Research and Development

There are a number of ways to own a webapp. In a shared environment, an attacker can enumerate all the applications accessible and target the weakest one to root the server and with it all the webapps on the box. To try and emulate this approach on a pentest, we have to find ALL THE VHOSTS.

Key features

This natty python 2 script scrapes a series of web applications (including bing and yougetsignal’s database) and looks at Subject Alternative Names in the SSL certificate to find as many web applications which resolve to an IP address as possible. No guarantees are made as to the completeness or accuracy of the data, but it’s the best we can do. It can give an insight into the attack surface associated with a given IP address, allowing testers to advise client in situations where the risk is out of their control.

Usage and example

$ python2
[+] bing search complete
[+] myipneighbours Search Complete
[E]ipneighbour search error.
[+] yougetsignal Search Complete
[+] SAN enumeration complete.
[+] resolved original addresss...
[+] verifying that 8 found URLs resolve to the same address
[+] all URLs resolved
Allthevhosts Tar
November 4, 2013
1.7 KiB
MD5 hash: be3c25a78d89f9b5234689250824fbed

Request to be added to the Portcullis Labs newsletter

We will email you whenever a new tool, or post is added to the site.

Your Name (required)

Your Email (required)