Hostmap – shared/virtual host enumeration

You either love or hate Sun Tzu quotes, but when they apply I'm inclined to use them 😉

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle”

And so it is also with some web servers! Do you manage your own hosting? Or, like the million others out there, do you share one mega-server hosting hundreds of other sites as well?

Part of the recon stage of pentesting is checking for shared hosting. If other sites live on the same server as yours, your security is only as strong as theirs: the web applications they deploy may not be as well thought out, secure, or even documented as your own.

Long have I searched for ways to enumerate these virtual hosts, but each avenue was a semi-manual process. Now I have settled on a stellar tool by Alessandro `jekil` Tanasi called Hostmap. It uses a plethora of DNS and scraping tricks to accomplish this task for us. Check out the documentation =)

[email protected]:~$ host securityaegis.com
securityaegis.com has address 69.163.181.91
securityaegis.com mail is handled by 0 aspmx.l.google.com.

[email protected]:~$ hostmap 69.163.181.91

hostmap 0.2.1 codename fissatina
Coded by Alessandro `jekil` Tanasi

[2010-01-20 09:52] Found new hostname apache2-grog.argonauts.dreamhost.com
[2010-01-20 09:52] Found new domain argonauts.dreamhost.com
[2010-01-20 09:52] Found new hostname www.licitex.com.br
[2010-01-20 09:52] Found new domain licitex.com.br
[2010-01-20 09:52] Found new hostname licitex.com.br
[2010-01-20 09:52] Found new hostname www.iamaverystorm.com
[2010-01-20 09:52] Found new domain iamaverystorm.com
[2010-01-20 09:53] Found new hostname iamaverystorm.com
[2010-01-20 09:53] Found new domain bz11.info
[2010-01-20 09:53] Found new hostname bz11.info
[2010-01-20 09:53] Found new hostname advancedsolarnj.com
[2010-01-20 09:53] Found new domain advancedsolarnj.com
[2010-01-20 09:53] Found new hostname www.beaudryacura.com
[2010-01-20 09:53] Found new domain beaudryacura.com
[2010-01-20 09:53] Found new hostname beaudryacura.com
[2010-01-20 09:53] Found new hostname www.palmspringscelebritygolf.com
[2010-01-20 09:53] Found new domain palmspringscelebritygolf.com
[2010-01-20 09:53] Found new hostname palmspringscelebritygolf.com
(truncated...)


Results for 69.163.181.91

Served by name server (probably)
ns1.dreamhost.com
ns3.dreamhost.com
ns2.dreamhost.com

Served by mail exchange (probably)
mx2.sub3.homie.mail.dreamhost.com
aspmx.l.google.com
mx1.sub3.homie.mail.dreamhost.com


Hostnames:
ftp.itstimetobetheking.com
ftp.terpstar.com
www.vangoghpaintings.net
www.securityaegis.com
roast-beef.org
terpstar.com
licitex.com.br
www.blackspotskateboards.org
ftp.jimwaterhouse.com
ftp.alonsoespinosa.org
itstimetobetheking.com
blahasculpture.com
www.boardmasher.com
www.alonsoespinosa.org
securityaegis.com
salvadorgc.com
www.terpstar.com
apache2-grog.argonauts.dreamhost.com
ftp.ambientchannel.tv
(truncated...)
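A forward-confirmation pass over the kind of list Hostmap prints above, as an added Python example (not part of the post and not Hostmap's own code): each candidate name is kept only if it still resolves to the IP, then the survivors are grouped into domains the way Hostmap's "Found new domain" lines do. The DNS table is constructed so it runs offline; `offline_resolver`, `system_resolver`, `registered_domain` and `confirm_cohosted` are names I chose.

```python
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List

# Constructed DNS answers so the example runs offline. The IP and the first
# five names mirror the post's hostmap run; the rest are made-up edge cases.
SAMPLE_RECORDS: Dict[str, List[str]] = {
    "securityaegis.com": ["69.163.181.91"],
    "www.securityaegis.com": ["69.163.181.91"],
    "licitex.com.br": ["69.163.181.91"],
    "www.licitex.com.br": ["69.163.181.91"],
    "apache2-grog.argonauts.dreamhost.com": ["69.163.181.91"],
    "stale-ptr.example": ["203.0.113.9"],  # moved away: must not be reported
    "cdn-front.example": ["198.51.100.7", "69.163.181.91"],  # multi-A, still shares
}

def offline_resolver(name: str) -> List[str]:
    """Resolver backed by the constructed table; [] stands in for NXDOMAIN."""
    return SAMPLE_RECORDS.get(name.lower().rstrip("."), [])

def system_resolver(name: str) -> List[str]:
    """Live lookup through the OS stub resolver (not used by the offline run)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

SERVICE_LABELS = {"www", "ftp", "mail", "smtp", "pop", "imap", "webmail"}

def registered_domain(hostname: str) -> str:
    """Drop a leading service label, as hostmap does when it reports both the
    hostname www.licitex.com.br and the domain licitex.com.br. Deliberately
    naive (no public-suffix list), so it only peels one well-known prefix."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) > 2 and labels[0] in SERVICE_LABELS:
        labels = labels[1:]
    return ".".join(labels)

def confirm_cohosted(ip: str, candidates: Iterable[str],
                     resolve: Callable[[str], List[str]] = offline_resolver) -> Dict[str, List[str]]:
    """Return {domain: sorted hostnames} for every candidate whose forward
    lookup still includes ip. PTR records and scraped names go stale, so a
    name that no longer points at the box is not a neighbour."""
    by_domain = defaultdict(set)
    for name in candidates:
        if ip in resolve(name):
            by_domain[registered_domain(name)].add(name.lower().rstrip("."))
    return {d: sorted(h) for d, h in sorted(by_domain.items())}
```

Swap `offline_resolver` for `system_resolver` to check a box you administer against the names Hostmap gave you; anything that drops out is a stale record rather than a real neighbour.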
