
Re: Testing virtual hosts

Subject: Re: Testing virtual hosts
Date: Thu, 24 Nov 2005 15:52:10 +0100
I got 1 response in a private mail on this, but the information wasn't quite what I was looking for, so I'll try again.

We have a server running a bunch of vhosts, and people have various PHP/Perl/etc. scripts on their websites. We know there are vulnerable scripts on some of the websites, but Nessus doesn't find those, because it's just scanning the web server itself.

I was hoping that the use of ip[domain] would make Nessus able to scan the vhosts directly, but as said it didn't quite do that. Am I misunderstanding the mail below, or something?

Maybe Nessus isn't the right tool to do this, but in the past we have had a lot of good use from Nessus to find a bunch of poorly configured servers. But maybe you guys can recommend a better tool for this type of web server scanning?


--

  Jesper S. Jensen
Basisnet og Sikkerhed
Uni-C - Århus, Danmark
   +45 8937-6666


-------- Original Message --------
Subject: Testing virtual hosts
Date: Tue, 08 Nov 2005 11:06:20 +0100
From: Jesper S. Jensen <jsj@uni-c.dk>
To: nessus@list.nessus.org

I'm looking for a way to scan for vulnerable php-scripts and the like. I'm
trying to scan my domain on my webserver, but I can't quite get Nessus
to do it. It scans the webserver just fine, but it seems it's not able
to scan the vhost running on it.

I've found the mail below in the mailing list archive, and from that I
gather that I should just tell nessus to scan "127.0.0.1[www.foo.bar]"
(with my IP/domain in it), and that's what I've tried. But it still just
scans the webserver itself.

I'm wondering if I'm getting this wrong, and that Nessus isn't able to
do what I want, or if I'm doing something wrong? I hope you guys can
help me out.


-------- Original Message --------
Subject: Re: Testing virtual hosts
Date: Tue, 21 Oct 2003 08:13:46 -0400
From: Renaud Deraison <deraison@nessus.org>
To: nessus@list.nessus.org
References: <Pine.LNX.4.44.0310210936110.9843-100000@courgette.jml.net> <20031021110726.D102338108@mail.secnap.net>

On Tue, Oct 21, 2003 at 07:07:26AM -0400, Michael Scheidell wrote:
> > Perhaps a silly question but a quick search couldn't find the answer. How
> > does nessus handle the scanning of a host running a webserver that
> > provides several virtual hosts?
>
> If you select 'reverse dns' or you use the web server NAME, then all
> (most) of the http functions will use http/1.1 calls with the appropriate
> headers.


No, you just need to enter the name of the target host and that's it. If
the DNS<->IP has not been done (ie: because the server has not been
put in production yet) you can force it in Nessus by giving the host
name between brackets. Ie: "127.0.0.1[www.foo.bar]" will test 127.0.0.1
and all the HTTP requests will have the Host: header set to www.foo.bar.


-- Renaud

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
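
The "ip[name]" target form described in the quoted 2003 reply, as an added example that is not part of the original thread and is not Nessus code: it parses the target, connects to the IP, and sends the bracketed name in the Host: header. The local test server, the second vhost name shop.foo.bar, and the function names are assumptions made for illustration.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table standing in for a name-based virtual host setup.
SITES = {"www.foo.bar": b"foo.bar site", "shop.foo.bar": b"shop site"}

class VhostHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # content is selected by the Host header only
        name = self.headers.get("Host", "").split(":")[0].lower()
        body = SITES.get(name, b"default server page")
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # keep the demo quiet

def parse_target(target):
    """Split 'ip[name]' into (address to connect to, Host header value)."""
    m = re.fullmatch(r"([^\[\]\s]+)(?:\[([^\[\]\s]+)\])?", target.strip())
    if not m:
        raise ValueError(f"bad target: {target!r}")
    addr, name = m.groups()
    return addr, name or addr  # no brackets: Host is the address itself

def fetch(target, port):
    """Connect to the address, but send the bracketed name as Host."""
    addr, host = parse_target(target)
    conn = http.client.HTTPConnection(addr, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host})
        return conn.getresponse().read()
    finally:
        conn.close()

def demo():
    server = HTTPServer(("127.0.0.1", 0), VhostHandler)  # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    targets = ("127.0.0.1", "127.0.0.1[www.foo.bar]", "127.0.0.1[shop.foo.bar]")
    try:
        return {t: fetch(t, server.server_address[1]) for t in targets}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for target, body in demo().items():
        print(target, "->", body.decode())
```

A bare IP target reaches only the default site, while each bracketed name reaches its own vhost, so a server with many vhosts needs one target entry per name.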
