Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Finding vhosts

From: m123303 () richmond ac uk
Date: 24 Oct 2005 16:30:28 -0000
Dear pentesters,

I'm very interested in the idea of finding vhosts given an IP address. So far, the only way to do this is by querying 
open source facilities such as search engines and online statistic databases.

Sometimes, reverse lookups might give you hostnames, but you can't always count on this as domain names don’t always 
support PTR records.

I’m curious about how feasible it is to use vhosts as backdoors when performing security tests. The idea is that you 
enumerate all vhosts for a given IP address and attack the server via the vhost which offers the most insecure web 
application.

I haven’t experimented much with this concept, so I would like to receive some feedback on this.


So far, I use different tools to enumerate vhosts given an IP address:

1.Google

Search a given IP address. e.g.: "1.2.3.4" (including the quotation marks). This method works sometimes, but it is a 
bit manual because you need to check the hostnames from the result snippets and make sure that they resolve to your 
target IP address.

2. Reverse IP (http://www.whois.sc/reverse-ip/)

This online tool is quite good. The downside is that you need to register for an account. If you register a free 
account, *only* a maximum of 3 vhosts will be returned from your queries. Unfortunately, you need to pay in order to 
get the full version results from the database.

3. Searchmee (http://www.searchmee.com/web-info/ip-hunt.php)

Another online tool similar to Reverse IP. The good thing is that it is *free*. A very cool feature is that it takes IP 
ranges in slash notation. This is really powerful because it provides a stealth mechanism to "scan" for webservers 
across a given company gateway.

For instance, you can make the following organizational query on your shell:

$ whois -h whois.arin.net Microsoft

Then from there you could choose an IP range. So say that you pick “207.46.0.0 - 207.46.255.255”. After that you can 
stick in this range in slash notation in Searchmee as 207.46.0.0/16

This search will give you a quite good number of Microsoft web servers that belong to that range without ever sending a 
single packet to the target.

The request is:

http://www.searchmee.com/web-info/ip-hunt.php?hosttofind=&ip=207.46.0.0&cidr=16&action=Search

A partial screenshot is available at:
http://www.ikwt.com/imgs/webserver-enumeration.jpg


Other stealth enumeration tools that you might be interested in include:

Dmitry - http://mor-pah.net/code/download.php?file=DMitry-1.2a.tar.gz
MET (Massive Enumeration Toolset) - http://www.gnucitizen.org/met/download/

If any of you knows of any other tools or techniques that might help enumerating vhosts given an IP address please let 
me know.


Regards,
pagvac (Adrian Pastor)

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: