Totally agree! 
I created a ticket in the trac [0] for it.

[0] https://sourceforge.net/apps/trac/w3af/ticket/162539


On Wed, 2011-04-06 at 13:04 +0200, Andres Riancho wrote:
> Taras,
> 
> On Tue, Mar 15, 2011 at 11:14 PM, Taras <ox...@oxdef.info> wrote:
> > Hi, all!
> >
> > What do you think about making some kind of port of host-extract tool
> > described below in w3af? It can be a grep plugin. We already have
> > privateIP grep plugin but it is useful in some cases to extract also
> > hosts/IPs which are different than target (not only private IPs).
> 
>     After thinking about this for a while, I think that we might
> already have 90% of this tool within w3af. As you said, grep.privateIP
> will find the private ip addresses, and what we're missing now are the
> external hosts. We have a pretty good HTML/PDF parser that will
> extract links, but only if they look like (http|https)://... . We
> could create a grep plugin that would use their nasty regular
> expression [0], line 232 and their false positive reduction (line
> 252).
> 
>     That should be an easy task that almost anyone in the community
> could perform, so I invite our users and potential contributors to
> step up and try to do it :) We'll be here to help you out along the
> way.
> 
> [0] http://code.google.com/p/host-extract/source/browse/trunk/host-extract.rb
> 
> Regards,
> 
> >
> > -------- Forwarded Message --------
> > From: YGN Ethical Hacker Group <li...@yehg.net>
> > To: full-disclosure <full-disclos...@lists.grok.org.uk>,
> > websecur...@webappsec.org
> > Subject: [WEB SECURITY] [new tool announcement] host-extract
> > Date: Mon, 14 Mar 2011 00:46:18 +0800
> >
> > Host-Extract | Host/IP Pattern Extractor
> > ===============================
> >
> > category: /pentest/enumeration/www
> > useful area: blackbox testing
> >
> >
> > This little ruby script tries to extract all IP/Host patterns in page
> > response of a given URL and JavaScript/CSS files of that URL.
> >
> > With it, you can quickly identify internal IPs/Hostnames, development
> > IPs/ports, cdn, load balancers, additional attack entries related to
> > your target that are revealed in inline js, css, html comment areas
> > and js/css files.
> >
> > This is unlike web crawler which looks for new links only in anchor
> > tags (<a) or the like.
> >
> > In some cases, host-extract may give you false positives when there
> > are some words like - main-site_ver_10.2.1.3.swf.
> >
> > With -v option, you can ask the tool to output html view-source
> > snippets for each IP/Domain extracted. This will shorten your manual
> > analysis time.
> >
> > Please go to http://host-extract.googlecode.com/ for more info.
> >
> >
> > Download/Update
> > ==============
> > svn co http://host-extract.googlecode.com/svn/trunk/ host-extract
> >
> >
> > Tutorial Wiki
> > ==========
> >
> > Sebastien Damaye from aldeid.com has prepared a thorough host-extract
> > tutorial with real-world famous web sites.
> >
> > http://aldeid.com/index.php/Host-extract
> >
> >
> >
> > --
> > Taras
> > http://oxdef.info
> > ----
> > "Software is like sex: it's better when it's free." - Linus Torvalds
> >
> >
> >
> > _______________________________________________
> > W3af-develop mailing list
> > W3af-develop@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >
> 
> 
> 

-- 
Taras
http://oxdef.info
----
"Software is like sex: it's better when it's free." - Linus Torvalds
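
Added example, not part of the original thread and not code from w3af or host-extract: a Python illustration of the extraction idea discussed above, pulling host/IP patterns out of a response body, dropping the target itself, and rejecting the `main-site_ver_10.2.1.3.swf` style of false positive. The function name, both regular expressions, the TLD allow-list and the sample body are assumptions made for this example; it does not reproduce host-extract's own expression.

```python
import ipaddress
import re

# Assumption: a deliberately tiny TLD allow-list for the demo; it drops
# file names such as "app.js" that are merely shaped like host names.
KNOWN_TLDS = {"com", "net", "org", "local", "internal"}

# Guards on both sides reject dotted runs embedded in a longer token,
# e.g. the "10.2.1.3" inside "main-site_ver_10.2.1.3.swf".
LEFT = r"(?<![\w.\-])"
RIGHT = r"(?![\w\-]|\.\w)"
IPV4_RE = re.compile(LEFT + r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?" + RIGHT)
HOST_RE = re.compile(
    LEFT + r"((?:[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?\.)+([a-z]{2,24}))" + RIGHT,
    re.I,
)


def extract_foreign_hosts(body, target_host):
    """Return sorted (value, kind) pairs for hosts/IPs other than the target."""
    target = target_host.lower()
    found = set()
    for m in IPV4_RE.finditer(body):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # octet > 255, e.g. a build number "300.1.2.3"
            continue
        if str(ip) != target:
            kind = "private-ip" if ip.is_private else "public-ip"
            found.add((str(ip), kind))
    for m in HOST_RE.finditer(body):
        host, tld = m.group(1).lower(), m.group(2).lower()
        if tld in KNOWN_TLDS and host != target:
            found.add((host, "host"))
    return sorted(found)


# Constructed sample response body (not taken from any real site).
SAMPLE_BODY = """<html><!-- staging copy lives on 192.168.10.25:8080 -->
<script src="http://cdn.example-static.net/app.js"></script>
<script>var api = "https://dev-api.example.org/v1";
var swf = "main-site_ver_10.2.1.3.swf";</script>
<a href="http://www.example.com/about">About</a> build 300.1.2.3
</html>"""

if __name__ == "__main__":
    for value, kind in extract_foreign_hosts(SAMPLE_BODY, "www.example.com"):
        print(kind, value)
```
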


