Commit 97ba861

Merge branch 'master' into timk-fuzzy-logic
2 parents e4a1ba4 + 8d82d4b commit 97ba861

2 files changed

+34
-15
lines changed

README.md

Lines changed: 15 additions & 3 deletions
@@ -1,5 +1,5 @@
11
# VHostScan
2-
A virtual host scanner that can pivot over hosts, detect catch-all scenarios, aliases and dynamic default pages. First presented at SecTalks BNE in September 2017 (![slidedeck](https://docs.google.com/presentation/d/1KDY7bnCpCGabJn8UpmHGSb6z_hi_WGf3ETxzykTNjWY/)).
2+
A virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages. First presented at SecTalks BNE in September 2017 ([slidedeck](https://docs.google.com/presentation/d/1KDY7bnCpCGabJn8UpmHGSb6z_hi_WGf3ETxzykTNjWY)).
33

44
[![Python 3.2|3.6](https://img.shields.io/badge/python-3.2|3.6-green.svg)](https://www.python.org/) [![License](https://img.shields.io/badge/license-GPL3-_red.svg)](https://www.gnu.org/licenses/gpl-3.0.en.html) [![Twitter](https://img.shields.io/badge/twitter-@____timk-blue.svg)](https://twitter.com/__timk) [![Twitter](https://img.shields.io/badge/twitter-@codingo__-blue.svg)](https://twitter.com/codingo_)
55

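Review bot: the rewritten opening sentence is still a run-on ("can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages" reads as if "pivot tools" were one of the things detected); suggest "A virtual host scanner that can be used with pivot tools and that detects catch-all scenarios, aliases and dynamic default pages." Dropping the leading `!` from the slidedeck link is the right fix, since `![slidedeck](...)` rendered it as a broken image instead of a hyperlink.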
@@ -24,21 +24,30 @@ A virtual host scanner that can pivot over hosts, detect catch-all scenarios, al
2424
| -h, --help | Display help message and exit |
2525
| -t TARGET_HOSTS | Set the target host. |
2626
| -b BASE_HOST | Set host to be used during substitution in wordlist (default to TARGET).|
27-
| -w WORDLIST | Set the wordlist to use for generated commands. Ex /usr/share/wordlist.txt |
27+
| -w WORDLIST | Set the wordlist to use (default ./wordlists/virtual-host-scanning.txt) |
2828
| -p PORT | Set the port to use (default 80). |
2929
| -r REAL_PORT | The real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT). |
3030
| --ignore-http-codes IGNORE_HTTP_CODES | Comma separated list of http codes to ignore with virtual host scans (default 404). |
3131
| --ignore-content-length IGNORE_CONTENT_LENGTH | Ignore content lengths of specificed amount. |
3232
| --unique-depth UNIQUE_DEPTH | Show likely matches of page content that is found x times (default 1). |
3333
| --ssl | If set then connections will be made over HTTPS instead of HTTP. |
34+
| --waf | If set then simple WAF bypass headers will be sent. |
35+
| -oN OUTPUT_NORMAL | Normal output printed to a file when the -oN option is specified with a filename argument. |
36+
| - | By passing a blank '-' you tell VHostScan to expect input from stdin (pipe). |
3437

3538
## Usage Examples
39+
40+
_Note that a number of these examples reference 10.10.10.29. This IP refers to BANK.HTB, a retired target machine from HackTheBox (https://www.hackthebox.eu/)._
41+
3642
### Quick Example
3743
The most straightforward example runs the default wordlist against example.com using the default of port 80:
3844

3945
```bash
4046
$ VHostScan.py -t example.com
4147
```
48+
49+
![VHOSTScan Wordlist example](https://github.com/codingo/codingo.github.io/blob/master/assets/Bank%20VHOST%20Example.png)
50+
4251
### Port forwarding
4352
Say you have an SSH port forward listening on port 4444 fowarding traffic to port 80 on example.com's development machine. You could use the following to make VHostScan connect through your SSH tunnel via localhost:4444 but format the header requests to suit connecting straight to port 80:
4453

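Review bot: the `-t TARGET_HOSTS` row still says "Set the target host." while the argparse help for the same flag in VHostScan.py says "Set a target range of addresses to target. Ex 10.11.1.1-255"; the README and `--help` should agree on whether a range is accepted. Two smaller points on the new rows: the `--waf` description ("simple WAF bypass headers will be sent") should name the headers that are actually added, because a tester needs to know exactly what reaches the target, and the new `-w` default `./wordlists/virtual-host-scanning.txt` is a path relative to the current working directory (the code opens that literal string), so either say that the tool must be run from the repository root or resolve the default against the script's own location.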
@@ -49,8 +58,11 @@ $ VHostScan.py -t localhost -b example.com -p 4444 -r 80
4958
### STDIN
5059
If you want to pipe information into VHostScan you can use the ```-``` flag:
5160
```bash
52-
$ cat vhostname | VHostScan.py -t localhost -
61+
$ cat bank.htb | VHostScan.py -t 10.10.10.29 -
5362
```
63+
64+
![VHOSTScan STDIN Example](https://github.com/codingo/codingo.github.io/blob/master/assets/Bank%20VHOST%20Pipe%20Example.png)
65+
5466
### STDIN and WordList
5567
You can still specify a wordlist to use along with stdin. In these cases wordlist information will be appended to stdin. For example:
5668
```bash

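Review bot: the new STDIN example pipes a file called `bank.htb`, which looks like a hostname rather than a list of candidate virtual hosts, and passes the bare IP as `-t` with no `-b`; since the option table above says `-b` defaults to TARGET, wordlist substitution will be performed against `10.10.10.29` instead of `bank.htb`. Suggest `cat vhosts.txt | VHostScan.py -t 10.10.10.29 -b bank.htb -` and a sentence saying what the piped file contains (the code reads it with `sys.stdin.read().splitlines()`, so one candidate name per line).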
VHostScan.py

Lines changed: 19 additions & 12 deletions
@@ -18,7 +18,7 @@ def main():
1818
print_banner()
1919
parser = ArgumentParser()
2020
parser.add_argument("-t", dest="target_hosts", required=True, help="Set a target range of addresses to target. Ex 10.11.1.1-255" )
21-
parser.add_argument("-w", dest="wordlist", required=False, type=str, help="Set the wordlist to use (default ./wordlists/virtual-host-scanning.txt)")
21+
parser.add_argument("-w", dest="wordlist", required=False, type=str, help="Set the wordlist to use (default ./wordlists/virtual-host-scanning.txt)", default=False)
2222
parser.add_argument("-b", dest="base_host", required=False, help="Set host to be used during substitution in wordlist (default to TARGET).", default=False)
2323
parser.add_argument("-p", dest="port", required=False, help="Set the port to use (default 80).", default=80)
2424
parser.add_argument("-r", dest="real_port", required=False, help="The real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT).", default=False)
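Review bot: `default=False` on the `-w` argument, which is declared `type=str`, mixes types; use `default=None` so the later `if not arguments.wordlist` checks read as "no wordlist supplied" rather than relying on `False` being falsy, and add `metavar="WORDLIST"` so `--help` matches the README table. In the surrounding context lines, `-p` has an integer default of 80 but a user-supplied value arrives as a string, so give it `type=int` (the same applies to `-r`) to avoid mixing `80` and `"80"` downstream.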
@@ -36,29 +36,36 @@ def main():
3636
wordlist = list()
3737

3838
if(arguments.stdin and not arguments.wordlist):
39-
input = list(line for line in sys.stdin.read().splitlines())
40-
wordlist.extend(input)
39+
wordlist.extend(list(line for line in sys.stdin.read().splitlines()))
4140
print("[+] Starting virtual host scan for %s using port %s and stdin data" % (arguments.target_hosts,
4241
str(arguments.port)))
4342
elif(arguments.stdin and arguments.wordlist):
4443
if not os.path.exists(arguments.wordlist):
44+
wordlist.extend(list(line for line in sys.stdin.read().splitlines()))
4545
print("[!] Wordlist %s doesn't exist and can't be appended to stdin." % arguments.wordlist)
4646
print("[+] Starting virtual host scan for %s using port %s and stdin data" % (arguments.target_hosts,
4747
str(arguments.port)))
4848
else:
49-
wordlist_file = open(arguments.wordlist).read().splitlines()
50-
wordlist.extend(wordlist_file)
49+
wordlist.extend(list(line for line in open(arguments.wordlist).read().splitlines()))
5150
print("[+] Starting virtual host scan for %s using port %s, stdin data, and wordlist %s" % (arguments.target_hosts,
5251
str(arguments.port),
5352
arguments.wordlist))
5453
else:
55-
# if no stdin, or wordlist pass, open default wordlist location
56-
wordlist_file = open("./wordlists/virtual-host-scanning.txt").read().splitlines()
57-
wordlist.extend(wordlist_file)
58-
print("[+] Starting virtual host scan for %s using port %s and wordlist %s" % (arguments.target_hosts,
59-
str(arguments.port),
60-
"./wordlists/virtual-host-scanning.txt"))
61-
54+
if not arguments.wordlist:
55+
wordlist.extend(list(line for line in open("./wordlists/virtual-host-scanning.txt").read().splitlines()))
56+
print("[+] Starting virtual host scan for %s using port %s and wordlist %s" % ( arguments.target_hosts,
57+
str(arguments.port),
58+
"./wordlists/virtual-host-scanning.txt"))
59+
else:
60+
if not os.path.exists(arguments.wordlist):
61+
print("[!] Wordlist %s doesn't exist, unable to scan." % arguments.wordlist)
62+
sys.exit()
63+
else:
64+
wordlist.extend(list(line for line in open(arguments.wordlist).read().splitlines()))
65+
print("[+] Starting virtual host scan for %s using port %s and wordlist %s" % ( arguments.target_hosts,
66+
str(arguments.port),
67+
str(arguments.wordlist)))
68+
6269
if(arguments.ssl):
6370
print("[>] SSL flag set, sending all results over HTTPS")
6471

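Review bot: in the `elif(arguments.stdin and arguments.wordlist)` branch the `else:` side (wordlist file exists) never reads `sys.stdin`; it only extends `wordlist` from the file yet prints "using port %s, stdin data, and wordlist %s", so `cat names | VHostScan.py -t host -w list.txt -` silently drops the piped data. The new `wordlist.extend(list(line for line in sys.stdin.read().splitlines()))` was added only to the missing-file side of that `if`; move the stdin read above the `os.path.exists` check so both sides get it. The same read-and-extend one-liner now appears four times; a small helper that takes a file object would remove the duplication, let you open the wordlist with `with open(...)` so the handle is closed, and give one place to drop blank or whitespace-only lines, which otherwise become empty virtual host candidates. Finally, the two missing-wordlist paths behave differently: with `-` the scan continues after a "[!] Wordlist ... doesn't exist" warning, without it the script calls `sys.exit()`; pick one behaviour and document it.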