Discovering hostnames pointing to the same IP address
Web servers return different content depending on the hostname used in the HTTP request (the Host header), so a single IP address can serve several web applications. By discovering the other hostnames that resolve to the target's IP, penetration testers can reach web applications that are not served when the host is requested by IP alone.
This recipe shows how to enumerate the hostnames pointing to the same IP address in order to discover new targets.
How to do it...
To discover hostnames pointing to the same IP address, open your terminal and enter the following command:
$ nmap -sn --script hostmap-* <target>
The hostmap-robtex, hostmap-bfk, and hostmap-ip2hosts scripts will return all records that match the given IP address:
Nmap scan report for nmap.org (45.33.49.119)
Host is up (0.057s latency).
Other addresses for nmap.org (not scanned): 2600:3c01::f03c:91ff:fe98:ff4e
rDNS record for 45.33.49.119: ack.nmap.org
Host script results:
| hostmap-bfk:
|   hosts:
|     sectools.org
|     svn.nmap.org
|     www.secwiki...
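The hostmap-* scripts print one block per script, so the same hostname often appears several times and the scanned host itself is listed among the results. The following parser, added here as an example and not part of the recipe or of Nmap, turns the normal-format output above into a deduplicated list of additional hostnames to add to the test scope; the sample output is constructed from the excerpt above, with the hostmap-robtex block and the last hostnames made up to exercise the merge.

```python
import re

# Constructed sample input: the report excerpt from the recipe, completed with
# made-up hostnames and a second (hostmap-robtex) block in the same layout.
SAMPLE_OUTPUT = """\
Nmap scan report for nmap.org (45.33.49.119)
Host is up (0.057s latency).
Other addresses for nmap.org (not scanned): 2600:3c01::f03c:91ff:fe98:ff4e
rDNS record for 45.33.49.119: ack.nmap.org
Host script results:
| hostmap-bfk:
|   hosts:
|     sectools.org
|     svn.nmap.org
|_    wiki.example.org
| hostmap-robtex:
|   hosts:
|     nmap.org
|_    svn.nmap.org
"""

# Syntactic check for a DNS hostname; filters out script status lines
# such as "ERROR: ..." or "hosts:" that share the same indented layout.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$", re.I)


def parse_hostmap(text):
    """Return {script_name: [hostnames]} from the 'Host script results' section."""
    results, current, in_section = {}, None, False
    for line in text.splitlines():
        if line.startswith("Host script results:"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line.startswith("|"):          # next host or end of the report
            in_section, current = False, None
            continue
        body = line.lstrip("|_").strip()     # drop the "| " / "|_" gutter
        m = re.match(r"^(hostmap-[a-z0-9]+):$", body)
        if m:
            current = m.group(1)
            results.setdefault(current, [])
        elif current and HOSTNAME_RE.match(body):
            results[current].append(body.lower())
    return results


def unique_hostnames(results, exclude=()):
    """Merge every script's hosts, keeping first-seen order and dropping known names."""
    seen = {}
    for hosts in results.values():
        for h in hosts:
            if h not in exclude:
                seen.setdefault(h, None)
    return list(seen)
```

Pass the hostname you scanned in `exclude` so that only newly discovered names remain; each of them still has to be confirmed as in scope before it is tested.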