Re: Finding vhosts

From: Fabrice MOURRON (fab_at_revhosts.net)
Date: 10/25/05

  • Next message: Goran Sevic: "Default shares & SMS Server"
    To: m123303@richmond.ac.uk
    Date: Tue, 25 Oct 2005 08:32:20 +0200
    
    
    

    On Monday 24 October 2005 at 16:30 +0000, m123303@richmond.ac.uk wrote:
    > Dear pentesters,
    Hi pagvac,

    >
    > So far, I use different tools to enumerate vhosts given an IP address:
    >
    > 1. Google
    >
    > Search a given IP address. e.g.: "1.2.3.4" (including the quotation marks). This method works sometimes, but it is a bit manual because you need to check the hostnames from the result snippets and make sure that they resolve to your target IP address.
    >
    > 2. Reverse IP (http://www.whois.sc/reverse-ip/)
    >
    > This online tool is quite good. The downside is that you need to register for an account. If you register a free account, *only* a maximum of 3 vhosts will be returned from your queries. Unfortunately, you need to pay in order to get the full version results from the database.
    >
    Yes, coupled with another database (http://webhosting.info/), that is
    perhaps sufficient.

    > 3. Searchmee (http://www.searchmee.com/web-info/ip-hunt.php)
    >
    > Another online tool similar to Reverse IP. The good thing is that it is *free*. A very cool feature is that it takes IP ranges in slash notation. This is really powerful because it provides a stealth mechanism to "scan" for webservers across a given company gateway.
    >
    > For instance, you can make the following organizational query on your shell:
    >
    > $ whois -h whois.arin.net Microsoft
    >
    > Then from there you could choose an IP range. So say that you pick “207.46.0.0 - 207.46.255.255”. After that you can stick in this range in slash notation in Searchmee as 207.46.0.0/16
    >
    > This search will give you a quite good number of Microsoft web servers that belong to that range without ever sending a single packet to the target.
    >
    > The request is:
    >
    > http://www.searchmee.com/web-info/ip-hunt.php?hosttofind=&ip=207.46.0.0&cidr=16&action=Search
    >
    > A partial screenshot is available at:
    > http://www.ikwt.com/imgs/webserver-enumeration.jpg
    >
    >
    > Other stealth enumeration tools that you might be interested in include:
    >
    > Dmitry - http://mor-pah.net/code/download.php?file=DMitry-1.2a.tar.gz
    > MET (Massive Enumeration Toolset) - http://www.gnucitizen.org/met/download/
    >
    > If any of you knows of any other tools or techniques that might help enumerating vhosts given an IP address please let me know.

    Yes, http://www.revhosts.net/releases/revhosts-0.2.16.tar.gz

    Written in Python, revhosts is based on plugins which will try
    to make the result more effective.

    Example:
    revhosts % ./revhosts.py -v -i 207.99.30.226
    Plugin [webhosting] in action . . .
    Plugin [whois.sc] in action . . .
    Hash and Sort in action . . .

    2600.com
    2600.net
    2600.org
    2600mag.com
    2600magazine.com
    2600news.com
    hackerquarterly.com
    thehackerquarterly.com

    -----------------------------------------------
    Found 8 VirtualHost(s) on 207.99.30.226 address
    -----------------------------------------------

    Regards,

    Fab

    -- 
    Fabrice MOURRON
    fab at revhosts.net
    PGP KeyID: 971BED04
    Fingerprint: 400C 0D25 FD13 7803 C955  335D 1B35 AAAE 971B ED04
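
The merge-and-verify step that this message and the quoted post describe (combine candidate names from several reverse-IP sources, de-duplicate them, and keep only those that still resolve to the address in question), as an added example that is not part of the original message and is not revhosts code. The source labels mirror the plugin names in the output above; the hostnames, addresses and the `resolve` hook are constructed for illustration.

```python
import socket

def normalize(name):
    """Lower-case a hostname and drop whitespace and the trailing root dot."""
    return name.strip().lower().rstrip(".")

def system_resolver(name):
    """Return the set of IPv4 addresses the local resolver gives for name."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # covers socket.gaierror / socket.herror
        return set()

def merge_and_verify(sources, target_ip, resolve=system_resolver):
    """Merge per-source candidate lists, de-duplicate them, and split the
    result into names that resolve to target_ip today and stale entries."""
    seen = {}  # hostname -> set of sources that reported it
    for source, names in sources.items():
        for raw in names:
            name = normalize(raw)
            if name:
                seen.setdefault(name, set()).add(source)
    confirmed, stale = [], []
    for name in sorted(seen):
        (confirmed if target_ip in resolve(name) else stale).append(name)
    return confirmed, stale, seen

# Constructed sample data (documentation domains and address ranges only).
SAMPLE_SOURCES = {
    "webhosting": ["Example.com", "shop.example.com.", "old.example.net"],
    "whois.sc": ["example.com", "blog.example.org ", ""],
}
SAMPLE_DNS = {  # stands in for live DNS so the example runs offline
    "example.com": {"192.0.2.10"},
    "shop.example.com": {"192.0.2.10", "192.0.2.11"},
    "blog.example.org": {"192.0.2.10"},
    "old.example.net": {"198.51.100.7"},  # database entry that has moved
}

def demo():
    return merge_and_verify(SAMPLE_SOURCES, "192.0.2.10",
                            resolve=lambda n: SAMPLE_DNS.get(n, set()))

if __name__ == "__main__":
    confirmed, stale, _ = demo()
    print("confirmed:", confirmed)
    print("stale:", stale)
```

Passive reverse-IP databases lag behind DNS, so the stale list is the part worth reading when auditing which names are still attributed to an address you operate.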
    
    


