A web server with no hidden vhosts

During a recent test we observed a number of web servers that had a number vhosts configured, only some of which were discoverable from public DNS records. Internal DNS servers were configured to resolve the remaining ‘hidden’ vhosts served by the web server.



Unfortunately, the hosts were not configured to disallow access to non-internal addresses, meaning the only thing restricting access to the ‘hidden’ vhosts was the lack of DNS resolution. To quickly enumerate configured vhosts, I wrote a small Perl script that takes two arguments - a file containing a list of IP addresses (targets), and a file containing a list of hostnames. Optionally, you can also pass an option specifying a domain name to append, allowing you to have your hosts file contain just common entries that can be used against any target.



./vhostchecker.pl -i ips.txt -h hosts.txt --append .cyberis.co.uk [INFO] Read 1 IP's from file "ips.txt" [INFO] Read 18 vhosts from file "hosts.txt" Checking IP: 95.142.175.1 [C:301 L:233 R:http://www.cyberis.co.uk/] Checking VHOST against 95.142.175.1: staging.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/] Checking VHOST against 95.142.175.1: prelive.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/] Checking VHOST against 95.142.175.1: pre-live.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/] Checking VHOST against 95.142.175.1: test.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/] Checking VHOST against 95.142.175.1: www.cyberis.co.uk [C:200 L:14496]



The script will show the differing responses between requests, and the length of each, allowing you to quickly identify vhosts of interest, regardless of whether there is an associated DNS entry. If you find something, just be sure to create a static host entry before viewing in a browser!



Any feedback, improvements or comments, please use the comments field below.



Source code and common vhosts available from Github: https://github.com/cyberisltd/VHOSTChecker