Re: Finding vhosts

From: Steve Micallef (steve@binarypool.com)
Date: Tue Oct 25 2005 - 05:12:04 EDT


Check out Netcraft - http://www.netcraft.com.

----- Original Message -----
From: <m123303@richmond.ac.uk>
To: <pen-test@securityfocus.com>
Sent: Tuesday, October 25, 2005 2:30 AM
Subject: Finding vhosts

> Dear pentesters,
>
> I'm very interested in the idea of finding vhosts given an IP address. So
> far, the only way to do this is by querying open source facilities such as
> search engines and online statistic databases.
>
> Sometimes, reverse lookups might give you hostnames, but you can't always
> count on this as domain names don't always support PTR records.
>
> I'm curious about how feasible it is to use vhosts as backdoors when
> performing security tests. The idea is that you enumerate all vhosts for a
> given IP address and attack the server via the vhost which offers the most
> insecure web application.
>
> I haven't experimented much with this concept, so I would like to receive
> some feedback on this.
>
>
> So far, I use different tools to enumerate vhosts given an IP address:
>
> 1. Google
>
> Search a given IP address. e.g.: "1.2.3.4" (including the quotation
> marks). This method works sometimes, but it is a bit manual because you
> need to check the hostnames from the result snippets and make sure that
> they resolve to your target IP address.
>
> 2. Reverse IP (http://www.whois.sc/reverse-ip/)
>
> This online tool is quite good. The downside is that you need to register
> for an account. If you register a free account, *only* a maximum of 3
> vhosts will be returned from your queries. Unfortunately, you need to pay
> in order to get the full version results from the database.
>
> 3. Searchmee (http://www.searchmee.com/web-info/ip-hunt.php)
>
> Another online tool similar to Reverse IP. The good thing is that it is
> *free*. A very cool feature is that it takes IP ranges in slash notation.
> This is really powerful because it provides a stealth mechanism to "scan"
> for webservers across a given company gateway.
>
> For instance, you can make the following organizational query on your
> shell:
>
> $ whois -h whois.arin.net Microsoft
>
> Then from there you could choose an IP range. So say that you pick
> "207.46.0.0 - 207.46.255.255". After that you can stick in this range in
> slash notation in Searchmee as 207.46.0.0/16
>
> This search will give you a quite good number of Microsoft web servers
> that belong to that range without ever sending a single packet to the
> target.
>
> The request is:
>
> http://www.searchmee.com/web-info/ip-hunt.php?hosttofind=&ip=207.46.0.0&cidr=16&action=Search
>
> A partial screenshot is available at:
> http://www.ikwt.com/imgs/webserver-enumeration.jpg
>
>
> Other stealth enumeration tools that you might be interested in include:
>
> Dmitry - http://mor-pah.net/code/download.php?file=DMitry-1.2a.tar.gz
> MET (Massive Enumeration Toolset) -
> http://www.gnucitizen.org/met/download/
>
> If any of you knows of any other tools or techniques that might help
> enumerating vhosts given an IP address please let me know.
>
>
> Regards,
> pagvac (Adrian Pastor)
>


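Added example, not part of either post: the original message describes two manual steps, turning a whois range such as "207.46.0.0 - 207.46.255.255" into slash notation and checking that hostnames taken from search results really resolve to the address under review. The sketch below does both for an inventory of your own address space; the function names, the example.test hostnames and the SAMPLE_DNS table are assumptions constructed for illustration so that it runs offline.

```python
import ipaddress
import socket


def range_to_cidrs(first, last):
    """Collapse a whois-style 'first - last' range into CIDR blocks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def system_resolver(hostname):
    """Return the set of IPv4 addresses a hostname currently resolves to."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return set()  # name no longer exists or cannot be resolved
    return {info[4][0] for info in infos}


def confirm_vhosts(candidates, target, resolve=system_resolver):
    """Keep only candidate hostnames with an address inside `target`.

    `target` is a single IP or a CIDR block. Names are normalised
    (case, trailing dot) and de-duplicated before resolution.
    """
    net = ipaddress.ip_network(target, strict=False)
    names = {c.strip().lower().rstrip(".") for c in candidates if c.strip()}
    confirmed = {}
    for name in sorted(names):
        hits = sorted(a for a in resolve(name)
                      if ipaddress.ip_address(a) in net)
        if hits:
            confirmed[name] = hits
    return confirmed


# Constructed sample data standing in for live DNS (documentation ranges).
SAMPLE_DNS = {
    "www.example.test": {"192.0.2.10"},
    "shop.example.test": {"192.0.2.10", "198.51.100.7"},
    "old.example.test": {"203.0.113.5"},  # stale search hit, moved elsewhere
}


def sample_resolver(hostname):
    return SAMPLE_DNS.get(hostname, set())


if __name__ == "__main__":
    print(range_to_cidrs("207.46.0.0", "207.46.255.255"))
    found = ["WWW.example.test", "shop.example.test.",
             "old.example.test", "gone.example.test"]
    print(confirm_vhosts(found, "192.0.2.10", sample_resolver))
```

Leaving out the resolve argument makes confirm_vhosts use the system resolver, which does send DNS queries.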


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:05 EDT