File http-vhosts
Script types:
portrule
Categories:
discovery, intrusive
Download: http://nmap.org/svn/scripts/http-vhosts.nse
User Summary
Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames.
Each HEAD request provides a different
Host header. The hostnames come from a built-in default
list. Shows the names that return a document. Also shows the location of
redirections.
The domain can be given as the http-vhosts.domain argument or
deduced from the target's name. For example when scanning www.example.com,
various names of the form <name>.example.com are tried.
Script Arguments
http-vhosts.filelist
file with the vhosts to try. Default nselib/data/vhosts-default.lst
http-vhosts.collapse
The limit to start collapsing results by status code. Default 20
http-vhosts.path
The path to try to retrieve. Default /.
http-vhosts.domain
The domain that hostnames will be prepended to, for
example example.com yields www.example.com, www2.example.com,
etc. If not provided, a guess is made based on the hostname.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent
See the documentation for the http library.Example Usage
nmap --script http-vhosts -p 80,8080,443 <target>
Script Output
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-vhosts: | example.com: 301 -> http://www.example.com/ | www.example.com: 200 | docs.example.com: 302 -> https://www.example.com/docs/ |_images.example.com: 200
Requires
Author: Carlos Pantelides
License: Same as Nmap--See http://nmap.org/book/man-legal.html