Exegesis of Virtual Hosts Hacking

This is the first paper written on the topic of virtual hosts hacking. It covers basic skills such as passive discovery techniques and (almost) stealth active discovery techniques. It also presents possible scenarios of exploitation.

Exegesis of Virtual Hosts Hacking was an experiment. The topic of hacking virtual hosts has been covered very vaguely in the past, IMHO. This is the reason why Adrian Pastor and I decided to develop standard techniques which can be implemented into our personal toolkits. Of course this led to a paper, which you can read now.

Investigating the virtual hosts that a web server may have is quite important when performing penetration testing. In order to gain access to a particular site, the attacker may not always go through the front door but may choose to enter through the back door: in our case, other virtual hosts. The most interesting bit of the paper is the actual investigation we conducted at the time of writing. I am not completely sure how many readers realized the types of security implications that lie behind the virtual hosting architecture.

Here is a snippet from the paper:

There is a lot that we can say about finding virtual hosts from a given IP address. Sometimes this task is straightforward, other times a bit of thinking is required. However, in general it is not a mission impossible.

During the last few years, domain name databases have emerged like mushrooms after a rainy day. This has certainly increased the awareness among security professionals about the possibility of using virtual hosts as backdoors when testing the security of a given organization. In reality, a good attacker will try to break into your organization by knocking on the not-so-obvious doors.

The process of getting all valuable virtual hosts usually falls into the passive enumeration-gathering practices and is based on querying databases from the public sector. However, we will also look at some active enumeration techniques for finding virtual hosts.

In the following subsection we will discuss how to find virtual hosts by querying public databases and actively probing the domain name system (DNS) and the HTTP protocol itself.
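To make the active side of the approach concrete for readers auditing their own infrastructure, here is an added example that is not code from the paper or from its authors. It implements the HTTP half of active discovery as described above: the same request is sent to one IP address with different Host header values, and the responses are reduced to a small fingerprint so that names the server actually recognises stand out from those that fall through to the default virtual host. A defender can run it against a server they own to find forgotten or stale virtual hosts that still answer. The host names, IP address and responses in the sample are constructed for the demonstration (the example.com names are reserved documentation names, not real targets).

```python
"""Active virtual-host discovery over HTTP: vary only the Host header and
compare what comes back.  Added example; not part of the original paper."""
import socket
from collections import defaultdict


def build_request(host, path="/"):
    """Build a minimal HTTP/1.1 request whose only variable part is Host."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: vhost-audit/0.1\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def fingerprint(raw):
    """Reduce a raw HTTP response to (status, content length, Location).

    Two Host values that give the same fingerprint were most likely answered
    by the same (default) virtual host; a different fingerprint means the
    server treated that name specially, i.e. it is configured for it.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1", "replace").split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    length = len(body)          # fallback when no Content-Length is sent
    location = ""
    for line in lines[1:]:
        name, _, value = line.decode("latin-1", "replace").partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "content-length" and value.isdigit():
            length = int(value)
        elif name == "location":
            location = value
    return (status, length, location)


def probe(ip, host, port=80, timeout=5.0):
    """Send one request to `ip` with the given Host header; return raw bytes.

    Network access is only needed here; the analysis functions below work on
    captured responses and are what the offline sample exercises.
    """
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sock.sendall(build_request(host))
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def group_by_response(responses):
    """responses: {hostname: raw_response}.  Returns {fingerprint: [hosts]}."""
    groups = defaultdict(list)
    for host, raw in responses.items():
        groups[fingerprint(raw)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


def distinct_hosts(responses, baseline_host):
    """Names whose response differs from the baseline.

    The baseline should be a name the server cannot possibly know (here a
    .invalid name), so it shows what the default virtual host returns.
    """
    base = fingerprint(responses[baseline_host])
    return sorted(
        host for host, raw in responses.items()
        if host != baseline_host and fingerprint(raw) != base
    )


# Constructed sample: what four probes against one hypothetical IP might return.
SAMPLE_RESPONSES = {
    "nonexistent.invalid":
        b"HTTP/1.1 200 OK\r\nContent-Length: 612\r\n\r\n" + b"x" * 612,
    "www.example.com":                      # same page as the default vhost
        b"HTTP/1.1 200 OK\r\nContent-Length: 612\r\n\r\n" + b"x" * 612,
    "intranet.example.com":                 # recognised: redirects to a login
        b"HTTP/1.1 302 Found\r\nLocation: https://intranet.example.com/login\r\n"
        b"Content-Length: 0\r\n\r\n",
    "old-staging.example.com":              # recognised: a different site
        b"HTTP/1.1 200 OK\r\nContent-Length: 1337\r\n\r\n" + b"y" * 1337,
}

if __name__ == "__main__":
    for fp, hosts in group_by_response(SAMPLE_RESPONSES).items():
        print(fp, "<-", ", ".join(hosts))
    print("served names:", distinct_hosts(SAMPLE_RESPONSES, "nonexistent.invalid"))
```

In the sample, www.example.com is indistinguishable from the bogus baseline, so it is simply the default site, while the intranet and old-staging names produce their own responses and are therefore real virtual hosts on that address. On a live server the status/length/Location triple is a deliberately coarse fingerprint: dynamic pages can change length between requests, so compare a baseline fetched twice before trusting a difference, and treat the candidate name list (from DNS records, certificates or the public databases the paper discusses) as the input to this check rather than guessing names.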