Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: vhost enumeration
From: Gilles DEMARTY <gilles.demarty () gmail com>
Date: Wed, 26 Oct 2005 22:56:04 +0200

I'm very interested in the idea of finding vhosts given an IP address. So far, the only
way to do this is by querying open source facilities such as search engines and
online statistic databases.

Hi.
You should use RevHosts to enumerate the vhosts. It's a plugin based
tool written in python, which aggregate all the results from your
sources, and some more :

[in french] http://www.revhosts.net/index.php/Accueil
http://www.revhosts.net/releases/revhosts-0.2.16.tar.gz

Example :
revhosts % ./revhosts.py -v -i 207.99.30.226
Plugin [webhosting] in action . . .
Plugin [whois.sc] in action . . .
Hash and Sort in action . . .

2600.com
2600.net
2600.org
2600mag.com
2600magazine.com
2600news.com
hackerquarterly.com
thehackerquarterly.com

-----------------------------------------------
Found 8 VirtualHost(s) on 207.99.30.226 address
-----------------------------------------------


2005/10/21, unknown unknown <unknown.pentester () gmail com>:


Guys,

 I'm very interested in the idea of finding vhosts given an IP address. So
far, the only way to do this is by querying open source facilities such as
search engines and online statistic databases.



Sometimes, reverse lookups might give you hostnames, but you can't always
count on this as domain names don't always support PTR records.


I'm curious about how feasible it is to use vhosts as backdoors when
performing security tests. The idea is that you enumerate all vhosts for a
given IP address and attack the server via the vhost which offers the most
insecure web application.

I haven't experimented much with this concept, so I would like to receive
some feedback on this.


 So far, I use different tools to enumerate vhosts given an IP address:

 1.Google

 Search a given IP address. e.g.: "1.2.3.4" (including the quotation marks).
This method works sometimes, but it is a bit manual because you need to
check the hostnames from the result snippets and make sure that they resolve
to your target IP address

 2. Reverse IP (http://www.whois.sc/reverse-ip/)

 This online tool is quite good. The downside is that you need to register
for an account. If you register a free account, *only* a maximum of 3 vhosts
will be returned from your queries. Unfortunately, you need to pay in order
to get all the results from the database.

 3. Searchmee
(http://www.searchmee.com/web-info/ip-hunt.php)

 Another online tool similar to Reverse IP. The good thing is that it is
*free*. A very cool feature is that it takes IP ranges in slash notation.
This is really powerful because it provides a stealth mechanism to "scan"
for webservers across a given company gateway.

 For instance, you can make the following organizational query on your
shell:



$ whois -h whois.arin.net Microsoft

Then from there you could choose an IP range. So say that you pick
"207.46.0.0 - 207.46.255.255". After that you can stick in this range in
slash notation in Searchmee as 207.46.0.0/16

This search will give you a quite good number of Microsoft web servers that
belong to that range without ever sending a single packet to the target.




The request is:

http://www.searchmee.com/web-info/

ip-hunt.php?hosttofind=&ip=207.46.0.0&cidr=16&action=Search



A partial screenshot is available at:

http://www.ikwt.com/imgs/webserver-enumeration.jpg


 Other stealth enumeration tools that you might be interested in include:




 Dmitry -
http://mor-pah.net/code/download.php?file=DMitry-1.2a.tar.gz

MET (Massive Enumeration Toolset) -
http://www.gnucitizen.org/met/download/




 If any of you knows of any other tools or techniques that might help
enumerating vhosts given an IP address please let me know.



 Regards,
 pagvac (Adrian Pastor)

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]