Message-ID: <9DFDDA5AE17BEC418FD3092387A99AB6152EE2E9@BXCH2K.bjw2k.asg>
Date: Mon Oct 24 21:21:23 2005
From: tkrpata at bjs.com (Krpata, Tyler)
Subject: vhost enumeration

Getting ahold of some TLD zone files would probably be a good place to
start. I know you can get the com and net ones from Verisign
(http://www.verisign.com/products-services/naming-and-directory-services/naming-services/com-net-registry/page_001051.html),
and you could probably start aggregating data pretty easily from there.

  _____  

From: unknown unknown [mailto:unknown.pentester@...il.com] 
Sent: Friday, October 21, 2005 12:05 PM
To: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
Subject: [Full-disclosure] vhost enumeration



Guys,

I'm very interested in the idea of finding vhosts given an IP address.
So far, the only way to do this is by querying open source facilities
such as search engines and online statistic databases.

Sometimes, reverse lookups might give you hostnames, but you can't
always count on this as domain names don't always support PTR records.


I'm curious about how feasible it is to use vhosts as backdoors when
performing security tests. The idea is that you enumerate all vhosts for
a given IP address and attack the server via the vhost which offers the
most insecure web application. 

I haven't experimented much with this concept, so I would like to
receive some feedback on this.


So far, I use different tools to enumerate vhosts given an IP address:

1. Google

Search a given IP address, e.g. "1.2.3.4" (including the quotation
marks). This method works sometimes, but it is a bit manual because you
need to check the hostnames from the result snippets and make sure that
they resolve to your target IP address.

2. Reverse IP (http://www.whois.sc/reverse-ip/)

This online tool is quite good. The downside is that you need to
register for an account. If you register a free account, *only* a
maximum of 3 vhosts will be returned from your queries. Unfortunately,
you need to pay in order to get all the results from the database.

3. Searchmee (http://www.searchmee.com/web-info/ip-hunt.php)

Another online tool similar to Reverse IP. The good thing is that it is
*free*. A very cool feature is that it takes IP ranges in slash
notation. This is really powerful because it provides a stealth
mechanism to "scan" for webservers across a given company gateway.

For instance, you can make the following organizational query on your
shell:

$ whois -h whois.arin.net Microsoft

Then from there you could choose an IP range. So say that you pick
"207.46.0.0 - 207.46.255.255". After that you can stick this range, in
slash notation, into Searchmee as 207.46.0.0/16.

This search will give you quite a good number of Microsoft web servers
that belong to that range without ever sending a single packet to the
target.

The request is:

http://www.searchmee.com/web-info/ip-hunt.php?hosttofind=&ip=207.46.0.0&cidr=16&action=Search

A partial screenshot is available at:

http://www.ikwt.com/imgs/webserver-enumeration.jpg


Other stealth enumeration tools that you might be interested in include:


Dmitry - http://mor-pah.net/code/download.php?file=DMitry-1.2a.tar.gz

MET (Massive Enumeration Toolset) - http://www.gnucitizen.org/met/download/


If any of you know of any other tools or techniques that might help with
enumerating vhosts given an IP address, please let me know.

Regards,
pagvac (Adrian Pastor)


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051024/fa0a6e2b/attachment.html
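The aggregation Krpata suggests (pull the TLD zone files, index every A record by address, then ask which names point at one IP or into a CIDR block) and the check pagvac does by hand for search-engine hits (confirm that each hostname lifted from a snippet really resolves to the target) can both be driven from the same reverse index. The script below is an added example, not code from either poster or from any of the tools named in the thread. It parses a constructed BIND-style zone fragment instead of a real .com zone so that it runs offline; every name and address in SAMPLE_ZONE is made up, and the 207.46.0.0/16 query only mirrors the range used in the message.

```python
import ipaddress
from collections import defaultdict

# Constructed BIND-style zone fragment standing in for a downloaded TLD zone.
# All names and addresses here are made up for the example.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@                  IN A     203.0.113.10
www            600 IN A     207.46.10.5
shop               IN A     207.46.10.5
mail               IN MX 10 mx.example.com.
beta               IN A     198.51.100.7
www.beta           IN CNAME beta
cdn                IN A     207.46.200.9   ; edge node
other.example.net. IN A     207.46.10.5
"""


def parse_a_records(zone_text, origin=None):
    """Return (fqdn, ip) pairs for every A record in a zone file fragment.

    Handles $ORIGIN, '@', relative vs. absolute owner names, optional TTL and
    class fields, and ';' comments. Other record types (MX, CNAME, ...) are
    skipped because only A records tie a name directly to an address.
    """
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        if line.startswith("$"):                  # $ORIGIN / $TTL directives
            if line.startswith("$ORIGIN"):
                origin = line.split()[1].rstrip(".")
            continue
        owner, *rest = line.split()
        # Skip the optional TTL and class so that rest[0] is the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)
        if len(rest) < 2 or rest[0].upper() != "A":
            continue
        try:
            ip = ipaddress.ip_address(rest[1])
        except ValueError:
            continue                              # malformed address, ignore
        if owner == "@":
            name = origin or ""
        elif owner.endswith("."):
            name = owner                          # already absolute
        else:
            name = f"{owner}.{origin}" if origin else owner
        records.append((name.rstrip(".").lower(), ip))
    return records


def build_reverse_index(records):
    """Map each IP address to the set of names whose A record points at it."""
    index = defaultdict(set)
    for name, ip in records:
        index[ip].add(name)
    return index


def vhosts_for_ip(index, ip):
    """Names known to resolve to one address (the 'reverse IP' lookup)."""
    return sorted(index.get(ipaddress.ip_address(ip), ()))


def vhosts_in_range(index, cidr):
    """Names grouped by address for every indexed address inside a CIDR
    block, the offline equivalent of the 207.46.0.0/16 Searchmee query."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {str(ip): sorted(names) for ip, names in index.items() if ip in net}


def verify_candidates(index, target_ip, candidates):
    """Keep only candidate names (e.g. lifted from search-engine snippets)
    whose A record really points at target_ip; case and trailing dot ignored."""
    known = index.get(ipaddress.ip_address(target_ip), set())
    return [c for c in candidates if c.rstrip(".").lower() in known]


if __name__ == "__main__":
    idx = build_reverse_index(parse_a_records(SAMPLE_ZONE))
    print(vhosts_for_ip(idx, "207.46.10.5"))
    print(vhosts_in_range(idx, "207.46.0.0/16"))
    print(verify_candidates(idx, "207.46.10.5",
                            ["WWW.example.com", "beta.example.com",
                             "shop.example.com."]))
```

Against a real zone dump the same index is built once and queried many times; a full .com zone has tens of millions of A records, so store it as a dict keyed by the packed address rather than re-parsing per query. Note that a zone file only lists names that have an A record at the registry-visible level, so names served under wildcard or delegated subdomains will still be missing, which is one reason the passive sources in the thread complement rather than replace each other.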
