" Reverse IP Lookup " is a very useful concept for the penetration testers to find out domains which are hosted in targeted host . Using this concept you can find out the number of domains hosted on a server lets say s4ur4v.com is a server with a server address 1.1.1.1 now when you do a reverse IP lookup on that server you will find the other domains hosted on the same server.
Whats the theory behind this ?
All web servers are assigned with a unique IP address . If a web server is running a website the IP a address of the site will be same as that of the server. Now if there are multiple domains hosted on the same web server they will be also having the same IP address of the server . By using this concept " Reverse IP Lookup " we instruct the lookup process to look the number of domains on the target server/host
How to do a Reverse IP Lookup ?
Their are a lots of ready made sites which offer you to do a reverse IP look up like yougetsignal
-Go to http://www.yougetsignal.com/
-Gype the server address / website URL
-Click on check and bingo you get the number of domains on the server you looked up
Next i will show you how to do this with a python script which will be using Bing's API to find our dinner ( You can use also DRIL which uses the same )
- import httplib, urllib, socket, sys
- from xml.dom.minidom import parse, parseString
- if len(sys.argv) == 2:
- AppId = '1734E2C92CA63FAA596335295B09CF1D0B5C6161'
- domain = sys.argv[1]
- sites = [domain]
- ip = socket.gethostbyname(domain)
- offset = 50
- while offset < 300:
- uri = "/xml.aspx?AppId=%s&Query=ip:%s&Sources=Web&Version=2.0&Market=en-us&Adult=Moderate&Options=EnableHighlighting&Web.Count=50&Web.Offset=%s&Web.Options=DisableQueryAlterations"%(AppId, ip, offset)
- conn = httplib.HTTPConnection("api.bing.net")
- conn.request("GET", uri)
- res = conn.getresponse()
- data = res.read()
- conn.close()
- xmldoc = parseString(data)
- nameEls = xmldoc.getElementsByTagName('web:DisplayUrl')
- for el in nameEls:
- temp = el.childNodes[0].nodeValue
- temp = temp.split("/")[0]
- if temp.find('www.') == -1:
- if temp not in sites:
- sites.append(temp)
- offset += 50
- print "\n\n"
- print "Total: %d domain(s)\n\n"%len(sites)
- for i in sites:
- print i
- print "\n\n"
- else:
- print "\n\n\n"
- print "=====================================\n"
- print "Usage: $ python reverse.py domain.com\n"
- print "Ex: $ python reverse.py hackersbay.in \n"
- print "=====================================\n"
- print "\n\n\n"
Windows users please mind it you have python installed in your OS before running this script.I am going to show it using Backtrack
- Copy the above script and paste it in a file rename it to reverse.py
- Browse through the directory you saved the file in e.g cd /dir
- to execute the script you have to just write python reverse.py and then it will show you the how to do the rest :D
root@bt:~# cd /pentest
root@bt:/pentest# python reverse.py
=====================================
Usage: $ python reverse.py domain.com
Ex: $ python reverse.py enhack.net
=====================================
root@bt:/pentest# python reverse.py davunit8.org
Total: 103 domain(s)
davunit8.org
psplindia.com
jnvkeonjhar.com
microfinanceltd.com
puspitamishra.com
htti-cuttack.com
neemworld.com
keonjhar.net
origininfosystem.com
cippl.com
newditech.com
caravanholidaysindia.com
niateducation.com
sunrayadv.com
spanscaffold.com
suinsys.com
ihmbbs.org
mohindratourist.com
hiem-bdk.org
immunologyofdiabetessociety.com
pipilicrafts.com
dhaneswarinstitutekatak.com
indomer.com
itibalasore.org... continues
I missed something ? feel free to comment
No comments:
Post a Comment