Finding Virtualhosts

Web applications are often the most vulnerable of all applications in an IT infrastructure, as they are

  • often proprietary, built by the company itself, and therefore have not undergone the security tests that might have been performed on standard software, and
  • reachable from the Internet, so anyone with an Internet connection can access them.

Additionally, more than one domain can be served from a single web server. Each domain is then considered a virtualhost.

It’s sometimes really difficult to find all domains that are served from an IP address, as there is no way in DNS to find out all domains that point to a certain IP. For an attacker or penetration tester, it is important to find as many virtualhosts as possible, as each one might contain vulnerabilities of its own.

The only way to do this is to build a large database with as many domain names as possible, complete with the IP address that these domain names point to. Luckily, there are a couple of tools that have done exactly that:

  • YouGetSignal.com seems to be the newest tool and works pretty well. I did a couple of tests and it finds not only virtualhosts for .net, .com or .org, but also for local TLDs like .co.uk. According to the author of the tool, it simply uses search engine results to find as many domains as possible and performs DNS queries for them.
  • Robtex Swiss Army Knife, as they call themselves, can also help to find virtualhosts, but the results are a little bit limited and partly out of date.
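The database approach described above, reduced to its core for inventorying the virtualhosts on a server you are responsible for. This is an added example, not code from the original post or from either tool; the function names, the candidate list and the `SAMPLE_DNS` answers (RFC 5737 documentation addresses) are constructed for illustration.

```python
import socket
from collections import defaultdict

def resolve(name):
    """Live lookup: every IPv4/IPv6 address the name resolves to (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return set()
    return {info[4][0] for info in infos}

def normalize(name):
    """Lower-case and drop the trailing dot so 'WWW.Example.com.' equals 'www.example.com'."""
    return name.strip().rstrip(".").lower()

def build_reverse_index(names, resolver=resolve):
    """Invert name -> IPs into IP -> sorted names, which DNS itself cannot answer."""
    index = defaultdict(set)
    for raw in names:
        name = normalize(raw)
        if not name:
            continue  # skip blank entries in the candidate list
        for ip in resolver(name):
            index[ip].add(name)  # a name with several A records lands under each IP
    return {ip: sorted(hosts) for ip, hosts in index.items()}

def virtualhosts_on(ip, index):
    """All known names served from one IP address (empty list if none are known)."""
    return index.get(ip, [])

# Constructed sample answers standing in for live DNS, so the example runs offline.
SAMPLE_DNS = {
    "www.example.com": {"192.0.2.10"},
    "shop.example.com": {"192.0.2.10"},
    "intranet.example.co.uk": {"192.0.2.10", "198.51.100.7"},
    "mail.example.org": {"198.51.100.7"},
}

def sample_resolver(name):
    return SAMPLE_DNS.get(name, set())

if __name__ == "__main__":
    candidates = ["WWW.Example.com.", "shop.example.com", "intranet.example.co.uk",
                  "mail.example.org", "gone.example.net", ""]
    index = build_reverse_index(candidates, sample_resolver)
    for ip, hosts in sorted(index.items()):
        print(ip, hosts)
```

The index is only as complete as the candidate list fed into it, which is why the tools above gather names from as many sources as they can.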

Picture of IT infrastructure where you literally have to find the web-server by kchbrown


One Response to “Finding Virtualhosts”

  1. Menemukan IP Hostingan Berbagai Site « novhard’s cube Says:

    [...] references cyberphobia [...]
