Discovering hostnames pointing to the same IP address

Web servers return different content depending on the hostname used in the HTTP request. By discovering new hostnames, penetration testers can access new target web applications that were inaccessible using the server's IP.

This recipe shows how to enumerate all hostnames pointing to the same IP , in order to discover new targets.

Getting ready

The script hostmap depends on external services, and the official version only supports BFK's DNS Logger. In my experience, this service works great for popular servers but not so much for the others. For this reason I created my own version of hostmap.nse that adds a new service provider: ip2hosts.com. This service uses Bing's Search API and often returns ...

Get Nmap 6: Network Exploration and Security Auditing Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Nmap 6: Network Exploration and Security Auditing Cookbook by Paulino Calderon Pale

Discovering hostnames pointing to the same IP address

Getting ready

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly