Hostmap – shared/virtual host enumeration


You either love or hate Sun Tzu quotes, but when they apply I'm inclined to use them ;)

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle”

And so it is also with some web servers! Do you manage your own hosting? Or, like the million others out there, do you share one mega-server hosting hundreds of other sites as well?

Part of the recon stage of pentesting is checking for shared hosting. If there are other sites on the same server as yours, your security is only as strong as theirs. The web applications they deploy may not be as well thought out, secure, or even documented.

Long have I searched for ways to enumerate these virtual hosts, but each avenue was a semi-manual process. Now I have settled on a stellar tool by Alessandro `jekil` Tanasi called Hostmap. It uses a plethora of DNS and scraping tricks to accomplish this task for us. Check out the documentation =)

jhaddix@secaegis:~$ host securityaegis.com
securityaegis.com has address 69.163.181.91
securityaegis.com mail is handled by 0 aspmx.l.google.com.

jhaddix@secaegis:~$ hostmap 69.163.181.91


hostmap 0.2.1 codename fissatina
Coded by Alessandro `jekil` Tanasi


[2010-01-20 09:52] Found new hostname apache2-grog.argonauts.dreamhost.com
[2010-01-20 09:52] Found new domain argonauts.dreamhost.com
[2010-01-20 09:52] Found new hostname www.licitex.com.br
[2010-01-20 09:52] Found new domain licitex.com.br
[2010-01-20 09:52] Found new hostname licitex.com.br
[2010-01-20 09:52] Found new hostname www.iamaverystorm.com
[2010-01-20 09:52] Found new domain iamaverystorm.com
[2010-01-20 09:53] Found new hostname iamaverystorm.com
[2010-01-20 09:53] Found new domain bz11.info
[2010-01-20 09:53] Found new hostname bz11.info
[2010-01-20 09:53] Found new hostname advancedsolarnj.com
[2010-01-20 09:53] Found new domain advancedsolarnj.com
[2010-01-20 09:53] Found new hostname www.beaudryacura.com
[2010-01-20 09:53] Found new domain beaudryacura.com
[2010-01-20 09:53] Found new hostname beaudryacura.com
[2010-01-20 09:53] Found new hostname www.palmspringscelebritygolf.com
[2010-01-20 09:53] Found new domain palmspringscelebritygolf.com
[2010-01-20 09:53] Found new hostname palmspringscelebritygolf.com
(truncated...)


Results for 69.163.181.91

Served by name server (probably)
ns1.dreamhost.com
ns3.dreamhost.com
ns2.dreamhost.com

Served by mail exchange (probably)
mx2.sub3.homie.mail.dreamhost.com
aspmx.l.google.com
mx1.sub3.homie.mail.dreamhost.com


Hostnames:
ftp.itstimetobetheking.com
ftp.terpstar.com
www.vangoghpaintings.net
www.securityaegis.com
roast-beef.org
terpstar.com
licitex.com.br
www.blackspotskateboards.org
ftp.jimwaterhouse.com
ftp.alonsoespinosa.org
itstimetobetheking.com
blahasculpture.com
www.boardmasher.com
www.alonsoespinosa.org
securityaegis.com
salvadorgc.com
www.terpstar.com
apache2-grog.argonauts.dreamhost.com
ftp.ambientchannel.tv
(truncated...)
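
An added example (not part of hostmap or the original post): a small Python script for reviewing who shares your server. It parses the "Found new hostname/domain" lines shown above, groups hostnames under the reported domains, and re-resolves each name to check that it still points at the IP. The function names and the sample log are constructed for illustration, and the line format is assumed from the output above.

```python
import re
import socket
from collections import defaultdict

# Constructed sample in the log format hostmap 0.2.1 prints above.
SAMPLE_LOG = """\
[2010-01-20 09:52] Found new hostname www.licitex.com.br
[2010-01-20 09:52] Found new domain licitex.com.br
[2010-01-20 09:52] Found new hostname licitex.com.br
[2010-01-20 09:53] Found new domain bz11.info
[2010-01-20 09:53] Found new hostname bz11.info
[2010-01-20 09:53] Found new hostname www.beaudryacura.com
(truncated...)
"""
LINE_RE = re.compile(
    r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\] Found new (hostname|domain) (\S+)$")

def parse_hostmap_log(text):
    """Return (hostnames, domains): sorted, lowercased, de-duplicated."""
    found = {"hostname": set(), "domain": set()}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # banner, blank and "(truncated...)" lines are skipped
            found[m.group(1)].add(m.group(2).lower().rstrip("."))
    return sorted(found["hostname"]), sorted(found["domain"])

def group_by_domain(hostnames, domains):
    """Attach each hostname to the longest reported domain it falls under."""
    groups = defaultdict(list)
    for host in hostnames:
        owners = [d for d in domains if host == d or host.endswith("." + d)]
        key = max(owners, key=len) if owners else "(no domain reported)"
        groups[key].append(host)
    return dict(groups)

def confirm(hostnames, ip, resolve=socket.gethostbyname_ex):
    """Split names into (live, stale) by whether they resolve to ip today."""
    live, stale = [], []
    for host in hostnames:
        try:
            addrs = resolve(host)[2]  # third element is the address list
        except OSError:               # NXDOMAIN, timeout, no network
            addrs = []
        (live if ip in addrs else stale).append(host)
    return live, stale

if __name__ == "__main__":
    hosts, doms = parse_hostmap_log(SAMPLE_LOG)
    for domain, names in group_by_domain(hosts, doms).items():
        print(domain, "->", ", ".join(names))
```

Names that land in the stale list no longer resolve to the address and can be dropped from the co-tenant inventory before you assess what actually shares the box.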
