Virtual Host Enumeration for fun and profit
The following will allow you to do virtual host discovery using the Bing API
Step 1: Find the web servers you are interested in using NMAP
nmap -PN -p 80 --open -oG - 192.168.1.0/24 | awk '$NF~/http/{print $2}' > webservers
Substitute the IP address range you want in the above command and whatever you want the file name to be
Step 2: If you don’t already have a Bing API key, get one. The free API key allows you to do 5,000 transactions per month. If you need to do more, there are paid tiers.
https://datamarket.azure.com/dataset/bing/search#
Step 3: I found a Python script that works; its usage is a little bit funky, so I will be modifying it when I find some time.
https://bitbucket.org/holiman/ipsearch/downloads
Step 4: Create a text file and put your API key into it, i.e. vi key.txt
Step 5: Run the following command to search Bing for the IP addresses in the file you created in step 1. This outputs a text file called URLS that can then be used with EyeWitness
cat webservers | python bingIP.py -b key.txt | awk '{ print $3 }' > URLS
Step 6: If you don’t already have EyeWitness to capture screenshots, download it
git clone https://github.com/ChrisTruncer/EyeWitness.git
Step 7: Run EyeWitness to get screen captures of all the virtual hosts
./EyeWitness.py --web -f URLS
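
Steps 1 and 5 both rely on awk one-liners that pick a column by position. The sketch below is an added example, not part of the original post or of bingIP.py: open_hosts reads the port state from the grepable Ports: field (which goes beyond the single-port case and also holds for multi-port scans), and unique_sites collapses the URL list to one entry per site before screenshots are taken. The function names, the sample data and the one-URL-per-line layout of the URLS file are assumptions.

```shell
# Added example: tidy the inputs and outputs of the Nmap and Bing steps.

# Print the IP of each host whose grepable (-oG) Ports field lists the
# given TCP port as open. Reads nmap -oG output on stdin.
open_hosts() {
    awk -v port="${1:-80}" '
        /^Host: / && /Ports: / {
            ip = $2
            sub(/^.*Ports: /, "")   # keep only the port list
            sub(/\t.*$/, "")        # drop trailing fields such as Ignored State
            n = split($0, entries, /, */)
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")   # port/state/protocol/owner/service
                if (f[1] == port && f[2] == "open" && f[3] == "tcp") {
                    print ip; break
                }
            }
        }'
}

# Collapse a list of URLs or bare hostnames (one per line, assumed layout of
# the URLS file) to unique scheme://host[:port] entries, first seen first.
unique_sites() {
    awk '
        NF == 0 { next }
        {
            url = $1
            if (tolower(url) !~ "^https?://") url = "http://" url
            scheme = url; sub("://.*$", "", scheme)
            rest = url;   sub("^[^:]*://", "", rest)
            sub("[/?#].*$", "", rest)   # drop path, query and fragment
            site = tolower(scheme "://" rest)
            if (!(site in seen)) { seen[site] = 1; print site }
        }'
}

# Constructed sample data (addresses and hostnames are made up).
SAMPLE_GNMAP=$(printf '%b\n' \
    'Host: 192.168.1.5 ()\tStatus: Up' \
    'Host: 192.168.1.5 ()\tPorts: 80/open/tcp//http///' \
    'Host: 192.168.1.9 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (1)' \
    'Host: 192.168.1.12 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///')
SAMPLE_URLS='http://intranet.example.test/
http://intranet.example.test/login.aspx?next=/
https://Shop.example.test:8443/cart
wiki.example.test
http://wiki.example.test/index.php#top'
printf '%s\n' "$SAMPLE_GNMAP" | open_hosts 80
printf '%s\n' "$SAMPLE_URLS" | unique_sites
```

The third sample host is one where a match on the last whitespace-separated field would fail because an Ignored State field follows the port list, and the fourth is one where port 80 is closed even though the line mentions http.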