Description
Request:
When using the -x flag to import targets from a Nessus file, Eyewitness should optionally (or always) include additional hosts based on potential hostnames discovered within that file/scan.
Specifically, if Nessus identifies hostnames such as those listed in SSL certificates (e.g., Common Name (CN) or Subject Alternative Names (SANs)), Eyewitness should automatically generate additional requests for those hostnames. Each request should use the discovered hostname as the Host header, allowing Eyewitness to capture screenshots and response data for the application as it would appear when accessed via that hostname.
Use Case:
When Nessus scans are performed using IP addresses or generic hostnames, the captured endpoints may not reflect the actual application behavior due to virtual hosting (v-host) or other host-header–based routing mechanisms. Including alternate potential hostnames as host headers ensures that Eyewitness captures a more accurate representation of each web application’s front end.
Example
If Nessus reports a web server at 10.0.0.5 with an SSL certificate containing:
CN = app.example.com
SAN = [portal.example.com, api.example.com]
Eyewitness should:
- Capture screenshots for https://10.0.0.5
- Also send additional requests using:
  - Host: app.example.com
  - Host: portal.example.com
  - Host: api.example.com
Benefit:
This enhancement improves coverage and accuracy when documenting web assets behind shared IPs or v-hosted environments.
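The expansion the request describes, as an added Python example that is not EyeWitness's own code: parse a constructed .nessus export, pull the CN and DNS SAN entries out of the SSL certificate finding, and emit one extra target per hostname to be sent as the Host header. The plugin name and the "Common Name:" / "DNS:" output layout are assumptions modelled on Nessus's certificate plugin, and the sample XML is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed minimal .nessus export (NessusClientData_v2 layout). The plugin name
# and the "Common Name:" / "DNS:" lines mimic Nessus's SSL certificate plugin text.
SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="example">
<ReportHost name="10.0.0.5">
<HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
<ReportItem port="443" protocol="tcp" pluginID="0" pluginName="SSL Certificate Information">
<plugin_output>
Common Name: app.example.com
Subject Alternative Name:
DNS: portal.example.com
DNS: api.example.com
DNS: *.example.com
</plugin_output>
</ReportItem>
<ReportItem port="80" protocol="tcp" pluginID="0" pluginName="HTTP Server Type and Version">
<plugin_output>Server: nginx</plugin_output>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""

# Only literal DNS names make sense as a Host header: the character class excludes
# "*", so wildcard SANs are dropped instead of being sent verbatim.
NAME_RE = re.compile(r"^(?:Common Name|DNS):\s*([A-Za-z0-9.-]+)\s*$", re.MULTILINE)

def cert_hostnames(plugin_output):
    """CN and DNS SAN entries from certificate plugin text, lower-cased, deduplicated, in order."""
    found = (n.lower().rstrip(".") for n in NAME_RE.findall(plugin_output or ""))
    return list(dict.fromkeys(found))

def expand_targets(nessus_xml):
    """Return (url, host_header) pairs: the bare IP URL first, then one per certificate name."""
    targets = []
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        ip = host.get("name")
        for item in host.iter("ReportItem"):
            if "SSL Certificate" not in item.get("pluginName", ""):
                continue  # not a certificate finding, nothing to expand
            port = item.get("port")
            url = f"https://{ip}" if port == "443" else f"https://{ip}:{port}"
            targets.append((url, None))  # EyeWitness's normal request for the raw IP
            for name in cert_hostnames(item.findtext("plugin_output")):
                targets.append((url, name))  # same URL, sent with Host: <name>
    return targets
```

Each returned pair maps onto one EyeWitness request: the URL is what gets connected to, and the second element (when set) is the value to place in the Host header so the v-host for that name is what gets screenshotted.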
else?
Did you suspect Kent wrote this using copilot to more quickly explain his suggestion and to perhaps give a collaborator a prompt for code changes? Welcome overlord.