Use a reverse IP domain lookup to find all the hostname records associated with an IP address. The results can identify virtual hosts served by a web server. When identifying vulnerabilities on a server, the information gathered can be used to broaden the attack surface.
What precisely is a Reverse IP Lookup?
Reverse IP Lookup is a method for identifying hostnames whose DNS (A) records point to a given IP address.
A web server can serve multiple virtual hosts from a single IP address. This is common in shared hosting environments and in many organizations, and it can be an excellent way to broaden the attack surface during web server surveys. For example, if your primary target website appears to be secure, you might gain access to the underlying operating system by attacking a less secure site on the same server, potentially circumventing the target site's security controls.
- CIDR Lookup
The Reverse IP lookup query can be used not only to find web hosts on a single IP address but also against a CIDR network block. Search for hosts using up to a /24 range of public IP addresses.
- Bing IP Reverse Search
There are few reasons to use Bing, but the Bing reverse IP search is occasionally one. Bing is the only major search engine that provides a search query that resolves hostnames from an IP address.
A few years ago this was a popular method for locating virtual web hosts from an IP address. The search query is simple to use; here is an illustration.
ip:254.32.x.x
A query like the one in the example returns results from hosts whose IP address matches the query. Bing answers these reverse IP lookups from its search index, and the query is still available today.
Popular Applications for Reverse IP Lookup
- Blue and Red Team Exploration of Attack Surfaces
When attacking a host, one of the first things you'll do is try to
identify the host's attack surface. After determining the attack surface, the
next step is to list the applications and services in use. Following
enumeration, a skilled penetration tester can identify weak points where
vulnerabilities can be exploited.
Using the Reverse IP Lookup technique, it is possible to identify
websites on the host that may contain exploitable vulnerabilities. Even if no
vulnerabilities exist, information disclosure can be used to increase the
penetration tester's understanding of the target. Identifying additional
hostnames related to the target helps inform the information discovery cycle
because the new hostnames may have additional DNS records that point to new
target hosts.
- Threat Intelligence and Incident Response
A reverse IP lookup can identify hostnames associated with an attacking
system, whether responding to an incident, identifying a botnet C2, or simply
tracking down noisy Internet scanning. These findings can help to inform the
investigation and lead to new sources of information.
- Web Hosting Is Oversubscribed
When you buy web hosting in a shared hosting environment, the web host
provider sells small amounts of server resources to a number of websites. The
web host provider may oversubscribe or sell more websites than the server can
handle to save money. This is common with less expensive shared hosting providers,
where a single web server can host thousands of small websites. You can find
out how many sites share that host using the reverse IP address lookup.
- The Reputation of Web Hosting
Poorly rated hosts can impact email delivery, blacklisting, and search engine
ranking. To identify other sites on your host, use the reverse IP address
lookup service. Then, using investigative tools, determine whether these other
hosts are of poor quality, possibly even spam or phishing sites.
A reverse DNS lookup differs from the more commonly used meaning of a reverse IP domain lookup. In a reverse DNS lookup, a DNS server is queried to see whether the IP address has a PTR record associated with it. That PTR record is assigned by the owner of the IP address block.
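As an added example (not code from the original post), the Python below builds a reverse IP index from constructed forward A records, answers single-IP and /24 CIDR queries as described in the CIDR Lookup section, and contrasts that with the PTR-based reverse DNS lookup described above. All hostnames and PTR names are constructed for illustration and the addresses come from RFC 5737 documentation ranges.

```python
"""Reverse IP lookup (index of forward A records) versus reverse DNS (PTR)."""
import ipaddress
from collections import defaultdict

# Constructed forward DNS A records: hostname -> IPv4 address (RFC 5737 test ranges).
A_RECORDS = {
    "shop.example.com": "192.0.2.10",
    "blog.example.com": "192.0.2.10",
    "old-cms.example.net": "192.0.2.10",
    "mail.example.org": "192.0.2.25",
    "www.example.org": "198.51.100.7",
}

# Constructed PTR records as a block owner might publish them. 192.0.2.10 carries one
# generic PTR name even though three virtual hosts are served from it.
PTR_RECORDS = {
    "192.0.2.10": "srv-10.hosting.example",
    "198.51.100.7": "www.example.org",
}


def build_reverse_index(a_records):
    """Invert forward A records into {IPv4Address: sorted list of hostnames}."""
    index = defaultdict(set)
    for hostname, ip in a_records.items():
        index[ipaddress.ip_address(ip)].add(hostname)
    return {ip: sorted(hosts) for ip, hosts in index.items()}


def reverse_ip_lookup(index, target):
    """Hostnames whose A record points at an IP or anywhere inside a CIDR block.

    `target` is a single address ("192.0.2.10") or a network ("192.0.2.0/24").
    Blocks wider than a /24 are refused, matching the limit stated in the post.
    """
    net = ipaddress.ip_network(target, strict=False)
    if net.prefixlen < 24:
        raise ValueError("lookup limited to a /24 or smaller block")
    return {str(ip): index[ip] for ip in sorted(index) if ip in net}


def reverse_dns_lookup(ptr_records, ip):
    """Reverse DNS: the single PTR name the block owner assigned, or None."""
    return ptr_records.get(str(ipaddress.ip_address(ip)))
```

Querying 192.0.2.10 through the index returns all three virtual hosts, while the PTR lookup for the same address returns only the hosting provider's generic name, which is why reverse DNS alone misses shared-host sites.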