Finding Sites?

[Guest]

Just a quick question, how would you go about finding out all the sites that are hosted on a certain web host?

[stingwray]

I can't think of a system of find all the sites hosted by a certain web host unless the web host has a list of them so that you can look at them. So do this I know because they like to show off their clients and to prove that people are using them.

You could probably find out if a site is hosted by a web host by some poking around and looking at various information you can gain easily. But you'll have to do that on a site basis which I take it you don't want to do.

[Sparda]

You could scan a hosts IP block, and try a connect() scan on port 80, that would be

nmap -p 80 192.168.0.0-255

wouldn't it?

[nbr]

You could scan a hosts IP block, and try a connect() scan on port 80, that would be

nmap -p 80 192.168.0.0-255

wouldn't it?

i think that he wants to know how to get the usernames of a web host that provides a web space....host.com/username/...

so that wouldnt work!

(sorry bad english)

[metatron]

Just walk into their main offices and get them. (Use the force.)

[stingwray]

Ok, well the host is likely to use a block of IPs that they have bought, and find them out would be to hard, as you can find the IP of one site and then scan around that range.

The only problem with that is that wouldn't give you what sites are hosting on them, as they would likely to be running more than one website on a server. So you would have a list of their servers but not sites.

[Sparda]

Thats why you use the whois database to see who hosts it, the whois database will offten tell you there IP range as well.

[Sammael]

You may be able to find the IP of the host by signing up for a free account. The host I use just gave me the IP address to use when uploading. Others might not work like this though. Just a thought.

[tonysathre]

Goto http://www.domaintools.com and use there Whois query.

[rFayjW98ciLoNQLDZmFRKD]

Just walk into their main offices and get them. (Use the force.)

<scarcasm> <not_recomended> Run and Gun! You may go to jail, or get the deth penity, or get shot as well, but you will have the Domain! :-) </not_recomended> </scarcasm>

[Guest]

Goto http://www.domaintools.com and use there Whois query.

I just found that link and it does exactly what i wanted, its in the reverse lookup. But i would still like to know how this site is actually doing this. The only way i can think of is sending a certain query to one of the services that they have running that makes that service tell you what domains are parked with them.

[jalada]

Goto http://www.domaintools.com and use there Whois query.

I just found that link and it does exactly what i wanted, its in the reverse lookup. But i would still like to know how this site is actually doing this. The only way i can think of is sending a certain query to one of the services that they have running that makes that service tell you what domains are parked with them.

I was just about to say reverse lookup.

Well as DNS servers have a record of all the host -> IP address records, I guess it would just be a case of building up a record of all the hostnames with the same IP address?

[Guest]

yeh it would be, but how do you tell the server to dumb the hostnames that it has in its record?

[stingwray]

yeh it would be, but how do you tell the server to dumb the hostnames that it has in its record?

A machine has one host name, to run multiple websites on a single server the application, as in Apache or IIS will look at the request and the respond with the correct website. So if I ask it for xyz.com then it returns xyz.com, but if asked for abc.com then it will return abc.com and so on.

I can't see a way other than using an exploit for the server software to gain the list (that is practical).

Also I can't see why you would need to do this.

[Guest]

The reasion to do it isnt actually ethical, thats why i didnt say. It wouldnt be through anexploit though. If you try to park a domain that is already parked on another server it wont let you, which says there must be some kind of way to know if a domain is parked on a certain server.

[cooper]

Actually, you can set up a virtual host for your home machine if you want to.

Try it.

Make that virtual host in Apache and put that machine's IP in your hosts file as www.microsoft.com

Then go there using your browser. It'll cough up your home machine.

The problem is that when you're on the internet, the DNS servers provide the authorotive answer as to which IP will serve the request for a given host. And unless that's pointing at your box, you won't be seeing that traffic.

[Guest]

that still doesnt answer how you would do it, we know it can be done because http://www.domaintools.com have a tool that does it. So the question is still how do they actually do it.

[stingwray]

Perhaps were not answering your question well because either we don't understand your question because you don't write it correctly or leave details out or you don't know what you want for an answer.

[cooper]

Well, what you should've done was read the DNS RFCs. RFC1035 appears to be particularly interesting.

Everybody knows that a DNS server can do PURTY_NAME -> IP

RFC1035 defines PTR records for DNS. They do the exact opposite.

On Linux we have this WONDERFUL program called 'dig' (Domain Information Groper). If you want to see what a DNS server answers when you ask for PURTY_NAME, you run 'dig PURTY_NAME' and you get a listing of the full DNS record for that name, including the name servers that are authoritive for it and some other bits and pieces.

Now take the IP address you've gotten for that host and do a reverse DNS lookup. That's done with 'dig -x IP'. You'll get all the domain names that are served by that IP address if the server has its DNS records setup properly (and many of them don't).

I would reckon that the best reason why DNS operators that have a LOT of hosts on a given IP DON'T support the spitting out all the records associated with it is security related. A great way to DDOS someone is to send data to an alternate server, and let it send its response to your DDOS target, preferably sending more data to your target than you sent to it.

DNS uses UDP which is connectionless. You just fire your packets away and hope they arrive in one piece. If not, the requester of the data will simply ask again.

If there's a DNS query you can ask that's 100 bytes long, and the server responds with, say, 10000 bytes of data, all you need to DOS someone is to modify your DNS request so that it appears as if it came from the target machine. Send the request out a couple of zillion times and wait for the DNS server to flood your target's line while you continue properly seeding the Hak.5 DVD.

[Guest]

Perhaps were not answering your question well because either we don't understand your question because you don't write it correctly or leave details out or you don't know what you want for an answer.

The question was actually answered with a site that will give you the info you need. THat is good and does what i want. But I would still like to actually know how that site does it. Maybe next time if you cant actually add something to the post you dont just post some random shit. Oh and cooper thanx for the reply I didnt know about that dig command, but the options you gave me still dont actually give me the answers. Ill look into the other options you can send with dig to see if i can pull down the info i need.