Merge pull request #45 from xuvez/master

Closes #43 - Added reverse lookup support for new targets

README.md

@@ -12,6 +12,7 @@ A virtual host scanner that can be used with pivot tools, detect catch-all scena
 * Work over HTTP and HTTPS
 * Ability to set the real port of the webserver to use in headers when pivoting through ssh/nc
 * Add simple response headers to bypass some WAF products
+* Identify new targets by using reverse lookups and append to wordlist
 
 ## Product Comparisons
 
@@ -40,6 +41,7 @@ $ pip install -r requirements.txt
 | --unique-depth UNIQUE_DEPTH | Show likely matches of page content that is found x times (default 1). |
 | --ssl | If set then connections will be made over HTTPS instead of HTTP. |
 | --fuzzy-logic | If set then all unique content replies are compared and a similarity ratio is given for each pair. This helps to isolate vhosts in situations where a default page isn't static (such as having the time on it). |
+| --no-lookups | Disbale reverse lookups (identifies new targets and append to wordlist, on by default). | 
 | --rate-limit | Amount of time in seconds to delay between each scan (default 0). |
 | --waf | If set then simple WAF bypass headers will be sent. |
 | -oN OUTPUT_NORMAL | Normal output printed to a file when the -oN option is specified with a filename argument. |

VHostScan.py

@@ -3,6 +3,8 @@
 import os
 import sys
 from argparse import ArgumentParser
+from dns.resolver import Resolver
+from socket import gethostbyaddr
 from lib.core.virtual_host_scanner import *
 from lib.helpers.output_helper import *
 from lib.core.__version__ import __version__
@@ -28,11 +30,12 @@ def main():
     parser.add_argument('--unique-depth', dest='unique_depth', type=int, help='Show likely matches of page content that is found x times (default 1).', default=1)
     parser.add_argument("--ssl", dest="ssl",   action="store_true", help="If set then connections will be made over HTTPS instead of HTTP (default http).", default=False)
     parser.add_argument("--fuzzy-logic", dest="fuzzy_logic", action="store_true", help="If set then fuzzy match will be performed against unique hosts (default off).", default=False)
+    parser.add_argument("--no-lookups", dest="no_lookup", action="store_true", help="Disable reverse lookups (identifies new targets and appends to wordlist, on by default).", default=False)
     parser.add_argument("--rate-limit", dest="rate_limit", type=int, help='Amount of time in seconds to delay between each scan (default 0).', default=0)
     parser.add_argument("--waf", dest="add_waf_bypass_headers",   action="store_true", help="If set then simple WAF bypass headers will be sent.", default=False)
     parser.add_argument("-oN",   dest="output_normal", help="Normal output printed to a file when the -oN option is specified with a filename argument." )
     parser.add_argument("-", dest="stdin", action="store_true", help="By passing a blank '-' you tell VHostScan to expect input from stdin (pipe).", default=False)
-    
+
     arguments = parser.parse_args()    
     wordlist = list()
 
@@ -78,6 +81,13 @@ def main():
     if(arguments.ignore_content_length > 0):
         print("[>] Ignoring Content length: %s" % (arguments.ignore_content_length))
 
+    if not arguments.no_lookup:
+        for ip in Resolver().query(arguments.target_hosts, 'A'):
+            host, aliases, ips = gethostbyaddr(str(ip))
+            wordlist.append(str(ip))
+            wordlist.append(host)
+            wordlist.extend(aliases)
+
     scanner_args = vars(arguments)
     scanner_args.update({'target': arguments.target_hosts, 'wordlist': wordlist})
     scanner = virtual_host_scanner(**scanner_args)

lib/core/__version__.py

@@ -2,5 +2,5 @@
 # |V|H|o|s|t|S|c|a|n|  Developed by @codingo_ & @__timk
 # +-+-+-+-+-+-+-+-+-+  https://github.com/codingo/VHostScan
 
-__version__ = '1.1'
+__version__ = '1.2'