Ok...I see where I was brain-dead. But - doesn't this mean
there's rather a deficiency in the fact that the
various CGI abuse scripts will in the vast majority of cases
NOT use the correct Host: parameter in the HTTP protocol
(when they even try to use that in the first place)?
This is based on the observation that the majority of
web servers out there do not rDNS resolve back to the
host name needed to properly retrieve web pages.
I'd suggest that the host name to be used can default
to the gethostbyaddr value, but it should be allowed
to be a SETTINGS parameter that can be configured during
configuration of a scan run...
Cheers, Thomas
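Added example (mine, not Nessus code) of the selection order proposed above: an explicit per-scan setting wins, else the reverse-DNS name the scanner uses today, else the dotted quad. The resolver is injected so it runs without network access; "http_host" as a settings name and the web5/10.0.0.5 data are constructed for the demo.

```c
#define _DEFAULT_SOURCE 1   /* strdup(), getnameinfo() declarations on glibc */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
/* Resolver hook: returns a malloc'ed name, or NULL when rDNS has nothing.
 * Injected so the Host: selection can be exercised without network access. */
typedef char *(*rdns_fn)(struct in_addr ip);

/* Reverse lookup via getnameinfo(). The address length is sizeof sa; the
 * quoted hg_get_name_from_ip() passes sizeof(long) to gethostbyaddr(),
 * which is 8 on LP64 systems and makes every lookup fail. */
char *rdns_getnameinfo(struct in_addr ip)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr = ip };
    char host[256];   /* any DNS name fits: 253 octets plus NUL */
    if (getnameinfo((struct sockaddr *)&sa, sizeof sa, host, sizeof host,
                    NULL, 0, NI_NAMEREQD) != 0)
        return NULL;
    return strdup(host);
}

/* Host: header value, in the order the thread proposes: an explicit per-scan
 * setting (hypothetical "http_host" parameter) wins; otherwise the rDNS name,
 * as the scanner does today; otherwise the dotted quad, so Host: is never empty. */
char *pick_http_host(const char *configured, struct in_addr ip, rdns_fn resolve)
{
    if (configured && *configured)
        return strdup(configured);
    char *name = resolve ? resolve(ip) : NULL;
    return name ? name : strdup(inet_ntoa(ip));
}
/* Constructed resolver: a shared host whose PTR names the box, not the vhost. */
char *fake_rdns(struct in_addr ip)
{
    return ip.s_addr == htonl(0x0A000005) ? strdup("web5.hosting.example") : NULL;
}
/* Self-check: does the policy yield `expected` for these inputs? */
int pick_matches(const char *configured, const char *ipstr, const char *expected)
{
    struct in_addr ip;
    if (inet_pton(AF_INET, ipstr, &ip) != 1)
        return 0;
    char *got = pick_http_host(configured, ip, fake_rdns);
    int ok = strcmp(got, expected) == 0;
    free(got);
    return ok;
}
```

Swap fake_rdns for rdns_getnameinfo in a scanner to get the real behaviour; the point is that the configured value, not the PTR record, is what reaches a virtual host.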
H D Moore wrote:
The call tree which gets the FQDN:
0 - get_host_name
1 - get_hostname
2 - plug_get_host_fqdn
3 - arg_get_value(desc, "FQDN")
4 - hg_get_name_from_ip(addr)
5 - gethostbyaddr()
ExtFunc
const char * plug_get_host_fqdn(desc)
    struct arglist * desc;
{
    struct arglist * hinfos = arg_get_value(desc, "HOSTNAME");
    if(hinfos) return((char*)arg_get_value(hinfos, "FQDN"));
    else return(NULL);
}
In nessus-core/nessusd/attack.c:attack_init_hostinfos()
    if(inet_aton(hostname, &addr) != 0)
    {
        char * f = (char*)hg_get_name_from_ip(addr);
        arg_add_value(hostinfos, "FQDN", ARG_STRING, strlen(f), estrdup(f));
        free(f);
    }
In ./nessus-libraries/libhosts_gatherer/hg_utils.c:
/*
 *
 * Get the FQDN from the IP
 *
 */
char *
hg_get_name_from_ip(ip)
    struct in_addr ip;
{
    char * ret = NULL;
    struct hostent * he = NULL;
    /* the quoted source passes sizeof(long) here; the length must be that
       of the address itself (sizeof(ip)), otherwise the lookup fails on
       64-bit hosts and every name silently falls back to the dotted quad */
    he = gethostbyaddr((char *)&ip, sizeof(ip), AF_INET);
    if(he)
    {
        int len = strlen(he->h_name);
        ret = malloc(len+1);
        bzero(ret, len+1);
        strncpy(ret, he->h_name, len);
    }
    else
        ret = strdup(inet_ntoa(ip));
    return(ret);
}
On Monday 28 October 2002 08:42 pm, Thomas Reinke wrote:
I've been doing a bit of digging on how virtual web servers
are tested (or in many cases, not) reliably, and have noticed
some usage of the function "get_host_name". In an attempt
to backtrack where the data being retrieved is set for this
function call, I'm running into a dead-end with the .c function
"plug_add_host". Dead-end, because I can't find anywhere in
the entire Nessus source tree where this routine is called.
-
[EMAIL PROTECTED]: general discussions about Nessus.
* To unsubscribe, send a mail to [EMAIL PROTECTED] with
"unsubscribe nessus" in the body.