The Web Local

hostmap

The hostmap host name discovery tool is a utility designed to discover the host names related to a given IP address: generally speaking, all application-level host names related to a server (for example, DNS names and HTTP virtual hosts).

In the real world an IP address can be registered in a DNS server with multiple host names, because it has aliases or because it is hosting a number of websites.

A user, or a penetration tester, who needs to test the security of a machine needs to know all of its host names (and, importantly, which ones are in the agreed scope!). These are needed to achieve a complete test of the system, because several applications, for example the web server, expose a different attack surface (in that case, a virtual host) for each host name requested, so each one must be fully tested.

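The point above, one address carrying many names through aliases, and the scope question it raises, as an added example (not hostmap's own code). It uses a constructed zone with hypothetical names under the reserved .test TLD, walks CNAME chains to find every name that lands on an address, and splits the result against an agreed scope list:

```ruby
# Added example, not part of hostmap: given a small constructed zone, list
# every host name that resolves to an IP address, following CNAME aliases,
# then split the list into names inside and outside an agreed test scope.

# Constructed zone data (hypothetical names under .test, not real records).
# Each entry maps a name to [record type, value].
ZONE = {
  "example.test"       => ["A",     "192.0.2.10"],
  "www.example.test"   => ["CNAME", "example.test"],
  "shop.example.test"  => ["CNAME", "www.example.test"],  # alias of an alias
  "mail.example.test"  => ["A",     "192.0.2.25"],
  "old.partner.test"   => ["CNAME", "example.test"],      # another domain pointing here
  "loop1.example.test" => ["CNAME", "loop2.example.test"], # broken: CNAME loop
  "loop2.example.test" => ["CNAME", "loop1.example.test"],
}.freeze

# Resolve a name to the address of its A record, following CNAME aliases.
# Returns nil for unknown names and for CNAME loops or chains longer than max_hops.
def resolve(zone, name, max_hops = 8)
  seen = []
  current = name
  max_hops.times do
    return nil if seen.include?(current)
    seen << current
    type, value = zone[current]
    return nil if type.nil?          # name not in the zone
    return value if type == "A"
    current = value                  # CNAME: follow the alias target
  end
  nil
end

# All names in the zone that resolve, directly or through aliases, to ip.
def hostnames_for(zone, ip)
  zone.keys.select { |name| resolve(zone, name) == ip }.sort
end

# A scope entry is either an exact name or a wildcard such as "*.example.test",
# which covers any name under that suffix (but not the bare apex).
def in_scope?(name, scope)
  scope.any? do |entry|
    if entry.start_with?("*.")
      name.end_with?(entry[1..-1])
    else
      name == entry
    end
  end
end

# Returns [in_scope_names, out_of_scope_names].
def partition_by_scope(names, scope)
  names.partition { |name| in_scope?(name, scope) }
end

if __FILE__ == $PROGRAM_NAME
  scope = ["example.test", "*.example.test"]
  names = hostnames_for(ZONE, "192.0.2.10")
  inside, outside = partition_by_scope(names, scope)
  puts "Host names for 192.0.2.10: #{names.join(', ')}"
  puts "In scope:     #{inside.join(', ')}"
  puts "Out of scope: #{outside.join(', ')}"
end
```

Run it with `ruby` and the sample prints four names for 192.0.2.10, of which `old.partner.test` lands outside the scope even though it points at the same server; the CNAME loop names are skipped rather than hanging the resolver.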

A number of resources are checked to help with discovery:

  • Microsoft Bing (with and without search API)
  • MIT GPG key server: http://pgp.mit.edu:11371
  • DNS/WHOIS databases:
      • DNShistory: http://dnshistory.org
      • Domainsdb: http://www.domainsdb.net/
      • Bfk.de: http://www.bfk.de/
      • Gigablast: http://www.gigablast.com
      • Netcraft: http://searchdns.netcraft.com
      • Robtex: http://www.robtex.com
      • Tomdns: http://www.tomdns.net
      • Web-max: http://www.web-max.ca

It is available from here


Pre-Requisites

Ruby

Installation

Download and extract, then execute


Execution

hostmap.rb [options] -t [target]

Target options:
  -t, --target [STRING]          Set target domain

Discovery options:
  --with-zonetransfer            Enable DNS zone transfer check
  --without-bruteforce           Disable DNS bruteforcing
  --without-dnsexpansion         Disable DNS TLD expansion
  --bruteforce-level [STRING]    Bruteforce aggressivity: lite, custom or full (default is lite)
  --without-be-paranoid          Don't check the results consistency
  --http-ports [STRING]          Comma separated list of custom HTTP ports to check
  --only-passive                 Passive discovery, NO network activity on target network
  --timeout [STRING]             Plugin timeout

Networking options:
  -d, --dns [STRING]             Comma separated list of DNS servers/IP addresses to use instead of system defaults

Output options:
  --print-maltego                Set output formatted for Maltego
  -v, --verbose                  Set verbose mode
  -h, --help                     Show this help message

Expected Output:


C:\hostmap-0.2.1>ruby hostmap.rb -t 66.35.45.201
hostmap 0.2.1 codename fissatina
Coded by Alessandro `jekil` Tanasi <alessandro@tanasi.it>

[2010-01-10 18:16] Found new domain sans.org
[2010-01-10 18:16] Found new hostname sans.org
[2010-01-10 18:16] Found new hostname www.sans.org
[2010-01-10 18:17] Detected a wildcard entry in X.509 certificate for: *.sans.org
[2010-01-10 18:17] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[2010-01-10 18:17] Found new mail server mail1.sans.org
[2010-01-10 18:17] Found new nameserver ns1.dshield.org
[2010-01-10 18:17] Found new mail server iceman12-ext.giac.net
[2010-01-10 18:17] Found new nameserver ns2.dshield.org
[2010-01-10 18:17] Found new nameserver dns1c.den.giac.net
[2010-01-10 18:18] Found new nameserver ns1.giac.net
Results for 66.35.45.201
Served by name server (probably)
ns1.dshield.org
ns2.dshield.org
dns1c.den.giac.net
ns1.giac.net
Served by mail exchange (probably)
mail1.sans.org
iceman12-ext.giac.net
Hostnames:
www.sans.org
sans.org
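The run above is easier to work with as data than as a scrolling log. The following added example (not hostmap's own code) parses the lines hostmap prints into a structured result, rebuilds the "Results for" summary in the same layout, and lists the reported hosts that do not sit under any discovered domain; the sample input is the log from the run above, embedded as a constructed string, and the "foreign host" check is my own illustration of the kind of consistency review the `--without-be-paranoid` option hints at, not the tool's implementation of it:

```ruby
# Added example, not hostmap's own code: parse the lines hostmap prints during
# a run into a structured result, rebuild its "Results for" summary, and flag
# discovered hosts that fall outside the discovered domains (the kind of
# consistency check a reviewer wants before anything goes into a scope list).

# Constructed sample: the lines from the run shown above, with the summary removed.
SAMPLE_OUTPUT = <<~LOG
  hostmap 0.2.1 codename fissatina
  Coded by Alessandro `jekil` Tanasi <alessandro@tanasi.it>

  [2010-01-10 18:16] Found new domain sans.org
  [2010-01-10 18:16] Found new hostname sans.org
  [2010-01-10 18:16] Found new hostname www.sans.org
  [2010-01-10 18:17] Detected a wildcard entry in X.509 certificate for: *.sans.org
  [2010-01-10 18:17] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
  [2010-01-10 18:17] Found new mail server mail1.sans.org
  [2010-01-10 18:17] Found new nameserver ns1.dshield.org
  [2010-01-10 18:17] Found new mail server iceman12-ext.giac.net
  [2010-01-10 18:17] Found new nameserver ns2.dshield.org
  [2010-01-10 18:17] Found new nameserver dns1c.den.giac.net
  [2010-01-10 18:18] Found new nameserver ns1.giac.net
LOG

TIMESTAMPED = /\A\[(?<ts>[^\]]+)\] (?<msg>.*)\z/
FOUND       = /\AFound new (?<kind>domain|hostname|mail server|nameserver) (?<value>\S+)\z/
WILDCARD    = /\ADetected a wildcard entry in X\.509 certificate for: (?<value>\S+)\z/
KIND_KEYS   = { "domain" => :domains, "hostname" => :hostnames,
                "mail server" => :mail_servers, "nameserver" => :nameservers }.freeze

# Turn the log text into a hash of deduplicated findings.
def parse_hostmap_output(text)
  result = { domains: [], hostnames: [], mail_servers: [], nameservers: [],
             wildcards: [], skipped: [] }
  text.each_line do |raw|
    m = TIMESTAMPED.match(raw.chomp)
    next if m.nil?                      # banner and blank lines carry no findings
    msg = m[:msg]
    if (found = FOUND.match(msg))
      key = KIND_KEYS.fetch(found[:kind])
      result[key] << found[:value] unless result[key].include?(found[:value])
    elsif (wild = WILDCARD.match(msg))
      result[:wildcards] << wild[:value]
    elsif msg.start_with?("Skipping ")
      result[:skipped] << msg           # checks that were not run, e.g. zone transfer
    end
  end
  result
end

# Does name sit under (or equal) one of the discovered domains?
def under_domain?(name, domains)
  domains.any? { |d| name == d || name.end_with?(".#{d}") }
end

# Hosts reported for the target that do not belong to any discovered domain.
# In the sample these are the giac.net / dshield.org name and mail servers:
# real infrastructure, but not necessarily the same owner or the same scope.
def foreign_hosts(r)
  (r[:hostnames] + r[:mail_servers] + r[:nameservers])
    .reject { |h| under_domain?(h, r[:domains]) }
    .sort
end

# Rebuild the summary block in the layout hostmap prints.
def format_summary(ip, r)
  lines = ["Results for #{ip}"]
  lines << "Served by name server (probably)" << r[:nameservers]
  lines << "Served by mail exchange (probably)" << r[:mail_servers]
  lines << "Hostnames:" << r[:hostnames]
  lines.flatten.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  parsed = parse_hostmap_output(SAMPLE_OUTPUT)
  puts format_summary("66.35.45.201", parsed)
  puts "Wildcard certificates: #{parsed[:wildcards].join(', ')}"
  puts "Not under a discovered domain: #{foreign_hosts(parsed).join(', ')}"
  parsed[:skipped].each { |s| puts "Note: #{s}" }
end
```

The parser keys on the exact message prefixes hostmap 0.2.1 prints, so a different release may need the regular expressions adjusted; the `skipped` list is worth surfacing because a check that did not run (here the zone transfer) is a gap in the result, not evidence that nothing was there.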