Penetration Testing mailing list archives

Re: Finding vhosts


From: Fabrice MOURRON <fab () revhosts net>
Date: Tue, 25 Oct 2005 08:32:20 +0200

On Monday 24 October 2005 at 16:30 +0000, m123303 () richmond ac uk wrote:
Dear pentesters,
Hi pagvac,


So far, I use different tools to enumerate vhosts given an IP address:

1. Google

Search a given IP address. e.g.: "1.2.3.4" (including the quotation marks). This method works sometimes, but it is a 
bit manual because you need to check the hostnames from the result snippets and make sure that they resolve to your 
target IP address.

2. Reverse IP (http://www.whois.sc/reverse-ip/)

This online tool is quite good. The downside is that you need to register for an account. If you register a free 
account, *only* a maximum of 3 vhosts will be returned from your queries. Unfortunately, you need to pay in order to 
get the full version results from the database.

Yes, coupling it with another database (http://webhosting.info/) is
perhaps sufficient.


3. Searchmee (http://www.searchmee.com/web-info/ip-hunt.php)

Another online tool similar to Reverse IP. The good thing is that it is *free*. A very cool feature is that it takes 
IP ranges in slash notation. This is really powerful because it provides a stealth mechanism to "scan" for webservers 
across a given company gateway.

For instance, you can make the following organizational query on your shell:

$ whois -h whois.arin.net Microsoft

Then from there you could choose an IP range. So say that you pick “207.46.0.0 - 207.46.255.255”. After that you can 
stick in this range in slash notation in Searchmee as 207.46.0.0/16

This search will give you a quite good number of Microsoft web servers that belong to that range without ever sending 
a single packet to the target.

The request is:

http://www.searchmee.com/web-info/ip-hunt.php?hosttofind=&ip=207.46.0.0&cidr=16&action=Search

A partial screenshot is available at:
http://www.ikwt.com/imgs/webserver-enumeration.jpg


Other stealth enumeration tools that you might be interested in include:

Dmitry - http://mor-pah.net/code/download.php?file=DMitry-1.2a.tar.gz
MET (Massive Enumeration Toolset) - http://www.gnucitizen.org/met/download/

If any of you know of any other tools or techniques that might help enumerate vhosts given an IP address please 
let me know.


Yes, http://www.revhosts.net/releases/revhosts-0.2.16.tar.gz

Written in Python, revhosts is based on plugins which will try
to make the result more effective

Example:
revhosts % ./revhosts.py -v -i 207.99.30.226
Plugin [webhosting] in action . . .
Plugin [whois.sc] in action . . .
Hash and Sort in action . . .

2600.com
2600.net
2600.org
2600mag.com
2600magazine.com
2600news.com
hackerquarterly.com
thehackerquarterly.com

-----------------------------------------------
Found 8 VirtualHost(s) on 207.99.30.226 address
-----------------------------------------------

Regards,

Fab

-- 
Fabrice MOURRON
fab at revhosts.net

PGP KeyID: 971BED04
Fingerprint: 400C 0D25 FD13 7803 C955  335D 1B35 AAAE 971B ED04

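As an added illustration, not part of this thread and not revhosts' own code: a minimal plugin-and-merge loop in the style the reply describes (several reverse-IP sources, then a "hash and sort" de-duplication), finished with the resolution check the original post recommends for Google snippets, so that stale records are separated from hostnames that really still point at the target. The plugin names, sample hostnames, addresses and DNS answers are constructed (RFC 2606 names, RFC 5737 addresses) so the script runs offline; the target may be a single address or a CIDR range, which goes slightly beyond the single-address invocation shown above.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# A plugin answers a query (an address or CIDR string) with candidate hostnames.
Plugin = Callable[[str], Iterable[str]]
# A resolver maps a hostname to the addresses it currently points at.
Resolver = Callable[[str], List[str]]

# Constructed sample answers standing in for two reverse-IP data sources
# (illustrative only, not real lookup results).
CONSTRUCTED_SOURCE_A = {
    "192.0.2.10": ["www.example.com", "Example.ORG.", "shop.example.net"],
}
CONSTRUCTED_SOURCE_B = {
    "192.0.2.10": ["example.org", "www.example.com", "moved.example.net", "  "],
}

# Constructed DNS answers so the demo runs offline; moved.example.net now
# points outside the target, i.e. a stale record in the source data.
CONSTRUCTED_DNS = {
    "www.example.com": ["192.0.2.10"],
    "example.org": ["192.0.2.10", "2001:db8::10"],
    "shop.example.net": ["192.0.2.10"],
    "moved.example.net": ["198.51.100.7"],
}


def plugin_source_a(query: str) -> Iterable[str]:
    """Hypothetical plugin backed by constructed source A."""
    return CONSTRUCTED_SOURCE_A.get(query, [])


def plugin_source_b(query: str) -> Iterable[str]:
    """Hypothetical plugin backed by constructed source B."""
    return CONSTRUCTED_SOURCE_B.get(query, [])


def constructed_resolver(hostname: str) -> List[str]:
    """Offline resolver over the constructed DNS table."""
    return CONSTRUCTED_DNS.get(hostname, [])


def live_resolver(hostname: str) -> List[str]:
    """Real resolver via the system stub resolver; unused by the offline demo."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def normalize(hostname: str) -> str:
    """Lower-case, trim whitespace and drop a trailing dot so duplicates collapse."""
    return hostname.strip().rstrip(".").lower()


def hash_and_sort(answers: Iterable[Iterable[str]]) -> List[str]:
    """Merge every plugin's answers into one de-duplicated, sorted list."""
    merged = set()
    for names in answers:
        for name in names:
            host = normalize(name)
            if host:
                merged.add(host)
    return sorted(merged)


def enumerate_vhosts(target: str, plugins: Iterable[Plugin],
                     resolver: Resolver) -> Dict[str, List[str]]:
    """Query each plugin, merge, then keep only names that still resolve
    into the target (a single address or a CIDR range)."""
    network = ipaddress.ip_network(target, strict=False)
    candidates = hash_and_sort(plugin(target) for plugin in plugins)
    confirmed, stale = [], []
    for host in candidates:
        addrs = (ipaddress.ip_address(a) for a in resolver(host))
        # Mixed address families compare as "not in", so v6 answers are
        # skipped when the target is v4 and vice versa.
        if any(a in network for a in addrs):
            confirmed.append(host)
        else:
            stale.append(host)
    return {"confirmed": confirmed, "stale": stale}


if __name__ == "__main__":
    result = enumerate_vhosts("192.0.2.10", [plugin_source_a, plugin_source_b],
                              constructed_resolver)
    for host in result["confirmed"]:
        print(host)
    print(f"Found {len(result['confirmed'])} VirtualHost(s) on 192.0.2.10 "
          f"(skipped {len(result['stale'])} that no longer resolve there)")
```

Swap `constructed_resolver` for `live_resolver` to check real answers against your own address space; the `stale` bucket is exactly the noise the original post warns about when hostnames are lifted from search snippets, and it is also what an asset inventory wants to flag as dangling or outdated records.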

