Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Finding vhosts

from [Fabrice MOURRON] Network Security [Permanent Link]
Subject: Re: Finding vhosts
Date: Tue, 25 Oct 2005 08:32:20 +0200 
Le lundi 24 octobre 2005 Ã 16:30 +0000, m123303@richmond.ac.uk a Ãcrit :

Dear pentesters,

Hi pagvac,



So far, I use different tools to enumerate vhosts given an IP address:

1.Google

Search a given IP address. e.g.: "1.2.3.4" (including the quotation marks). 
This method works sometimes, but it is a bit manual because you need to check 
the hostnames from the result snippets and make sure that they resolve to 
your target IP address.

2. Reverse IP (http://www.whois.sc/reverse-ip/)

This online tool is quite good. The downside is that you need to register for 
an account. If you register a free account, *only* a maximum of 3 vhosts will 
be returned from your queries. Unfortunately, you need to pay in order to get 
the full version results from the database.


Yes, coupling with another database (http://webhosting.info/), that
perhaps sufficient.



3. Searchmee (http://www.searchmee.com/web-info/ip-hunt.php)

Another online tool similar to Reverse IP. The good thing is that it is 
*free*. A very cool feature is that it takes IP ranges in slash notation. 
This is really powerful because it provides a stealth mechanism to "scan" for 
webservers across a given company gateway.

For instance, you can make the following organizational query on your shell:

$ whois -h whois.arin.net Microsoft

Then from there you could choose an IP range. So say that you pick 
â207.46.0.0 - 207.46.255.255â. After that you can stick in this range in 
slash notation in Searchmee as 207.46.0.0/16

This search will give you a quite good number of Microsoft web servers that 
belong to that range without ever sending a single packet to the target.

The request is:

http://www.searchmee.com/web-info/ip-hunt.php?hosttofind=&ip=207.46.0.0&cidr=16&action=Search

A partial screenshot is available at:
http://www.ikwt.com/imgs/webserver-enumeration.jpg


Other stealth enumeration tools that you might be interested in include:

Dmitry - http://mor-pah.net/code/download.php?file=DMitry-1.2a.tar.gz
MET (Massive Enumeration Toolset) - http://www.gnucitizen.org/met/download/

If any of you knows of any other tools or techniques that might help 
enumerating vhosts given an IP address please let me know.



Yes, http://www.revhosts.net/releases/revhosts-0.2.16.tar.gz

Writting in python language, revhosts is based on plugins which will try
to make the result more effective

Exemple :
revhosts % ./revhosts.py -v -i 207.99.30.226
Plugin [webhosting] in action . . .
Plugin [whois.sc] in action . . .
Hash and Sort in action . . .

2600.com
2600.net
2600.org
2600mag.com
2600magazine.com
2600news.com
hackerquarterly.com
thehackerquarterly.com

-----------------------------------------------
Found 8 VirtualHost(s) on 207.99.30.226 address
-----------------------------------------------

Regards,

Fab

-- 
Fabrice MOURRON
fab at revhosts.net

PGP KeyID: 971BED04
Fingerprint: 400C 0D25 FD13 7803 C955  335D 1B35 AAAE 971B ED04

Attachment: signature.asc
Description: This is a digitally signed message part

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Finding vhosts, Martin Mačok
Next by Date:  Default shares & SMS Server, Goran Sevic
Previous by Thread:  Re: Finding vhosts, Martin Mačok
Next by Thread:  mac to ip address tools, kukulkan
Indexes:  [Date] [Thread] [Top] [All Lists]