[WEB SECURITY] way to determine virtual hosts?

Adam Muntner adam.muntner at quietmove.com
Tue Apr 15 14:51:36 EDT 2008


DiG is your friend

Here are some queries that will come in handy. The DNS techniques discussed
below work equally well on intranets and internets.

$ dig @dnsserver version.bind chaos txt
Depending on the configuration of the DNS server this will report the server
type and version. Maybe it hasn't been patched forever and you can exploit
it and grab the zonefiles?
example:
$ dig @1.2.3.254 version.bind chaos txt
(snip)
;; ANSWER SECTION:
version.bind.        0    CH    TXT    "9.3.1"

$ dig @dnsserver dommainname.com ns
This will report all the nameservers registered as being authoritative for
the domain specified. Frequently you will find poorly planned DNS
implementations. Example in use: query the DNS server for the list of
authoritative nameservers, then query each of those for the authoritative
nameservers for the same zone, like
$ dig @ns1.foo.com dommainname.com ns
$ dig @ns2.foo.com dommainname.com ns
etc. Keep a list of all unique DNS servers. Now and then there are old,
unexpected or misconfigured slave DNS servers on a network. They have the
zone table... and unlike all the other DNS servers, this one is configured
to allow a zone transfer.

Zone transfer is done with DiG like this:
dig @68.105.28.11 dommainname.com axfr
You'll either get a response back that the transfer failed, or you'll get
the zone table dump. Just run it again and pipe the results into a file.
If you have a long list of DNS servers to try, you can automate this with a
little bash script:
$ for i in `cat nameservers.txt`; do dig @$i victim.com axfr | tee $i.txt; done
It will loop through all the IPs in the nameservers.txt file, try to do a
zone transfer, and dump the results into a text file with the name of the
DNS server tried.

There is a website (subscription) that keeps archives of zone records over
time historically - I can't remember what it's called. I've used it to find
other network address space for organizations during zero-knowledge
pentests.

-- 
Adam Muntner, CISSP
Managing Partner
QuietMove, Inc.
http://www.quietmove.com
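The three dig queries above (version.bind CHAOS TXT, NS lookups against each server, and AXFR attempts) produce text that a zone owner can audit for stray secondaries and servers that hand out the zone. The following script is an added example, not part of Adam's post: it parses dig-style output (the samples are constructed inline, and the hostnames and addresses are placeholders), collects the union of nameservers every server claims for the zone, flags any that are not on your planned list, and reports which of the tried servers actually answered an AXFR. dig prints "; Transfer failed." when a transfer is refused, and a successful transfer is bracketed by the zone's SOA record, which is what the checks below rely on.

```python
"""Audit dig output: stray nameservers and servers that allow zone transfers.

The sample outputs below are constructed to look like `dig` output; they are
not captured from any real server.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# One resource record as dig prints it: name, TTL, class, type, rdata.
RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+(?P<cls>IN|CH)\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$"
)

# Constructed `dig @<server> example.com ns` answers. ns2 also lists a
# secondary that nobody planned for.
NS_ANSWERS: Dict[str, str] = {
    "ns1.example.com": """;; ANSWER SECTION:
example.com.    3600    IN    NS    ns1.example.com.
example.com.    3600    IN    NS    ns2.example.com.
""",
    "ns2.example.com": """;; ANSWER SECTION:
example.com.    3600    IN    NS    ns1.example.com.
example.com.    3600    IN    NS    ns2.example.com.
example.com.    3600    IN    NS    old-slave.example.com.
""",
}

# Constructed `dig @<server> example.com axfr` results.
AXFR_RESULTS: Dict[str, str] = {
    "ns1.example.com": "; Transfer failed.\n",
    "old-slave.example.com": """example.com.    3600    IN    SOA    ns1.example.com. hostmaster.example.com. 2008041501 7200 900 1209600 3600
example.com.    3600    IN    NS    ns1.example.com.
www.example.com.    3600    IN    A    192.0.2.10
example.com.    3600    IN    SOA    ns1.example.com. hostmaster.example.com. 2008041501 7200 900 1209600 3600
""",
}

# Constructed `dig @<server> version.bind chaos txt` answer.
VERSION_ANSWER = """;; ANSWER SECTION:
version.bind.        0    CH    TXT    "9.3.1"
"""


def parse_records(dig_output: str) -> List[Tuple[str, str, str, str]]:
    """Return (name, class, type, rdata) for each RR line; dig's ';' comments and blanks are skipped."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m["name"].lower(), m["cls"], m["type"], m["rdata"].strip()))
    return records


def nameservers(dig_output: str) -> Set[str]:
    """Hostnames from the NS records in one dig answer, normalised (no trailing dot, lowercase)."""
    return {rdata.rstrip(".").lower() for _, _, typ, rdata in parse_records(dig_output) if typ == "NS"}


def unexpected_nameservers(ns_answers: Dict[str, str], expected: Set[str]) -> Set[str]:
    """Union of NS names reported by every server queried, minus the ones you planned."""
    seen: Set[str] = set()
    for output in ns_answers.values():
        seen |= nameservers(output)
    return seen - {e.lower() for e in expected}


def axfr_allowed(dig_output: str) -> bool:
    """True when the output is a zone dump (contains the SOA) rather than a refusal."""
    if "Transfer failed" in dig_output:
        return False
    return any(typ == "SOA" for _, _, typ, _ in parse_records(dig_output))


def bind_version(dig_output: str) -> Optional[str]:
    """The version string from a version.bind CH TXT answer, or None if the server withheld it."""
    for name, cls, typ, rdata in parse_records(dig_output):
        if name == "version.bind." and cls == "CH" and typ == "TXT":
            return rdata.strip('"')
    return None


def audit(ns_answers: Dict[str, str], axfr_results: Dict[str, str], expected: Set[str]) -> Dict[str, object]:
    """Summarise: which servers were not planned, and which of the tried servers allowed AXFR."""
    return {
        "unexpected_nameservers": sorted(unexpected_nameservers(ns_answers, expected)),
        "axfr_allowed_on": sorted(s for s, out in axfr_results.items() if axfr_allowed(out)),
    }


if __name__ == "__main__":
    planned = {"ns1.example.com", "ns2.example.com"}
    print(audit(NS_ANSWERS, AXFR_RESULTS, planned))
    print("version.bind:", bind_version(VERSION_ANSWER))
```

To use it on real output, feed each server's saved `dig ... ns` and `dig ... axfr` text into the two dictionaries; anything that turns up under `unexpected_nameservers` or `axfr_allowed_on` is a secondary that should be either decommissioned or restricted with `allow-transfer` to the planned secondaries only.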



On Tue, Apr 15, 2008 at 8:09 AM, Nicolas <nicolasfr at gmail.com> wrote:

> Are you specifically looking for websites (virtual hosts) hosted on a
> server or all DNS names that points to a single IP (that may not have a
> hosted website)?
>
> Concerning all DNS names you can try, given you are on an internal network
> :
>
> - Try a zone transfer on the DNS,
> - Passive / active sniffing for hostnames,
> - Dump the machine names from the LDAP directory (Active Directory if it's
> a windows domain)
> - Bruteforce the DNS
>
> Then of course a simple script to check the webpage for each DNS name is
> trivial (wget or whatever will do)
>
> Also you can look for specific bugs: Apache had a flaw under certain
> circumstances (add %00 to the url will display the list of directories if
> using the home based virtual hosts module)
>
>
>
>
> On Tue, Apr 15, 2008 at 2:11 PM, Travis Altman <travisaltman at gmail.com>
> wrote:
>
> > i'm specifically looking for a way to do this on an INTERNAL network,
> > any suggestions?
> >
>
>