
Multiple hosts on a shared IP


Jayze


Hi,

I was wondering how you can find out what domains and subdomains are hosted on a certain IP. You can find many tools on the internet that do the trick for you. I wonder how they find the different domains.

(e.g. http://domainbyip.com/ ) try it with this IP: 72.14.205.100

I tried through host, nslookup, dig, ... but didn't get far.

tia

Hosting companies that have multiple sites on one machine use virtual hosts, where their DNS records point to their system and match the domain name with the IP address. I don't know if there is a way to find all the virtual hosts on one IP address short of having an account on their system and being able to traverse the root directory tree (something you shouldn't be able to do if they have security set up properly). I know GoDaddy has some flaws in their hosting packages that allow you to use PHP to escape from your home directory and list all other directories one up from yours, showing you all the other virtual hosted accounts on that machine. This doesn't work on all GoDaddy accounts, but from the few I have had access to, it not only lets me leave my home directory, but I was able to scan the tree all the way from the / directory, so I could see every file PHP had access to (short of shadow and root executable files) like the bin, etc, var, dev (and so on) directories.

From the web side, domain name lookups will return an ip address, which in turn will show you the virtual host name, which in turn just gives you the ip address again, but not all the virtual hosted accounts under that IP address.

Example: go to http://samspade.org/ and punch in a website. After it gives you the IP address, click the IP address, and if it's a virtual hosted account, you should get back a different domain name than the original you started with. If clicking the IP address gives you back the original domain name you entered, then it's not on a shared hosted server/account.



Digip: Indeed, virtual hosts on 1 IP. Nice, didn't know that about GoDaddy.

Exactly, that's what I'm looking for: a way to look up all the hosts for that certain IP (without having an account). That website seems to be able to look it up, and Maltego also has the option to look for it. It's not always that accurate, but it comes close. I was wondering how they do that. Clearly with host and dig you don't get that far. I mean you can get the reverse name (if there is a PTR record), NS, A & MX records for that certain domain, but other hostnames are also pointed to that IP; how do I find them?

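The check digip describes (forward lookup, then PTR of the result, and compare) can be scripted, and the reverse-IP sites Jayze asks about are commonly built the other way round: bulk-resolve a large list of known domain names and index the answers by address. The script below is an added example, not code from any poster or from the tools mentioned; the domain names, addresses and resolver tables in it are constructed so it runs offline, and the live_* helpers show where real socket lookups would plug in.

```python
import socket
from collections import defaultdict

# Constructed sample answers standing in for real DNS responses (offline).
SAMPLE_A = {
    "example-blog.test": "203.0.113.10",
    "shop.example.test": "203.0.113.10",
    "www.example.test": "203.0.113.10",
    "single.test": "203.0.113.20",
}
SAMPLE_PTR = {
    "203.0.113.10": "shared-host-1.hoster.test",  # generic hoster PTR name
    "203.0.113.20": "single.test",                # PTR matches the domain
}

def forward(name, table=SAMPLE_A):
    # Hypothetical resolver backed by the constructed table.
    return table.get(name)

def reverse(ip, table=SAMPLE_PTR):
    # Hypothetical PTR lookup backed by the constructed table.
    return table.get(ip)

def live_forward(name):
    # Real A lookup for use outside the example; None if the name does not resolve.
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def live_reverse(ip):
    # Real PTR lookup; None when no PTR record exists.
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def looks_shared(domain, fwd=forward, rev=reverse):
    """Sam Spade-style check: if the PTR name of the domain's address differs
    from the domain, the address is probably a shared virtual host.
    Returns True/False, or None when the A or PTR record is missing."""
    ip = fwd(domain)
    ptr = rev(ip) if ip else None
    if ptr is None:
        return None
    return ptr.rstrip(".").lower() != domain.rstrip(".").lower()

def index_by_ip(domains, fwd=forward):
    """Reverse-IP index: resolve every known name and group names by address."""
    index = defaultdict(set)
    for name in domains:
        ip = fwd(name)
        if ip:
            index[ip].add(name)
    return {ip: sorted(names) for ip, names in index.items()}
```

Pass live_forward and live_reverse as fwd and rev to run the same logic against real DNS; an index is only as complete as the domain list fed into it, which is why such sites are "not always that accurate".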


NSLOOKUP sometimes can pull down all the names, but only if they allow the downloading and querying of the records. Not all hosts will allow this, and virtual hosts usually block this.

Here is what you can try though.

If on windows, open a command prompt. Type in "nslookup" and hit enter.

Then type "server xx.xx.xx.xx" where xx.xx.xx.xx is the IP address of the site's name server you want to query (or just use its name, like somesite.com).

Then type "set type=any" and hit enter.

Then type "ls -d site.com" and hit enter. It should now show you the site and any subdomains if listed, but only if they accept the query. This does not work everywhere, but give it a shot.
