {}, length: {}, hash: {})\n'.format(hostname, response.status_code, 
+                                                                    response.headers.get('content-length'), page_hash)
+        host = discovered_host()
+        host.hostname = hostname
+        host.response_code = response.status_code
+        host.hash = page_hash
+        host.content = response.content
+
+        for key, val in response.headers.items():
+            output += '  {}: {}\n'.format(key, val)
+            host.keys.append('{}: {}'.format(key, val))
+
+        print(output)
+
+        return host

lib/helpers/output_helper.py

@@ -67,7 +67,7 @@ def output_json(self, filename):
                                    'Hash': host.hash,
                                    'Headers': headers}
         output['Result'] = result
-        file.write_file(json.dumps(output))
+        file.write_file(json.dumps(output, indent=2))
 
 
     def output_fuzzy(self):

tests/helpers/test_file_helper.py

@@ -39,4 +39,3 @@ def test_get_combined_word_lists(wordlist):
 
     assert wordlist.files == result['file_paths']
     assert wordlist.words == result['words']
-