From 8eb17c7149f5b68d22a9de8ef4e567ee6c8454aa Mon Sep 17 00:00:00 2001
From: Andres Julian Lopez
Date: Sun, 1 Oct 2017 14:19:57 +0200
Subject: [PATCH 1/4] Closes #43 - Added reverse lookup support for new targets

---
 VHostScan.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/VHostScan.py b/VHostScan.py
index c439478..95df847 100644
--- a/VHostScan.py
+++ b/VHostScan.py
@@ -3,6 +3,8 @@
 import os
 import sys
 from argparse import ArgumentParser
+from dns.resolver import Resolver
+from socket import gethostbyaddr
 from lib.core.virtual_host_scanner import *
 from lib.helpers.output_helper import *
 from lib.core.__version__ import __version__
@@ -78,6 +80,12 @@ def main():
 if(arguments.ignore_content_length > 0):
 print("[>] Ignoring Content length: %s" % (arguments.ignore_content_length))
 
+ for ip in Resolver().query(arguments.target_hosts, 'A'):
+ host, aliases, ips = gethostbyaddr(str(ip))
+ wordlist.append(str(ip))
+ wordlist.append(host)
+ wordlist.extend(aliases)
+
 scanner_args = vars(arguments)
 scanner_args.update({'target': arguments.target_hosts, 'wordlist': wordlist})
 scanner = virtual_host_scanner(**scanner_args)

From 37a38155dd7fde19be9a3b2a600255f6bae9eec1 Mon Sep 17 00:00:00 2001
From: codingo
Date: Mon, 2 Oct 2017 02:28:39 -0400
Subject: [PATCH 2/4] Added --no-lookups flag

---
 VHostScan.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/VHostScan.py b/VHostScan.py
index 95df847..93afc06 100644
--- a/VHostScan.py
+++ b/VHostScan.py
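Review bot: The reverse-lookup loop added after the Content-length message has no error handling, so a single unresolvable input aborts the whole scan: `Resolver().query()` raises (NXDOMAIN, NoAnswer, Timeout, NoNameservers) when `target_hosts` has no A record — an IP literal given as the target is looked up as a DNS name and will normally fail the same way — and `gethostbyaddr()` raises `socket.herror` for every address without a PTR record. The same unguarded calls are carried into the `if not arguments.no_lookup:` hunk of the second patch (`@@ -80,11 +81,12 @@`), so the fix belongs there as well; the rewrite below catches both failures, reports them in the file's existing `print("[>] ...")` style, still appends the bare IP, and needs `DNSException` from `dns.exception` and `herror` from `socket` added to the import hunk. None of the four diffstats in this series touches requirements.txt, which the README's `pip install -r requirements.txt` step relies on, so `dnspython` (the package that provides `dns.resolver`) appears to be an undeclared dependency — worth confirming. main() begins and ends outside the hunk.
```python
    try:
        answers = Resolver().query(arguments.target_hosts, 'A')
    except DNSException as e:  # NXDOMAIN, NoAnswer, Timeout, NoNameservers
        print("[>] Forward lookup of %s failed, skipping reverse lookups: %s" % (arguments.target_hosts, e))
        answers = []
    for ip in answers:
        wordlist.append(str(ip))
        try:
            host, aliases, _ = gethostbyaddr(str(ip))  # third element (addresses) is not needed
        except herror:  # address has no PTR record
            continue
        wordlist.append(host)
        wordlist.extend(aliases)
    # … unchanged: scanner_args construction and scanner start …
```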
@@ -30,11 +30,12 @@ def main():
 parser.add_argument('--unique-depth', dest='unique_depth', type=int, help='Show likely matches of page content that is found x times (default 1).', default=1)
 parser.add_argument("--ssl", dest="ssl", action="store_true", help="If set then connections will be made over HTTPS instead of HTTP (default http).", default=False)
 parser.add_argument("--fuzzy-logic", dest="fuzzy_logic", action="store_true", help="If set then fuzzy match will be performed against unique hosts (default off).", default=False)
+ parser.add_argument("--no-lookups", dest="no_lookup", action="store_true", help="Disable reverse lookups (identifies new targets and appends to wordlist).", default=False)
 parser.add_argument("--rate-limit", dest="rate_limit", type=int, help='Amount of time in seconds to delay between each scan (default 0).', default=0)
 parser.add_argument("--waf", dest="add_waf_bypass_headers", action="store_true", help="If set then simple WAF bypass headers will be sent.", default=False)
 parser.add_argument("-oN", dest="output_normal", help="Normal output printed to a file when the -oN option is specified with a filename argument." )
 parser.add_argument("-", dest="stdin", action="store_true", help="By passing a blank '-' you tell VHostScan to expect input from stdin (pipe).", default=False)
-
+
 arguments = parser.parse_args()
 wordlist = list()
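Review bot: The new `--no-lookups` option stores into `dest="no_lookup"`, so the flag name and the attribute disagree in number while every neighbouring option keeps them aligned (`--fuzzy-logic`/`fuzzy_logic`, `--rate-limit`/`rate_limit`); `dest="no_lookups"`, with `arguments.no_lookups` at the use site in the next hunk, would keep the convention. The help text "Disable reverse lookups (identifies new targets and appends to wordlist)" describes what the lookups do rather than what the flag does, so it reads as if disabling them is what identifies targets; something like `help="Disable the reverse DNS lookups that otherwise add the target's IPs, PTR names and aliases to the wordlist (lookups are enabled by default)."` is unambiguous. The `-`/`+` pair at the end of the hunk only replaces a whitespace-only line with an empty one. main() continues outside the hunk.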
@@ -80,11 +81,12 @@ def main():
 if(arguments.ignore_content_length > 0):
 print("[>] Ignoring Content length: %s" % (arguments.ignore_content_length))
 
- for ip in Resolver().query(arguments.target_hosts, 'A'):
- host, aliases, ips = gethostbyaddr(str(ip))
- wordlist.append(str(ip))
- wordlist.append(host)
- wordlist.extend(aliases)
+ if not arguments.no_lookup:
+ for ip in Resolver().query(arguments.target_hosts, 'A'):
+ host, aliases, ips = gethostbyaddr(str(ip))
+ wordlist.append(str(ip))
+ wordlist.append(host)
+ wordlist.extend(aliases)
 
 scanner_args = vars(arguments)
 scanner_args.update({'target': arguments.target_hosts, 'wordlist': wordlist})

From 4a6e345948d669c71239dc0f668766a7dfcac01b Mon Sep 17 00:00:00 2001
From: codingo
Date: Mon, 2 Oct 2017 02:32:12 -0400
Subject: [PATCH 3/4] Added --no-lookups description

---
 README.md | 2 ++
 VHostScan.py | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 5373f1e..ad84658 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@ A virtual host scanner that can be used with pivot tools, detect catch-all scena
 * Work over HTTP and HTTPS
 * Ability to set the real port of the webserver to use in headers when pivoting through ssh/nc
 * Add simple response headers to bypass some WAF products
+* Identify new targets by using reverse lookups and append to wordlist
 
 ## Product Comparisons
 
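Review bot: Everything the lookup yields is appended to `wordlist` unconditionally inside the new `if not arguments.no_lookup:` block, so a PTR name or alias the user already has in the list (typically the target's own hostname) is scanned twice, unless `virtual_host_scanner` deduplicates, which is not visible here. Guarding each append, e.g. `for name in [str(ip), host] + list(aliases):` / `    if name not in wordlist:` / `        wordlist.append(name)`, keeps the list free of repeats at negligible cost for a wordlist-sized list. `ips` from the `gethostbyaddr` triple is never read and would conventionally be `_`. The enclosing main() starts and ends outside the hunk.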
@@ -40,6 +41,7 @@ $ pip install -r requirements.txt
 | --unique-depth UNIQUE_DEPTH | Show likely matches of page content that is found x times (default 1). |
 | --ssl | If set then connections will be made over HTTPS instead of HTTP. |
 | --fuzzy-logic | If set then all unique content replies are compared and a similarity ratio is given for each pair. This helps to isolate vhosts in situations where a default page isn't static (such as having the time on it). |
+| --no-lookups | Disbale reverse lookups (identifies new targets and append to wordlist, on by default). |
 | --rate-limit | Amount of time in seconds to delay between each scan (default 0). |
 | --waf | If set then simple WAF bypass headers will be sent. |
 | -oN OUTPUT_NORMAL | Normal output printed to a file when the -oN option is specified with a filename argument. |
diff --git a/VHostScan.py b/VHostScan.py
index 93afc06..8fa5c84 100644
--- a/VHostScan.py
+++ b/VHostScan.py
@@ -30,7 +30,7 @@ def main():
 parser.add_argument('--unique-depth', dest='unique_depth', type=int, help='Show likely matches of page content that is found x times (default 1).', default=1)
 parser.add_argument("--ssl", dest="ssl", action="store_true", help="If set then connections will be made over HTTPS instead of HTTP (default http).", default=False)
 parser.add_argument("--fuzzy-logic", dest="fuzzy_logic", action="store_true", help="If set then fuzzy match will be performed against unique hosts (default off).", default=False)
- parser.add_argument("--no-lookups", dest="no_lookup", action="store_true", help="Disable reverse lookups (identifies new targets and appends to wordlist).", default=False)
+ parser.add_argument("--no-lookups", dest="no_lookup", action="store_true", help="Disable reverse lookups (identifies new targets and appends to wordlist, on by default).", default=False)
 parser.add_argument("--rate-limit", dest="rate_limit", type=int, help='Amount of time in seconds to delay between each scan (default 0).', default=0)
 parser.add_argument("--waf", dest="add_waf_bypass_headers", action="store_true", help="If set then simple WAF bypass headers will be sent.", default=False)
 parser.add_argument("-oN", dest="output_normal", help="Normal output printed to a file when the -oN option is specified with a filename argument." )

From d9b2a3d14292821b9d5df67dd37bf4f31e3f0f26 Mon Sep 17 00:00:00 2001
From: codingo
Date: Mon, 2 Oct 2017 02:33:09 -0400
Subject: [PATCH 4/4] Updated version number

---
 lib/core/__version__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/core/__version__.py b/lib/core/__version__.py
index a071974..6331142 100644
--- a/lib/core/__version__.py
+++ b/lib/core/__version__.py
@@ -2,5 +2,5 @@
 # |V|H|o|s|t|S|c|a|n| Developed by @codingo_ & @__timk
 # +-+-+-+-+-+-+-+-+-+ https://github.com/codingo/VHostScan
-__version__ = '1.1'
+__version__ = '1.2'
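Review bot: The reworded help string `"Disable reverse lookups (identifies new targets and appends to wordlist, on by default)."` attaches "on by default" to a flag whose `default=False`, so a reader cannot tell whether the option or the lookups are on by default. Naming the behaviour being switched off, e.g. `help="Disable reverse lookups (on by default; they identify new targets and append them to the wordlist)."`, removes the ambiguity. The README row added earlier in this patch carries the same phrasing plus the typo `Disbale`, so both should be reworded together. main() continues outside the hunk.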