Re: vhost enumeration

[Gilles DEMARTY <gilles.demarty () gmail com>]

> I'm very interested in the idea of finding vhosts given an IP address. So far, the only
> way to do this is by querying open source facilities such as search engines and
> online statistic databases.

Hi.
You should use RevHosts to enumerate the vhosts. It's a plugin based
tool written in python, which aggregate all the results from your
sources, and some more :

[in french] http://www.revhosts.net/index.php/Accueil
http://www.revhosts.net/releases/revhosts-0.2.16.tar.gz

Example :
revhosts % ./revhosts.py -v -i 207.99.30.226
Plugin [webhosting] in action . . .
Plugin [whois.sc] in action . . .
Hash and Sort in action . . .

2600.com
2600.net
2600.org
2600mag.com
2600magazine.com
2600news.com
hackerquarterly.com
thehackerquarterly.com

-----------------------------------------------
Found 8 VirtualHost(s) on 207.99.30.226 address
-----------------------------------------------


2005/10/21, unknown unknown <unknown.pentester () gmail com>:
> Guys,
>
>  I'm very interested in the idea of finding vhosts given an IP address. So
> far, the only way to do this is by querying open source facilities such as
> search engines and online statistic databases.
>
>
>
> Sometimes, reverse lookups might give you hostnames, but you can't always
> count on this as domain names don't always support PTR records.
>
>
> I'm curious about how feasible it is to use vhosts as backdoors when
> performing security tests. The idea is that you enumerate all vhosts for a
> given IP address and attack the server via the vhost which offers the most
> insecure web application.
>
> I haven't experimented much with this concept, so I would like to receive
> some feedback on this.
>
>
>  So far, I use different tools to enumerate vhosts given an IP address:
>
>  1.Google
>
>  Search a given IP address. e.g.: "1.2.3.4" (including the quotation marks).
> This method works sometimes, but it is a bit manual because you need to
> check the hostnames from the result snippets and make sure that they resolve
> to your target IP address
>
>  2. Reverse IP (http://www.whois.sc/reverse-ip/)
>
>  This online tool is quite good. The downside is that you need to register
> for an account. If you register a free account, *only* a maximum of 3 vhosts
> will be returned from your queries. Unfortunately, you need to pay in order
> to get all the results from the database.
>
>  3. Searchmee
> (http://www.searchmee.com/web-info/ip-hunt.php)
>
>  Another online tool similar to Reverse IP. The good thing is that it is
> *free*. A very cool feature is that it takes IP ranges in slash notation.
> This is really powerful because it provides a stealth mechanism to "scan"
> for webservers across a given company gateway.
>
>  For instance, you can make the following organizational query on your
> shell:
>
>
>
> $ whois -h whois.arin.net Microsoft
>
> Then from there you could choose an IP range. So say that you pick
> "207.46.0.0 - 207.46.255.255". After that you can stick in this range in
> slash notation in Searchmee as 207.46.0.0/16
>
> This search will give you a quite good number of Microsoft web servers that
> belong to that range without ever sending a single packet to the target.
>
>
>
>
> The request is:
>
> http://www.searchmee.com/web-info/
>
> ip-hunt.php?hosttofind=&ip=207.46.0.0&cidr=16&action=Search
>
>
>
> A partial screenshot is available at:
>
> http://www.ikwt.com/imgs/webserver-enumeration.jpg
>
>
>  Other stealth enumeration tools that you might be interested in include:
>
>
>
>
>  Dmitry -
> http://mor-pah.net/code/download.php?file=DMitry-1.2a.tar.gz
>
> MET (Massive Enumeration Toolset) -
> http://www.gnucitizen.org/met/download/
>
>
>
>
>  If any of you knows of any other tools or techniques that might help
> enumerating vhosts given an IP address please let me know.
>
>
>
>  Regards,
>  pagvac (Adrian Pastor)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/