14

I have to determine if a given subnet has virtual hosts.

Are there any ideas about what switches to use?

schroeder
  • 123,438
  • 55
  • 284
  • 319
py_script
  • 781
  • 2
  • 7
  • 10
  • I want to clarify something.This exercise was a past paper at a laboratory examination.So I dont have the comfort to write a script.I have to do it with nmap switces. – py_script Apr 03 '11 at 10:53
  • 1
    I added "virtual machines" to the question title based on your comment. But I'm puzzled now, after the accepted answer seems to focus on vhosts (multiple dns names sharing one web server and ip address). Of course the whole vhost setup can be within a virtual machine - is that what they meant? Should we change the question back to vhosts? – nealmcb Apr 15 '11 at 16:10

5 Answers5

11

You could use the Metasploit Framework HTTP Virtual Host Brute Force Scanner module.

Nmap is best launched from inside Metasploit. See the Metasploit Unleashed (free training available from Offensive-Security) section on Port Scanning for more information.

If the target IP address is available from the global Internet, then I suggest you also check out MyIPNeighbors and SHODAN, which are incredibly resourceful for this sort of reconnaissance activity.

Identification of caching servers, CDN infrastructure, reverse web proxies, load-balancers, internal IP prefixes, archived content, and associated hosts may also help during the investigation of virtual hosted infrastructure. Be sure to check out tools such as the Host/IP Pattern Extraction Tool (host-extract.rb), Halberd, The Web Archive, HTTP Archive, and W3AF.

To circle back to your original question, it is possible to scan for vhosts using an NSE (Nmap Scripting Engine) script called http-vhosts. However, it's good to know the intricacies of the entire target architecture before settling on a final decision about what has been / has not been discovered.

Typically, I find it easier to first find a path disclosure vulnerability that leads to a file read inclusion vulnerability -- and then to download the web server configuration in order to go through it manually. Or email/phone/text/DM/FaceBook-message the web server administrator who has access and then ask him or her for a copy of the web server configs.

If you are on local LAN (force with --send-eth), you can map the MAC Address' OUI 12-bit extension identifier map to the org assigned by the IEEE Registry Authority. Nessus and some other tools do this by default. My favorite is NetworkMiner of the traffic, as it also provides a sample of packet analysis and gives a good view of what happened for proactive troubleshooting.

atdre
  • 18,885
  • 6
  • 58
  • 107
4

The following link has a good overview of this :

http://lab.lonerunners.net/blog/virtual-host-and-dns-names-enumeration-techniques

Covers: 1. Why you need to enumerate 2. Techniques 2.1 DNS enumeration techniques 2.2 Banner grabbing 2.3 SSL/TLS Protocol enumeration techniques 2.4 HTTP Protocol enumeration techniques 2.5 Passive web enumeration techniques 2.6 Active web enumeration techniques

David Stubley
  • 2,886
  • 1
  • 17
  • 28
4

If it is a local subnet, you can get the MAC addresses of the hosts and check if they belong to vmware or other companies. Usually nobody bothers changing them. nmap will tell you too with -A switch etc.

john
  • 10,968
  • 1
  • 36
  • 43
3

At the bottom David Stubley's linked page is a link to a Ruby tool called hostmap that looks promising.

http://hostmap.lonerunners.net/

Hendrik Brummermann
  • 27,118
  • 6
  • 79
  • 121
csvx
  • 31
  • 2
1

All the KVM VMs ports are filtered by the KVM host, so on a LAN you can select any arbitrary port (65535), and look for the filtered ones:

nmap -p 65535 192.168.0.0/24 -oG - | grep filtered| awk '{print $2,$3}'

But the firewalls and the KVM VMs should show up in this scan too.

ESXi hosts should have port 902 open:

nmap -p 902 192.168.0.0/24 -oG - | grep open | awk '{print $2,$3}'

The ESXi hosts should show up in that scan.

Shōgun8
  • 111
  • 3
  • This may help you find the hypervisor the machines are running on, but probably won't help find the actual virtual machines. – multithr3at3d May 07 '19 at 23:26