Thursday, 14 February 2013

Finding Hidden Vhosts

A web server with no hidden vhosts
During a recent test we observed a number of web servers that had a number of vhosts configured, only some of which were discoverable from public DNS records. Internal DNS servers were configured to resolve the remaining ‘hidden’ vhosts served by the web server.

Unfortunately, the vhosts were not configured to refuse requests from non-internal addresses, meaning the only thing restricting access to the ‘hidden’ vhosts was the lack of public DNS resolution. To quickly enumerate configured vhosts, I wrote a small Perl script that takes two arguments - a file containing a list of IP addresses (targets), and a file containing a list of hostnames. Optionally, a third argument specifies a domain name to append to each hostname, so the hosts file can contain just common entries that can be reused against any target.

./vhostchecker.pl -i ips.txt -h hosts.txt --append .cyberis.co.uk
[INFO] Read 1 IP's from file "ips.txt"
[INFO] Read 18 vhosts from file "hosts.txt"

Checking IP: 95.142.175.1 [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: staging.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: prelive.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: pre-live.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: test.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: www.cyberis.co.uk [C:200 L:14496]

The script will show the differing responses between requests, and the length of each, allowing you to quickly identify vhosts of interest, regardless of whether there is an associated DNS entry. If you find something, just be sure to create a static host entry before viewing in a browser!
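The same checking and comparison logic, written here in Python as an added example rather than the original vhostchecker.pl: each reply is summarised in the post's [C:status L:length R:location] form, and vhosts whose summary differs from the bare-IP baseline are flagged. The hostnames, the sample replies and the plain-HTTP assumption are all constructed for illustration.

```python
import http.client


def summarize(status, body_len, location=None):
    """Build the [C:... L:... R:...] summary line used in the post's output."""
    summary = f"C:{status} L:{body_len}"
    if location:
        summary += f" R:{location}"
    return f"[{summary}]"


def parse_raw_response(raw):
    """Parse raw HTTP/1.x response bytes into (status, lowercase headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def summarize_raw(raw):
    """Summarise a raw response exactly as the live checker would."""
    status, headers, body = parse_raw_response(raw)
    return summarize(status, len(body), headers.get("location"))


def check_vhost(ip, vhost, port=80, timeout=5):
    """Live check: GET / on ip with a spoofed Host header (assumes plain HTTP)."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": vhost})
        resp = conn.getresponse()
        body = resp.read()
        return summarize(resp.status, len(body), resp.getheader("Location"))
    finally:
        conn.close()


def interesting(baseline, results):
    """Return the vhost names whose summary differs from the bare-IP baseline."""
    return sorted(host for host, summary in results.items() if summary != baseline)


# Constructed sample replies (not captured from any real server).
REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.example.test/\r\n"
            b"Content-Length: 233\r\n\r\n" + b"x" * 233)
SITE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + b"<p>hi</p>" * 10

if __name__ == "__main__":
    baseline = summarize_raw(REDIRECT)  # what the bare IP returns
    results = {"staging.example.test": summarize_raw(REDIRECT),
               "www.example.test": summarize_raw(SITE)}
    print(baseline, interesting(baseline, results))
```

For a real run, replace the constructed replies with `check_vhost(ip, name)` for each name in the hosts file, using the bare IP as the baseline request.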

Any feedback, improvements or comments, please use the comments field below.

Source code available here: http://www.cyberis.co.uk/downloads/vhostchecker.pl

Common vhosts file available here: http://www.cyberis.co.uk/downloads/commonvhosts.txt

4 comments:

  1. I'm afraid this doesn't identify my vhosts when it finds a legit one:

    37.122.210.20 technoid.co.uk

    For example, I know webmail.technoid.co.uk works but it returns 503


    Checking VHOST against 37.122.210.20: webmail.technoid.co.uk [C:503 L:2388]

    1. Seems to work OK:

      ./vhostchecker.pl -i ips.txt -h hosts.txt
      [INFO] Read 1 IP's from file "ips.txt"
      [INFO] Read 2 vhosts from file "hosts.txt"

      Checking IP: 37.122.210.20 [C:200 L:9352]
      Checking VHOST against 37.122.210.20: technoid.co.uk [C:404 L:355]
      Checking VHOST against 37.122.210.20: webmail.technoid.co.uk [C:200 L:49936]

      A 503 error would typically represent a temporary server error - http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#5xx_Server_Error

      Could you try again - and email tools@cyberis.co.uk if the problem persists?

  2. Yes, I managed to get this working in the end, thanks.

    However, could you be kind enough to help explain why this is different to a standard DNS brute force?

    1. We had a client that had several vhosts configured that were intended for internal use only (e.g. wiki.internal) - as such only the internal DNS server resolved these hosts. Brute forcing the external DNS server would not have identified the hidden hosts.
