> I'm very interested in the idea of finding vhosts given an IP address. So
> far, the only way to do this is by querying open source facilities such as
> search engines and online statistic databases.
Hi. You should use RevHosts to enumerate the vhosts. It's a plugin-based tool
written in Python which aggregates all the results from your sources, and some
more [in French]:

http://www.revhosts.net/index.php/Accueil
http://www.revhosts.net/releases/revhosts-0.2.16.tar.gz

Example:

revhosts % ./revhosts.py -v -i 207.99.30.226
Plugin [webhosting] in action . . .
Plugin [whois.sc] in action . . .
Hash and Sort in action . . .
2600.com
2600.net
2600.org
2600mag.com
2600magazine.com
2600news.com
hackerquarterly.com
thehackerquarterly.com
-----------------------------------------------
Found 8 VirtualHost(s) on 207.99.30.226 address
-----------------------------------------------

2005/10/21, unknown unknown <[EMAIL PROTECTED]>:
>
> Guys,
>
> I'm very interested in the idea of finding vhosts given an IP address. So
> far, the only way to do this is by querying open source facilities such as
> search engines and online statistic databases.
>
> Sometimes, reverse lookups might give you hostnames, but you can't always
> count on this as domain names don't always support PTR records.
>
> I'm curious about how feasible it is to use vhosts as backdoors when
> performing security tests. The idea is that you enumerate all vhosts for a
> given IP address and attack the server via the vhost which offers the most
> insecure web application.
>
> I haven't experimented much with this concept, so I would like to receive
> some feedback on this.
>
> So far, I use different tools to enumerate vhosts given an IP address:
>
> 1. Google
>
> Search a given IP address, e.g. "1.2.3.4" (including the quotation marks).
> This method works sometimes, but it is a bit manual because you need to
> check the hostnames from the result snippets and make sure that they resolve
> to your target IP address.
>
> 2. Reverse IP (http://www.whois.sc/reverse-ip/)
>
> This online tool is quite good. The downside is that you need to register
> for an account. If you register a free account, *only* a maximum of 3 vhosts
> will be returned from your queries. Unfortunately, you need to pay in order
> to get all the results from the database.
>
> 3. Searchmee (http://www.searchmee.com/web-info/ip-hunt.php)
>
> Another online tool similar to Reverse IP. The good thing is that it is
> *free*. A very cool feature is that it takes IP ranges in slash notation.
> This is really powerful because it provides a stealth mechanism to "scan"
> for webservers across a given company gateway.
>
> For instance, you can make the following organizational query on your
> shell:
>
> $ whois -h whois.arin.net Microsoft
>
> Then from there you could choose an IP range. So say that you pick
> "207.46.0.0 - 207.46.255.255". After that you can stick in this range in
> slash notation in Searchmee as 207.46.0.0/16
>
> This search will give you a quite good number of Microsoft web servers that
> belong to that range without ever sending a single packet to the target.
>
> The request is:
>
> http://www.searchmee.com/web-info/ip-hunt.php?hosttofind=&ip=207.46.0.0&cidr=16&action=Search
>
> A partial screenshot is available at:
>
> http://www.ikwt.com/imgs/webserver-enumeration.jpg
>
> Other stealth enumeration tools that you might be interested in include:
>
> Dmitry - http://mor-pah.net/code/download.php?file=DMitry-1.2a.tar.gz
>
> MET (Massive Enumeration Toolset) - http://www.gnucitizen.org/met/download/
>
> If any of you know of any other tools or techniques that might help
> enumerate vhosts given an IP address, please let me know.
>
> Regards,
> pagvac (Adrian Pastor)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
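The verification and de-duplication step that both messages above describe, as an added example that is not RevHosts code and not part of the original thread: given candidate names collected from whatever sources (search snippets, reverse-IP databases), keep only those whose A records include the target address, normalise and sort the survivors (the analogue of the "Hash and Sort" stage in the RevHosts output above), and attempt the PTR lookup the original post warns is unreliable. The hostnames, the FAKE_DNS table and the 192.0.2.x / 198.51.100.x addresses are constructed sample data, so the script runs offline; pass live_resolve to use real DNS. Run against an organisation's own address space, the same check tells an administrator which of their names currently share a server, which is the inventory a defender needs before deciding which vhost is the weakest one on that box.

```python
"""
Confirm candidate virtual-host names against a target IP address.

Added example, not RevHosts code: the forward resolver is injectable so the
script runs offline against constructed data. Use resolve=live_resolve for
real DNS.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set


# Constructed sample data: names as they might come back from several
# sources. Deliberately noisy: mixed case, a trailing dot, a duplicate,
# one name that resolves elsewhere and one that does not resolve at all.
CANDIDATES = [
    "www.example.com",
    "EXAMPLE.COM.",
    "example.com",
    "blog.example.org",
    "other.example.net",
    "nosuchhost.invalid",
]

# Constructed forward-DNS table (RFC 5737 documentation addresses) used by
# the offline resolver. In real use the answers come from the DNS.
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["192.0.2.10"],
    "example.com": ["192.0.2.10"],
    "blog.example.org": ["192.0.2.10", "192.0.2.11"],
    "other.example.net": ["198.51.100.5"],
}


def normalize(name: str) -> str:
    """Canonical form for de-duplication: lowercase, no trailing dot, trimmed."""
    return name.strip().rstrip(".").lower()


def fake_resolve(name: str) -> List[str]:
    """Offline stand-in for live_resolve; unknown names behave like NXDOMAIN."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {name}")


def live_resolve(name: str) -> List[str]:
    """Real forward lookup: every IPv4 address the name currently resolves to."""
    return socket.gethostbyname_ex(name)[2]


def confirm_vhosts(candidates: Iterable[str], target_ip: str,
                   resolve: Callable[[str], List[str]] = fake_resolve) -> List[str]:
    """
    Return the sorted, de-duplicated candidate names that resolve to
    target_ip. Names that fail to resolve or resolve elsewhere are dropped;
    a name with several A records is kept if any of them matches.
    """
    seen: Set[str] = set()
    confirmed: List[str] = []
    for raw in candidates:
        name = normalize(raw)
        if not name or name in seen:
            continue          # hash step: each name is resolved only once
        seen.add(name)
        try:
            addresses = resolve(name)
        except (socket.gaierror, socket.herror, UnicodeError):
            continue          # NXDOMAIN or malformed name: no evidence of a vhost
        if target_ip in addresses:
            confirmed.append(name)
    return sorted(confirmed)  # sort step


def reverse_lookup(ip: str, resolve_ptr=socket.gethostbyaddr) -> str:
    """PTR lookup; empty string when no PTR record exists (a common case)."""
    try:
        return resolve_ptr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""


if __name__ == "__main__":
    target = "192.0.2.10"
    hosts = confirm_vhosts(CANDIDATES, target)
    for host in hosts:
        print(host)
    print("-" * 47)
    print(f"Found {len(hosts)} VirtualHost(s) on {target} address")
```

With the constructed data the script confirms three names on 192.0.2.10 and discards the duplicate, the name that points at 198.51.100.5 and the one that does not resolve. The resolver is passed in rather than called directly so the filtering logic can be unit-tested without network access, and so a caching or rate-limited resolver can be substituted when checking a long candidate list.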
