There are a number of ways to own a webapp. In a shared environment, an attacker can enumerate all the applications accessible and target the weakest one to root the server and with it all the webapps on the box. To try and emulate this approach on a pentest, we have to find ALL THE VHOSTS.
This natty Python 2 script scrapes a series of web applications (including Bing and yougetsignal’s database) and looks at Subject Alternative Names in the SSL certificate to find as many web applications that resolve to an IP address as possible. No guarantees are made as to the completeness or accuracy of the data, but it’s the best we can do. It can give an insight into the attack surface associated with a given IP address, allowing testers to advise clients in situations where the risk is out of their control.
Usage and example
$ python2 allthevhosts.py 18.104.22.168
[+] bing search complete
[+] myipneighbours Search Complete
[E]ipneighbour search error.
[+] yougetsignal Search Complete
[+] SAN enumeration complete.
[+] resolved original addresss...
[+] verifying that 8 found URLs resolve to the same address
[+] all URLs resolved
www.portcullis-security.com
labs.portcullis.co.uk
www.portcullis.co.uk
ctads.net
portcullis-forensics.com
portcullis-security.com
portcullis.co.uk
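The last two stages in the output above (SAN enumeration, then verifying that found names resolve to the same address) can be sketched as follows. This is an added Python 3 example, not code from allthevhosts.py. The function names, the wildcard handling, and the sample certificate and DNS data are assumptions constructed for illustration.

```python
import socket

def san_dns_names(cert):
    """DNS names from a certificate dict shaped like ssl.SSLSocket.getpeercert()."""
    names = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue  # skip "IP Address", "URI" and other SAN types
        name = value.lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]  # assumption: treat a wildcard's parent domain as a candidate
        if name:
            names.add(name)
    return names

def system_resolver(host):
    """Default resolver: the IPv4 addresses the local resolver returns, or an empty set."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except (OSError, UnicodeError):
        return set()

def verify_vhosts(target_ip, candidates, resolve=system_resolver):
    """Split candidates into names that resolve to target_ip and names that do not."""
    confirmed, rejected = [], []
    for host in sorted(set(candidates)):
        (confirmed if target_ip in resolve(host) else rejected).append(host)
    return confirmed, rejected

# Constructed sample data (documentation address ranges and example domains).
SAMPLE_CERT = {"subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.org"),
                                  ("DNS", "Shop.Example.net."), ("IP Address", "192.0.2.10"))}
SAMPLE_DNS = {"www.example.com": {"192.0.2.10"},
              "example.org": {"192.0.2.10", "192.0.2.11"},
              "shop.example.net": {"198.51.100.7"}}

def demo():
    scraped = ["www.example.com", "stale.example.com"]  # stands in for reverse-IP database hits
    candidates = san_dns_names(SAMPLE_CERT) | set(scraped)
    return verify_vhosts("192.0.2.10", candidates,
                         resolve=lambda host: SAMPLE_DNS.get(host, set()))

if __name__ == "__main__":
    confirmed, rejected = demo()
    print("resolve to target:", confirmed)
    print("dropped as stale or elsewhere:", rejected)
```

The resolution check is what removes stale reverse-IP database entries and SAN names that are served from a different address, which is why the tool's final list can be shorter than the number of names it found.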