How to find out all sites at an IP

A web server can serve one or more virtual hosts, so several sites can be hosted on the same IP. Knowing which sites share an IP can be interesting simply out of curiosity (what other sites or projects does this webmaster run?) or useful during a pentest, at the initial information-gathering stage, to expand the attack surface.

Because different web applications can use a variety of software, if you cannot find a vulnerability in one of the sites, you should try your luck with another on the same server. As they say, "A chain is only as strong as its weakest link", and this applies here. If a website that is not itself the goal but is located on the same server as the target site is compromised, there is a possibility of compromising the entire server or of facilitating the attack on the target site.

The ability to find sites on one IP is provided by various services that rely on a large amount of accumulated statistical information. This means the following:

  • Different services can provide information of different volumes (depending on the completeness of the accumulated data)
  • The data provided can be irrelevant (partially or completely)
  • Information may be incomplete
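
Because of the limitations listed above, a list of names obtained from any such service is best treated as a set of candidates and checked against live DNS. The following is an added example, not part of the original article or of any tool it describes: it reports which names still resolve to a given IP. The function names are hypothetical, the input is assumed to be one name per line, and `dig` must be installed.

```shell
#!/bin/sh
# Added example: report which candidate names still resolve to a given IP.
# Function names are hypothetical; input is assumed to be one name per line.

# resolve NAME: print the current A records of NAME (needs dig and network).
resolve() {
    dig +short A "$1" 2>/dev/null
}

# is_hostname NAME: succeed only for letters, digits, '-' and '.'.
# The names come from third-party data, so a line starting with '-' or
# holding spaces must never reach the dig command line.
is_hostname() {
    case $1 in
        ''|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# still_on_ip IP < names.txt
# Prints "current NAME" if one of NAME's A records equals IP, else "stale NAME".
still_on_ip() {
    target=$1
    # Normalise: drop CRs and the trailing root dot, then de-duplicate.
    tr -d '\r' | sed 's/\.$//' | sort -u | while IFS= read -r name; do
        is_hostname "$name" || continue
        # -x matches whole lines, so 203.0.113.1 does not match 203.0.113.10.
        if resolve "$name" </dev/null | grep -qxF "$target"; then
            echo "current $name"
        else
            echo "stale $name"
        fi
    done
}

# Usage: sh still_on_ip.sh 185.117.153.79 < names.txt
if [ "$#" -eq 1 ]; then
    still_on_ip "$1"
fi
```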

iptodomain allows you to extract domains from an IP range, using the historical information archived in VirusTotal. It is useful if you want to know what domains are behind an IP address. For example, in bug bounty programs one of the first steps is to enumerate subdomains, and this tool can help with this task… First you have to find out the IP range that a company uses. Often a good starting point is to find the AS (Autonomous System) number; from it you can find the IP range.

Install iptodomain:

git clone https://github.com/jevalenciap/iptodomain.git
cd iptodomain/
sed -i '1s/^/#! \/usr\/bin\/env python2\n/' iptodomain.py
sudo chmod +x iptodomain.py
sudo mv iptodomain.py /usr/local/bin/iptodomain
cd
iptodomain

iptodomain Options:

-h, --help   show this help message and exit
-i FIRST_IP  The First IP of the range that you want to scan
-f LAST_IP   The Last IP of the range that you want to scan.
-w FILE2     Please enter the file name where report with all domains and
             its IPs are going to save.
-o FILE1     Please enter the file name where the all domains found are
             going to save.
-v           It shows more information while you are scanning.
-r FILE3     Please enter the name of the final Report without duplicate
             domains results

Before starting work, the author advises changing the VirusTotal API key (it's free). However, everything works without changing it (a key is already specified in the program code).

As you can see from the options, the program works with IP ranges and does not support entering a host name (domain name) directly. Therefore, the algorithm is as follows:

  • We get an IP address of an interesting site
  • Specify the same address as the start and end of the IP range.

Let's consider an example of the program running.

Let's say we need to know a list of all the sites hosted on the same IP as the site suip.biz.

You need to start by finding the IP of the target site. This can be done with the dig command:

dig +short suip.biz
185.117.153.79

Set the beginning of the scan range (-i 185.117.153.79) and the end of the scan range (-f 185.117.153.79); the results (domains together with their IPs) will be saved to a file (-w /tmp/t.txt):

iptodomain -i 185.117.153.79 -f 185.117.153.79 -w /tmp/t.txt

By the way, one site can have more than one IP.

To automate the process, I wrote the following large command. It can be directly copied to the command line:

DONE=""; URL=$(/usr/bin/zenity --entry --width=370 --title="Hostnames that resolve to the target's IP address" --text="URL or IP:" 2>/dev/null); while read -r IP; do [[ "$IP" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || continue; echo ""; echo "We got IP $IP. Looking for web-sites on the address:"; iptodomain -i "$IP" -f "$IP" -w /tmp/t.txt; echo ""; DONE="1"; done < <(dig @8.8.8.8 +short "$URL"); if [ -z "$DONE" ]; then echo ""; echo "We got IP $URL. Looking for web-sites on the address:"; iptodomain -i "$URL" -f "$URL" -w /tmp/t.txt; echo ""; fi

A dialog box will open where you can enter a domain name or an IP address.

If an IP is entered, all the sites hosted on it will be displayed. If a domain name is entered, its IP will be found and all sites on that IP will be displayed. If the entered domain name has more than one IP, all the sites found on each of them will be shown.

Also you can save the following script to the file allwebsites.bash:

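#!/bin/bash

# Domain name or IP address: taken from the first argument,
# or asked for in a dialog box if no argument is given
URL="$1"

if [ -z "$URL" ]; then
    URL=$(/usr/bin/zenity --entry --width=350 --title="Hostnames that resolve to the target's IP address" --text="URL or IP:" 2>/dev/null)
fi

DONE=""

# Resolve the name and query iptodomain for every IPv4 address returned
while read -r IP; do
    # dig +short can also print CNAME targets; skip anything that is not an IPv4 address
    [[ "$IP" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || continue
    echo ""
    echo "We got IP $IP. Looking for web-sites on the address:"
    iptodomain -i "$IP" -f "$IP" -w /tmp/t.txt
    echo ""
    DONE="1"
done < <(dig @8.8.8.8 +short "$URL")

# Nothing was resolved: treat the input itself as an IP address
if [ -z "$DONE" ]; then
    echo ""
    echo "We got IP $URL. Looking for web-sites on the address:"
    iptodomain -i "$URL" -f "$URL" -w /tmp/t.txt
    echo ""
fi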

You can run it without arguments (then it will work just like the previous big command):

bash allwebsites.bash

Or, you can specify an IP or URL. Example:

bash allwebsites.bash youtube.com

All sites from the range of IP addresses

In the previous examples, we searched for sites on only one IP.

The iptodomain program was originally created to search for all sites across a range of IP addresses. Therefore, you can run it like this:

iptodomain -i 185.117.153.1 -f 185.117.153.255 -w /tmp/t.txt
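
Address ranges are usually published in CIDR notation, while the -i and -f options take the first and last address of the range. The following is an added example, not part of iptodomain or of the original article, that converts a CIDR block into those two values and rejects malformed input; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: turn a CIDR block into the first and last address, the two
# values iptodomain takes as -i and -f. Function names are hypothetical.

# ip_to_int A.B.C.D: print the address as an integer, fail on bad input.
ip_to_int() {
    case $1 in ''|.*|*.|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots (input holds only digits/dots)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        # Reject empty, zero-padded (would parse as octal) or over-long octets.
        case $octet in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N: print the integer as a dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range A.B.C.D/N: print "FIRST LAST" for the block containing the address.
cidr_range() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case $prefix in ''|0?*|???*|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    ip=$(ip_to_int "$addr") || return 1
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    first=$(( ip & mask ))
    last=$(( first | (mask ^ 0xFFFFFFFF) ))
    echo "$(int_to_ip "$first") $(int_to_ip "$last")"
}

# Usage: sh cidr_range.sh 185.117.153.0/24
if [ "$#" -eq 1 ]; then
    cidr_range "$1"
fi
```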

Online service for searching all sites hosted at an IP (IP Neighbours)

Since this guide describes working in a Linux environment, the approach may be difficult for Windows users.

To avoid any difficulties, regardless of your OS, an online service with this functionality has been created. It is located at https://suip.biz/?act=hostmap. There you just need to enter the address of the target site or an IP address, and the information from the iptodomain program will be shown to you.

Conclusion

If you have found a very large number of sites for some IP, this IP address probably belongs to a hosting provider that offers virtual hosting services. In such cases there can be hundreds or even thousands of websites at one IP, and the sites belong to completely different people who have only one thing in common: they use the services of the same hosting provider.

My scripts do not work with address ranges; they are intended only to speed up the routine process of searching for sites at an IP, or neighbours of a website.
