Script http-vhosts
Script types: portrule
Categories: discovery, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-vhosts.nse
Script Summary
Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames.
Each HEAD request provides a different Host header. The hostnames come from a built-in default list. Shows the names that return a document. Also shows the location of redirections.
The domain can be given as the http-vhosts.domain argument or deduced from the target's name. For example when scanning www.example.com, various names of the form <name>.example.com are tried.
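Seen from the server side, the pattern described above (one client, many HEAD requests, each with a different Host header) stands out in an access log that records the Host header. The following is an added example, not part of the Nmap documentation or of the script's code; the log layout, the function name find_vhost_sweeps, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout (constructed for this example): the Host request header is
# logged first, e.g. nginx '$http_host $remote_addr [$time_local] "$request" $status'.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})$'
)

def find_vhost_sweeps(lines, min_hosts=5, window=timedelta(seconds=60)):
    """Return {client_ip: sorted Host values} for clients whose HEAD requests used
    at least min_hosts different Host headers inside one sliding time window."""
    events = defaultdict(list)  # client ip -> [(timestamp, host header)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "HEAD":
            continue  # unparseable line or not a HEAD request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, m["host"].lower()))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            hosts = {h for _, h in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[ip] = sorted(hosts)  # hosts seen when the threshold was hit
                break
    return flagged

# Constructed sample: one client cycling Host headers, one ordinary client.
SAMPLE_LOG = [
    f'{n}.example.com 198.51.100.7 [12/Mar/2024:10:00:0{i} +0000] "HEAD / HTTP/1.1" {s}'
    for i, (n, s) in enumerate(
        [("www", 200), ("www2", 404), ("docs", 302), ("images", 200), ("mail", 404), ("dev", 404)])
] + [
    'www.example.com 203.0.113.20 [12/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200',
    'www.example.com 203.0.113.20 [12/Mar/2024:10:00:05 +0000] "HEAD / HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(find_vhost_sweeps(SAMPLE_LOG))
```

The threshold and window need tuning per site: a reverse proxy or monitoring probe that legitimately checks many virtual hosts from one address will also match.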
Script Arguments
- http-vhosts.filelist
file with the vhosts to try. Default nselib/data/vhosts-default.lst
- http-vhosts.collapse
The limit to start collapsing results by status code. Default 20
- http-vhosts.path
The path to try to retrieve. Default /.
- http-vhosts.domain
The domain that hostnames will be prepended to, for example example.com yields www.example.com, www2.example.com, etc. If not provided, a guess is made based on the hostname.
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap --script http-vhosts -p 80,8080,443 <target>
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vhosts:
| example.com: 301 -> http://www.example.com/
| www.example.com: 200
| docs.example.com: 302 -> https://www.example.com/docs/
|_images.example.com: 200
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html
action
- action (host, port)
Script action
Parameters
- host: table
- port: table