[WEB SECURITY] way to determine virtual hosts?

Nicolas nicolasfr at gmail.com
Tue Apr 15 11:09:24 EDT 2008

Are you specifically looking for websites (virtual hosts) hosted on a server
or all DNS names that points to a single IP (that may not have a hosted

Concerning all DNS names you can try, given you are on an internal network :

- Try a zone transfer on the DNS,
- Passive / active sniffing for hostnames,
- Dump the machine names from the LDAP directory (Active Directory if it's a
windows domain)
- Bruteforce the DNS

Then of course a simple script to check the webpage for each DNS name is
trivial (wget or whatever will do)

Also you can look for specific bugs: Apache had a flaw under certain
circumstances (add %00 to the url will display the list of directories if
using the home based virtual hosts module)

On Tue, Apr 15, 2008 at 2:11 PM, Travis Altman <travisaltman at gmail.com>

> i'm specifically looking for a way to do this on an INTERNAL network, any
> suggestions?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20080415/06aa7967/attachment.html>

More information about the websecurity mailing list