Re: Finding vhosts

From: Fabrice MOURRON (fab@revhosts.net)
Date: Tue Oct 25 2005 - 02:32:20 EDT


On Monday, 24 October 2005 at 16:30 +0000, m123303@richmond.ac.uk wrote:
> Dear pentesters,
Hi pagvac,

>
> So far, I use different tools to enumerate vhosts given an IP address:
>
> 1. Google
>
> Search a given IP address. e.g.: "1.2.3.4" (including the quotation marks). This method works sometimes, but it is a bit manual because you need to check the hostnames from the result snippets and make sure that they resolve to your target IP address.
>
> 2. Reverse IP (http://www.whois.sc/reverse-ip/)
>
> This online tool is quite good. The downside is that you need to register for an account. If you register a free account, *only* a maximum of 3 vhosts will be returned from your queries. Unfortunately, you need to pay in order to get the full version results from the database.
>
Yes, coupled with another database (http://webhosting.info/), that is
perhaps sufficient.

> 3. Searchmee (http://www.searchmee.com/web-info/ip-hunt.php)
>
> Another online tool similar to Reverse IP. The good thing is that it is *free*. A very cool feature is that it takes IP ranges in slash notation. This is really powerful because it provides a stealth mechanism to "scan" for webservers across a given company gateway.
>
> For instance, you can make the following organizational query on your shell:
>
> $ whois -h whois.arin.net Microsoft
>
> Then from there you could choose an IP range. So say that you pick “207.46.0.0 - 207.46.255.255”. After that you can stick in this range in slash notation in Searchmee as 207.46.0.0/16
>
> This search will give you a quite good number of Microsoft web servers that belong to that range without ever sending a single packet to the target.
>
> The request is:
>
> http://www.searchmee.com/web-info/ip-hunt.php?hosttofind=&ip=207.46.0.0&cidr=16&action=Search
>
> A partial screenshot is available at:
> http://www.ikwt.com/imgs/webserver-enumeration.jpg
>
>
> Other stealth enumeration tools that you might be interested in include:
>
> Dmitry - http://mor-pah.net/code/download.php?file=DMitry-1.2a.tar.gz
> MET (Massive Enumeration Toolset) - http://www.gnucitizen.org/met/download/
>
> If any of you knows of any other tools or techniques that might help enumerating vhosts given an IP address please let me know.

Yes, http://www.revhosts.net/releases/revhosts-0.2.16.tar.gz

Written in the Python language, revhosts is based on plugins which will try
to make the result more effective.

Example:
revhosts % ./revhosts.py -v -i 207.99.30.226
Plugin [webhosting] in action . . .
Plugin [whois.sc] in action . . .
Hash and Sort in action . . .

2600.com
2600.net
2600.org
2600mag.com
2600magazine.com
2600news.com
hackerquarterly.com
thehackerquarterly.com

-----------------------------------------------
Found 8 VirtualHost(s) on 207.99.30.226 address
-----------------------------------------------

Regards,

Fab

-- 
Fabrice MOURRON
fab at revhosts.net
PGP KeyID: 971BED04
Fingerprint: 400C 0D25 FD13 7803 C955  335D 1B35 AAAE 971B ED04
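
The check mentioned in the quoted message (making sure candidate hostnames really resolve to the address in question), combined with a merge-and-sort step like the one in the output above, as an added example for auditing which names still point at an address you are responsible for. It is not revhosts code and is not from either poster; the function names, source labels, hostnames and addresses are constructed assumptions.

```python
import socket

def normalize(name):
    """Lower-case a hostname and strip whitespace and the trailing root dot."""
    return name.strip().lower().rstrip(".")

def system_resolver(name):
    """Return the set of IPv4 addresses the local resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError):
        return set()  # unresolvable or malformed name
    return {info[4][0] for info in infos}

def confirm_vhosts(ip, sources, resolve=system_resolver):
    """Merge candidate lists, de-duplicate, and split by whether they resolve to ip.

    sources maps a source label to a list of candidate hostnames.
    Returns (confirmed, stale) as two sorted lists.
    """
    candidates = set()
    for names in sources.values():
        candidates.update(n for n in map(normalize, names) if n)
    confirmed, stale = [], []
    for name in sorted(candidates):
        (confirmed if ip in resolve(name) else stale).append(name)
    return confirmed, stale

# Constructed sample data (documentation address ranges and example domains).
SAMPLE_IP = "192.0.2.10"
SAMPLE_SOURCES = {
    "source-a": ["www.example.com", "Shop.Example.com.", "old.example.net"],
    "source-b": ["shop.example.com", "mail.example.org", " "],
}
SAMPLE_DNS = {
    "www.example.com": {"192.0.2.10"},
    "shop.example.com": {"192.0.2.10", "192.0.2.11"},
    "old.example.net": {"198.51.100.7"},
}  # mail.example.org is deliberately absent: it no longer resolves

def sample_resolver(name):
    """Offline stand-in for DNS so the example runs without network access."""
    return SAMPLE_DNS.get(name, set())

if __name__ == "__main__":
    ok, stale = confirm_vhosts(SAMPLE_IP, SAMPLE_SOURCES, sample_resolver)
    print("confirmed:", ok)
    print("stale or moved:", stale)
```

Names in the second list are entries a reverse-IP database still holds but that have moved or expired, which is why database results need the resolution check before they are trusted.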



