Discovering hostnames pointing to the same IP address
Web servers return different content depending on the hostname used in the HTTP request host header. By discovering new hostnames, penetration testers can access new target web applications that were inaccessible using the server's IP, thus expanding the attack surface.
This recipe shows how to discover new hostnames pointing to the same IP address.
How to do it...
- To discover hostnames pointing to the same IP address, use the following Nmap command:
$nmap -sn --script hostmap-* <target>
- The
hostmap-crtsh
script returns all records that match the given IP address by querying an external service from https://crt.sh. There were other hostmap scripts that at the moment are broken because of changes in the API, but are expected to work again in the future. If there are records on the public database, they will be included in the results:Host script results: | hostmap-crtsh: |Â Â Â subdomains...