Discovering hostnames pointing to the same IP address

Web servers commonly serve several sites (virtual hosts) from one IP address and pick the site from the hostname in the HTTP request, the Host header. By discovering the other hostnames that point at the server, penetration testers can reach web applications that are invisible when the server is addressed only by its IP.

This recipe shows how to enumerate the hostnames pointing to the same IP address in order to discover new targets.

Getting ready

The script hostmap depends on external services, and the official version only supports BFK's DNS Logger. In my experience this service works well for popular servers but not so well for the rest. For this reason I created my own version of hostmap.nse, which adds a new service provider, ip2hosts.com. That service is built on Bing's Search API and often returns records that are missing from BFK's data.

Download hostmap.nse with Bing support at https://secwiki.org/w/Nmap/External_Script_Library.

After copying it into your Nmap scripts directory, update the script database by running the following command:

# nmap --script-updatedb

How to do it...

Open a terminal and enter the following command:

$ nmap -p80 --script hostmap nmap.org

The output will look similar to the following:

$ nmap -p80 --script hostmap nmap.org
Nmap scan report for nmap.org (74.207.254.18)
Host is up (0.11s latency).
rDNS record for 74.207.254.18: web.insecure.org
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| hostmap:
| sectools.org
| nmap.org
| insecure.org
| seclists.org
|_secwiki.org

How it works...

The arguments --script hostmap -p80 tell Nmap to run the hostmap script and to limit port scanning to port 80, which speeds up the task. hostmap is a host script rather than a port script: it never talks to the target's HTTP port, all of its lookups go to the external services, which is why its output appears under Host script results.

This version of hostmap.nse queries two web services: BFK's DNS Logger and ip2hosts.com. BFK's DNS Logger is a free service that collects its records from public DNS data. ip2hosts.com is a service I maintain on top of Bing's Search API: it runs a Bing search for the keyword ip:<target ip>, which returns the pages the engine has indexed under that address, and extracts the hostnames from the result URLs.
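The extraction step described above, as an added example that is not code from hostmap.nse or ip2hosts.com: every result URL of an ip:<target> search is reduced to its hostname, the search engine's own navigation links are dropped, and what remains is validated and de-duplicated. The results page below is constructed for the example (the markup is invented, real search engine HTML differs), and the search URL format is an assumption; the Search API itself returns structured results rather than HTML.

```python
"""Turn a search-engine results page for "ip:<target>" into a hostname list.

Added example; not code from hostmap.nse or ip2hosts.com. It shows the
extraction step the Bing provider performs: each result URL is reduced to
its hostname, the engine's own links are dropped, and the rest is validated
and de-duplicated in order of first appearance.
"""
import re
from urllib.parse import quote_plus, urlparse

# Constructed sample results page. The markup is invented for this example;
# real search engine HTML differs and changes without notice.
SAMPLE_RESULTS_HTML = """
<ol id="results">
<li><a href="https://nmap.org/book/">Nmap Network Scanning</a></li>
<li><a href="http://SecTools.Org/">Top security tools</a></li>
<li><a href="https://nmap.org/nsedoc/">NSEDoc</a></li>
<li><a href="http://insecure.org:80/stc/">Insecure.Org</a></li>
<li><a href="https://seclists.org/nmap-dev/">Mailing lists</a></li>
<li><a href="/search?q=ip%3A74.207.254.18&amp;first=11">Next page</a></li>
<li><a href="https://www.bing.com/search?q=ip%3A74.207.254.18">Bing</a></li>
<li><a href="javascript:void(0)">Feedback</a></li>
</ol>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)
# One or more DNS labels followed by an alphabetic TLD; rejects bare IPs.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$"
)


def search_url(ip):
    """URL of the query issued for one target address (format is an assumption)."""
    return "https://www.bing.com/search?q=" + quote_plus("ip:%s" % ip)


def extract_hostnames(html, exclude_domains=("bing.com",)):
    """Return the distinct hostnames of result links, in order of first appearance."""
    found = []
    seen = set()
    for href in HREF_RE.findall(html):
        host = urlparse(href).hostname   # None for relative and javascript: links
        if not host:                     # .hostname is lowercased, port stripped
            continue
        if any(host == d or host.endswith("." + d) for d in exclude_domains):
            continue                     # the engine's own navigation links
        if not HOSTNAME_RE.match(host) or host in seen:
            continue
        seen.add(host)
        found.append(host)
    return found


def hosts_for_ip(ip, fetch):
    """Run the query through a caller-supplied fetch(url) -> html and extract hostnames."""
    return extract_hostnames(fetch(search_url(ip)))


if __name__ == "__main__":
    import sys
    from urllib.request import Request, urlopen

    def live_fetch(url):
        req = Request(url, headers={"User-Agent": "Mozilla/5.0"})
        return urlopen(req, timeout=10).read().decode("utf-8", "replace")

    # With an IP argument the query goes to the search engine; without one the
    # constructed sample page is parsed, so the script also runs offline.
    if len(sys.argv) > 1:
        hosts = hosts_for_ip(sys.argv[1], live_fetch)
    else:
        hosts = extract_hostnames(SAMPLE_RESULTS_HTML)
    print("\n".join(hosts))
```

Run without arguments to see the four hostnames pulled out of the sample page; with an address as the argument it queries the engine, which is exactly the traffic the next paragraph warns will get you banned if you send too much of it.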

Both of these services are free, and abusing them will most likely get you banned from the service. Keep in mind that both sources are passive: they report names that were seen pointing at the address at some point in the past, so verify that a hostname still resolves to the target, and that the server actually serves a different site for it, before treating it as a new application.
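One way to do that verification, as an added example that is not part of hostmap.nse: request / from the target IP once per candidate hostname with that name in the Host header, reduce each response to a fingerprint, and compare it with the response for a name the server should not know (the bare IP). Names that get the default site are stale or aliases; names with their own fingerprint are new targets. The responses in SAMPLE_RESPONSES are constructed for offline use and are not captured from any real host; fetch(), fingerprint() and classify_vhosts() are this example's own names.

```python
"""Check which discovered hostnames are distinct virtual hosts on one IP.

Added example, not part of hostmap.nse. Names obtained passively (search
engines, DNS loggers) go stale: a name may no longer point at the address, or
the server may answer it with its default site. Requesting / from the IP with
different Host headers and comparing response fingerprints separates real
virtual hosts from names that just fall through to the default site.
"""
import http.client
import re

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def fetch(ip, host, port=80, timeout=5):
    """GET / from ip with the given Host header; returns (status, location, body)."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "vhost-check"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()


def fingerprint(host, status, location, body):
    """Reduce one response to a comparable tuple.

    The requested name is masked in the Location header and the title, so a
    server that redirects every name to https://<that name>/ or echoes it in
    the title does not look like a different site per name. Body size is
    bucketed to 100 bytes so small dynamic differences (timestamps, nonces)
    do not split one site into several fingerprints.
    """
    match = TITLE_RE.search(body.decode("latin-1", "replace"))
    title = re.sub(r"\s+", " ", match.group(1)).strip() if match else ""

    def mask(text):
        return re.sub(re.escape(host), "<host>", text or "", flags=re.IGNORECASE)

    return (status, mask(location), mask(title), len(body) // 100)


def classify_vhosts(ip, hostnames, fetcher=fetch, baseline_host=None):
    """Group hostnames by fingerprint, relative to a name the server should not know.

    The baseline request sends the bare IP (or baseline_host) as Host; every
    hostname whose fingerprint equals it is served by the default site and is
    not a new target. Returns (distinct, default, errors): distinct maps a
    fingerprint to the hostnames sharing it, default lists names that got the
    default site, errors maps names to the exception that prevented a fetch.
    """
    base_name = baseline_host or ip
    baseline = fingerprint(base_name, *fetcher(ip, base_name))
    distinct, default, errors = {}, [], {}
    for name in hostnames:
        try:
            fp = fingerprint(name, *fetcher(ip, name))
        except (OSError, http.client.HTTPException) as exc:
            errors[name] = "%s: %s" % (type(exc).__name__, exc)
            continue
        if fp == baseline:
            default.append(name)
        else:
            distinct.setdefault(fp, []).append(name)
    return distinct, default, errors


# Constructed sample responses for offline use: what one server might answer
# for each Host value. Not captured from any real host.
_DEFAULT_SITE = (200, None, b"<html><title>Welcome to nginx!</title><body>default</body></html>")
_NMAP_PAGE = b"<html><title>Nmap: the Network Mapper</title><body>" + b"x" * 500 + b"</body></html>"
SAMPLE_RESPONSES = {
    "74.207.254.18": _DEFAULT_SITE,
    "nmap.org": (200, None, _NMAP_PAGE),
    "insecure.org": (200, None, _NMAP_PAGE + b"<!-- mirror -->"),  # alias of nmap.org
    "sectools.org": (200, None, b"<html><title>SecTools.Org Top Network Security Tools</title></html>"),
    "seclists.org": (301, "https://seclists.org/", b""),  # HTTPS-only vhosts look
    "secwiki.org": (301, "https://secwiki.org/", b""),    # identical on port 80
    "old.example": _DEFAULT_SITE,                          # stale name: default site
}


def sample_fetch(ip, host, port=80, timeout=5):
    """Offline stand-in for fetch() that serves SAMPLE_RESPONSES."""
    if host not in SAMPLE_RESPONSES:
        raise TimeoutError("no response recorded for Host: %s" % host)
    return SAMPLE_RESPONSES[host]


if __name__ == "__main__":
    import sys
    # Usage: python3 vhost_check.py <ip> host1 host2 ...   (no arguments: offline sample)
    if len(sys.argv) > 2:
        distinct, default, errors = classify_vhosts(sys.argv[1], sys.argv[2:])
    else:
        names = [h for h in SAMPLE_RESPONSES if h != "74.207.254.18"]
        distinct, default, errors = classify_vhosts("74.207.254.18", names, fetcher=sample_fetch)
    for fp, hosts in distinct.items():
        print("distinct site %r: %s" % (fp, ", ".join(hosts)))
    print("default site only:", ", ".join(default) or "-")
    print("errors:", errors or "-")
```

Two things to read from the output: names grouped under one fingerprint are aliases of one site, not separate targets, and a group whose fingerprint is a redirect to https://<host>/ cannot be told apart on port 80 at all; repeat the probe over TLS on 443, with the hostname as the SNI value, to separate those.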

There's more...

You can select the service provider with the script argument hostmap.provider, which accepts BING, BFK or ALL:

$ nmap -p80 --script hostmap --script-args hostmap.provider=BING <target>
$ nmap -p80 --script hostmap --script-args hostmap.provider=BFK <target>
$ nmap -p80 --script hostmap --script-args hostmap.provider=ALL <target>

To save a hostname list for each IP scanned, use the argument hostmap.prefix. Setting this argument creates a file named <prefix><target> in your working directory:

$ nmap -p80 --script hostmap --script-args hostmap.prefix=HOSTSFILE <target>

See also

  • The Gathering network information with broadcast scripts recipe in Chapter 2, Network Exploration
  • The Geolocating an IP address recipe
  • The Getting information from WHOIS records recipe
  • The Collecting valid e-mail accounts recipe
  • The Checking if a host is known for malicious activities recipe
  • The Listing protocols supported by a remote host recipe
  • The Brute forcing DNS records recipe