Merge branch 'master' into codingo-refactoring

Author: codingo

README.md

@@ -1,6 +1,19 @@
 # VHostScan
 A virtual host scanner that detects catch-all scenarios and attempts to work around dynamic default pages
 
-# Credit / Origins
+[![Python 3.2|3.6](https://img.shields.io/badge/python-3.2|3.6-green.svg)](https://www.python.org/) [![License](https://img.shields.io/badge/license-GPL3-_red.svg)](https://www.gnu.org/licenses/gpl-3.0.en.html) [![Twitter](https://img.shields.io/badge/twitter-@____timk-blue.svg)](https://twitter.com/__timk) [![Twitter](https://img.shields.io/badge/twitter-@codingo__-blue.svg)](https://twitter.com/codingo_)
 
-The original class for this project was taken from [Reconnoitre](https://github.com/codingo/Reconnoitre) which adapted virtual host discovery code from [teknogeek's virtual-host-scan](https://github.com/teknogeek/virtual-host-discovery-py).
+## Usage
+
+| Argument        | Description |
+| ------------- |:-------------|
+| -h, --help | Display help message and exit |
+| -t TARGET_HOSTS | Set the target host. |
+| -b BASE_HOST   | Set host to be used during substitution in wordlist (default to TARGET).|
+| -w WORDLIST | Set the wordlist to use for generated commands. Ex /usr/share/wordlist.txt |
+| -p PORT  | Set the port to use (default 80). |
+| -r REAL_PORT | The real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT). |
+| --ignore-http-codes IGNORE_HTTP_CODES | Comma separated list of http codes to ignore with virtual host scans (default 404). |
+| --ignore-content-length IGNORE_CONTENT_LENGTH | Ignore content lengths of specificed amount. |
+| --unique-depth UNIQUE_DEPTH | Show likely matches of page content that is found x times (default 1). |
+| --ssl | If set then connections will be made over HTTPS instead of HTTP. |

VHostScan.py

@@ -7,7 +7,7 @@
 
 
 def print_banner():
-    print("+-+-+-+-+-+-+-+-+-+  v. 0.1")
+    print("+-+-+-+-+-+-+-+-+-+  v. 0.2")
     print("|V|H|o|s|t|S|c|a|n|  Developed by @codingo_ & @__timk")
     print("+-+-+-+-+-+-+-+-+-+  https://github.com/codingo/VHostScan\n")
 
@@ -17,7 +17,9 @@ def main():
     parser = ArgumentParser()
     parser.add_argument("-t",   dest="target_hosts", required=True, help="Set a target range of addresses to target. Ex 10.11.1.1-255" )
     parser.add_argument("-w",   dest="wordlist", required=False, type=str, help="Set the wordlist to use (default ./wordlists/virtual-host-scanning.txt)", default="./wordlists/virtual-host-scanning.txt")
+    parser.add_argument("-b",   dest="base_host", required=False, help="Set host to be used during substitution in wordlist (default to TARGET).", default=False)
     parser.add_argument("-p",   dest="port", required=False, help="Set the port to use (default 80).", default=80)
+    parser.add_argument("-r",   dest="real_port", required=False, help="The real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT).", default=False)
 
     parser.add_argument('--ignore-http-codes', dest='ignore_http_codes', type=str, help='Comma separated list of http codes to ignore with virtual host scans (default 404).', default='404')
     parser.add_argument('--ignore-content-length', dest='ignore_content_length', type=int, help='Ignore content lengths of specificed amount (default 0).', default=0)
@@ -41,7 +43,7 @@ def main():
     if(arguments.ignore_content_length > 0):
         print("[>] Ignoring Content length: %s" % (arguments.ignore_content_length))
 
-    scanner = virtual_host_scanner(arguments.target_hosts, arguments.port, arguments.ssl, arguments.unique_depth, 
+    scanner = virtual_host_scanner(arguments.target_hosts, arguments.base_host, arguments.port, arguments.real_port, arguments.ssl, arguments.unique_depth, 
                                    arguments.ignore_http_codes, arguments.ignore_content_length, arguments.wordlist)
 
     scanner.scan()
@@ -50,4 +52,4 @@ def main():
     for p in scanner.likely_matches(): print("  [>] %s" % p)
 
 if __name__ == "__main__":
-    main()
+    main()

lib/core/virtual_host_scanner.py

@@ -17,10 +17,12 @@ class virtual_host_scanner(object):
         output: folder to write output file to
     """
 
-    def __init__(self, target, port=80, ssl=False, unique_depth=1, ignore_http_codes='404', ignore_content_length=0, 
+    def __init__(self, target, base_host, port=80, real_port=80, ssl=False, unique_depth=1, ignore_http_codes='404', ignore_content_length=0, 
                  wordlist="./wordlists/virtual-host-scanning.txt"):
         self.target = target
-        self.port = port
+        self.base_host = base_host
+        self.port = int(port)
+        self.real_port = int(real_port)
         self.ignore_http_codes = list(map(int, ignore_http_codes.replace(' ', '').split(',')))
         self.ignore_content_length = ignore_content_length
         self.wordlist = wordlist
@@ -34,11 +36,17 @@ def __init__(self, target, port=80, ssl=False, unique_depth=1, ignore_http_codes
     def scan(self):
         virtual_host_list = open(self.wordlist).read().splitlines()
 
+        if not self.base_host:
+            self.base_host = self.target
+
+        if not self.real_port:
+            self.real_port = self.port
+
         for virtual_host in virtual_host_list:
-            hostname = virtual_host.replace('%s', self.target)
+            hostname = virtual_host.replace('%s', self.base_host)
 
             headers = {
-                'Host': hostname if self.port == 80 else '{}:{}'.format(hostname, self.port),
+                'Host': hostname if self.real_port == 80 else '{}:{}'.format(hostname, self.real_port),
                 'Accept': '*/*'
             }
 
@@ -87,4 +95,4 @@ def likely_matches(self):
         segmented_data = dataframe.groupby("val_col").filter(lambda x: len(x) <= self.unique_depth)
         matches = ((segmented_data["key_col"].values).tolist())
 
-        return matches
+        return matches