Penetration Testing mailing list archives
Re: Finding vhosts
From: Fabrice MOURRON <fab () revhosts net>
Date: Tue, 25 Oct 2005 08:32:20 +0200
On Monday 24 October 2005 at 16:30 +0000, m123303 () richmond ac uk wrote:
> Dear pentesters,

Hi pagvac,

> So far, I use different tools to enumerate vhosts given an IP address:
>
> 1. Google
> Search a given IP address. e.g.: "1.2.3.4" (including the quotation marks).
> This method works sometimes, but it is a bit manual because you need to
> check the hostnames from the result snippets and make sure that they
> resolve to your target IP address.
>
> 2. Reverse IP (http://www.whois.sc/reverse-ip/)
> This online tool is quite good. The downside is that you need to register
> for an account. If you register a free account, *only* a maximum of 3
> vhosts will be returned from your queries. Unfortunately, you need to pay
> in order to get the full version results from the database.

Yes, coupled with another database (http://webhosting.info/), that is perhaps sufficient.

> 3. Searchmee (http://www.searchmee.com/web-info/ip-hunt.php)
> Another online tool similar to Reverse IP. The good thing is that it is
> *free*. A very cool feature is that it takes IP ranges in slash notation.
> This is really powerful because it provides a stealth mechanism to "scan"
> for webservers across a given company gateway. For instance, you can make
> the following organizational query on your shell:
>
> $ whois -h whois.arin.net Microsoft
>
> Then from there you could choose an IP range. So say that you pick
> “207.46.0.0 - 207.46.255.255”. After that you can stick in this range in
> slash notation in Searchmee as 207.46.0.0/16
>
> This search will give you a quite good number of Microsoft web servers
> that belong to that range without ever sending a single packet to the
> target. The request is:
>
> http://www.searchmee.com/web-info/ip-hunt.php?hosttofind=&ip=207.46.0.0&cidr=16&action=Search
>
> A partial screenshot is available at:
> http://www.ikwt.com/imgs/webserver-enumeration.jpg
>
> Other stealth enumeration tools that you might be interested in include:
>
> Dmitry - http://mor-pah.net/code/download.php?file=DMitry-1.2a.tar.gz
> MET (Massive Enumeration Toolset) - http://www.gnucitizen.org/met/download/
>
> If any of you knows of any other tools or techniques that might help
> enumerating vhosts given an IP address please let me know.

Yes, http://www.revhosts.net/releases/revhosts-0.2.16.tar.gz

Written in the Python language, revhosts is based on plugins which will try to make the result more effective.

Example:

    revhosts % ./revhosts.py -v -i 207.99.30.226
    Plugin [webhosting] in action . . .
    Plugin [whois.sc] in action . . .
    Hash and Sort in action . . .
    2600.com
    2600.net
    2600.org
    2600mag.com
    2600magazine.com
    2600news.com
    hackerquarterly.com
    thehackerquarterly.com
    -----------------------------------------------
    Found 8 VirtualHost(s) on 207.99.30.226 address
    -----------------------------------------------

Regards,
Fab

--
Fabrice MOURRON
fab at revhosts.net
PGP KeyID: 971BED04
Fingerprint: 400C 0D25 FD13 7803 C955 335D 1B35 AAAE 971B ED04
Attachment:
signature.asc
Description: This is a digitally signed message part
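
The thread mentions two steps that are easy to script when keeping an inventory of what is published on your own addresses: turning a whois "first - last" range into slash notation, and checking that hostnames returned by reverse-IP databases still resolve to the target address. The following is an added example, not code from revhosts or from any poster in this thread; the function names, the injectable resolver and the sample data are assumptions made for illustration.

```python
import ipaddress
import socket

def range_to_cidrs(first, last):
    """Convert a whois-style 'first - last' range to slash notation."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]

def system_resolver(name):
    """Live lookup: all IPv4 addresses a name currently resolves to."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # covers socket.gaierror / socket.herror
        return set()

def confirm_vhosts(candidates, target, resolve=system_resolver):
    """Merge, normalise and de-duplicate candidate names, then split them
    into names whose current A records fall inside `target` (an IP or a
    CIDR block) and names that are stale (moved away or not resolving)."""
    net = ipaddress.ip_network(target, strict=False)
    names = {c.strip().rstrip(".").lower() for c in candidates if c.strip()}
    confirmed, stale = [], []
    for name in sorted(names):
        addrs = resolve(name)
        hit = any(ipaddress.ip_address(a) in net for a in addrs)
        (confirmed if hit else stale).append(name)
    return confirmed, stale

# Constructed sample data: documentation addresses and example.* names only.
SAMPLE_DNS = {
    "www.example.com": {"192.0.2.10"},
    "shop.example.com": {"192.0.2.10", "198.51.100.7"},
    "old.example.net": {"203.0.113.5"},  # database entry is out of date
}
SAMPLE_CANDIDATES = ["WWW.example.com", "www.example.com.",
                     "shop.example.com", "old.example.net",
                     "gone.example.org", " "]

def demo():
    # Offline run: the resolver is replaced by the constructed table above.
    return confirm_vhosts(SAMPLE_CANDIDATES, "192.0.2.10",
                          resolve=lambda n: SAMPLE_DNS.get(n, set()))

if __name__ == "__main__":
    print(range_to_cidrs("207.46.0.0", "207.46.255.255"))
    print(demo())
```

Calling confirm_vhosts without the resolve argument performs live DNS lookups through the system resolver.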