[Image: A web server with no hidden vhosts]
Unfortunately, the 'hidden' vhosts were not restricted to internal source addresses, so the only thing protecting them was the lack of a public DNS entry: anyone who sent a request to the server's IP address with the right Host header would be served the internal site. To quickly enumerate configured vhosts, I wrote a small Perl script that takes two arguments: a file containing a list of IP addresses (the targets), and a file containing a list of hostnames. Optionally, you can also pass an option specifying a domain name to append, so the hosts file need only contain common prefixes (staging, test, dev and so on) that can be reused against any target.
./vhostchecker.pl -i ips.txt -h hosts.txt --append .cyberis.co.uk
[INFO] Read 1 IP's from file "ips.txt"
[INFO] Read 18 vhosts from file "hosts.txt"
Checking IP: 95.142.175.1 [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: staging.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: prelive.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: pre-live.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: test.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: www.cyberis.co.uk [C:200 L:14496]
For each target IP the script first requests the bare IP as a baseline, then repeats the request with each candidate hostname in the Host header, printing the status code (C), response length (L) and any redirect target (R). A response that differs from the baseline, such as the 200 for www.cyberis.co.uk above against the 301 returned for everything else, marks a vhost of interest, regardless of whether there is an associated DNS entry. Treat a change in length alone as a weaker signal than a change in status code or redirect target: dynamic pages and error pages that echo the requested hostname will also vary in length, so confirm anything interesting by hand. If you find something, be sure to create a static hosts-file entry before viewing it in a browser, otherwise the browser will simply fail to resolve the name.
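The same approach in Python, as an added example rather than the Perl script itself: connect to the IP directly, vary the Host header, and compare each answer with the bare-IP baseline, separating strong differences (status code or redirect target) from the weaker length-only ones discussed above. The target 192.0.2.10, the example.test hostnames and the demo_fetch stand-in server are constructed so the example runs offline; http_fetch is the equivalent that talks to a real host.

```python
"""Name-based vhost enumeration without DNS: request one IP repeatedly while
varying the Host header, then flag answers that differ from the bare-IP baseline.
Added example in Python, not the original vhostchecker.pl.  The IP 192.0.2.10,
the example.test names and demo_fetch are constructed for offline use."""
import http.client
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Probe:
    """What one request produced: status code, body length and redirect target."""
    code: int
    length: int
    redirect: Optional[str] = None

    def __str__(self) -> str:
        s = f"C:{self.code} L:{self.length}"
        if self.redirect:
            s += f" R:{self.redirect}"
        return f"[{s}]"


Fetcher = Callable[[str, str], Probe]   # (ip, host_header) -> Probe


def http_fetch(ip: str, host: str, timeout: float = 5.0) -> Probe:
    """Real fetcher: TCP-connect to the IP and set Host ourselves, so the name
    never has to resolve in DNS (the same trick the Perl script relies on)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "vhostcheck"})
        resp = conn.getresponse()
        body = resp.read()
        return Probe(resp.status, len(body), resp.getheader("Location"))
    finally:
        conn.close()


def expand_hosts(names: Iterable[str], append: str = "") -> List[str]:
    """Equivalent of --append: turn bare prefixes into FQDNs; skip blanks/comments."""
    out: List[str] = []
    for n in names:
        n = n.strip()
        if not n or n.startswith("#"):
            continue
        if append and not n.endswith(append):
            n += append
        out.append(n)
    return out


def classify(baseline: Probe, probe: Probe) -> str:
    """'distinct': status or redirect differs from the bare IP (strong signal).
    'length-only': same status/redirect, different body length (weak signal: dynamic
    pages and error bodies that echo the hostname also do this).  'same': nothing."""
    if (probe.code, probe.redirect) != (baseline.code, baseline.redirect):
        return "distinct"
    if probe.length != baseline.length:
        return "length-only"
    return "same"


def check_ip(ip: str, hosts: Iterable[str], fetch: Fetcher) -> dict:
    """Probe the bare IP first, then each candidate vhost against that baseline."""
    baseline = fetch(ip, ip)
    results: Dict[str, Probe] = {}
    verdicts: Dict[str, str] = {}
    for h in hosts:
        results[h] = fetch(ip, h)
        verdicts[h] = classify(baseline, results[h])
    return {"baseline": baseline, "results": results, "verdicts": verdicts}


def report(ip: str, hosts: List[str], fetch: Fetcher = http_fetch) -> dict:
    """Print in the same shape as the Perl script's output, marking hits."""
    r = check_ip(ip, hosts, fetch)
    print(f"Checking IP: {ip} {r['baseline']}")
    for h in hosts:
        v = r["verdicts"][h]
        print(f"Checking VHOST against {ip}: {h} {r['results'][h]}" + ("" if v == "same" else f"   <-- {v}"))
    return r


# Constructed stand-in for a target (no network): unknown hosts fall through to the
# default site, a 301 to the public www site, the pattern seen in the output above.
_DEMO_DEFAULT = Probe(301, 233, "http://www.example.test/")
_DEMO_SITES = {
    "www.example.test": Probe(200, 14496),
    "staging.example.test": Probe(401, 381),   # 'hidden' staging site behind basic auth
}


def demo_fetch(ip: str, host: str) -> Probe:
    if host == "test.example.test":
        # Default site whose redirect body echoes the hostname: same code and
        # Location as the baseline, only the length moves -> length-only signal.
        return Probe(_DEMO_DEFAULT.code, _DEMO_DEFAULT.length + len(host), _DEMO_DEFAULT.redirect)
    return _DEMO_SITES.get(host, _DEMO_DEFAULT)


DEMO_HOSTS = expand_hosts(["staging", "prelive", "pre-live", "test", "www"], ".example.test")

if __name__ == "__main__":
    report("192.0.2.10", DEMO_HOSTS, demo_fetch)
```

Against a real target, call `report("<ip>", expand_hosts(open("hosts.txt"), ".example.test"))` and leave the default http_fetch in place; the demo run flags www and staging as distinct and test as length-only, which is exactly the triage the prose above asks for.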
Any feedback, improvements or comments, please use the comments field below.
Source code available here: http://www.cyberis.co.uk/downloads/vhostchecker.pl
Common vhosts file available here: http://www.cyberis.co.uk/downloads/commonvhosts.txt

I'm afraid this doesn't identify my vhosts when it finds a legit one:
37.122.210.20 technoid.co.uk
For example, I know webmail.technoid.co.uk works but it returns 503
Checking VHOST against 37.122.210.20: webmail.technoid.co.uk [C:503 L:2388]
Seems to work OK:
./vhostchecker.pl -i ips.txt -h hosts.txt
[INFO] Read 1 IP's from file "ips.txt"
[INFO] Read 2 vhosts from file "hosts.txt"
Checking IP: 37.122.210.20 [C:200 L:9352]
Checking VHOST against 37.122.210.20: technoid.co.uk [C:404 L:355]
Checking VHOST against 37.122.210.20: webmail.technoid.co.uk [C:200 L:49936]
A 503 error would typically represent a temporary server error - http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#5xx_Server_Error
Could you try again - and email tools@cyberis.co.uk if the problem persists?
Yes, I managed to get this working in the end, thanks.
However, could you be kind enough to help explain why this is different to a standard DNS brute force?
We had a client that had several vhosts configured that were intended for internal use only (e.g. wiki.internal) - as such only the internal DNS server resolved these hosts. Brute forcing the external DNS server would not have identified the hidden hosts.