[NOTICE: This post assumes that your friend owns the server he is using, and that everything running on the server is owned and controlled by him]

INTRO

In this post I will be explaining how to increase the number of attack vectors (the number of ways into a target), allowing you to own websites which previously appeared to be secure.
So you're running a security audit on a friend's websites, and so far everything seems fine. There are no known vulnerabilities in the web software he's running, and there don't appear to be any vulnerable plugins either. The services running on the server also appear to be secure. So... what do you do?
Finding Other Domains

What you're looking at looks secure, so you want to expand what you're looking at. The first thing we're going to do is look for other websites running on the same server. Admins often run more than one website on a server; they may also have a personal blog or some other site hosted there, and these may be vulnerable. Because they share the server, a foothold on any one of them is a foothold on the server your friend's site runs on.
To find other domains which point to the IP address of your friend's server we can use Bing. Bing's search engine has an "ip:" operator: typing "ip:x.x.x.x" returns any websites Bing has crawled which were served from the IP "x.x.x.x".
Another way we can do this is using the following service:
link

Enter the target domain name or IP address and it will return all the domains it knows of that point to the same IP.
[NOTICE: When using either of these, always confirm the results yourself (for example by resolving each domain and checking the IP), as they may be outdated.]

DNS Enumeration

The next thing we're going to do is find subdomains of your friend's domain. We want to do this because different subdomains are likely to point to different web applications, some of which may be vulnerable.
We are going to use a tool called dnsenum. It can be downloaded from here:
https://code.google.com/p/dnsenum/

If you are running Kali or BackTrack you should already have it.
Dnsenum is a command-line tool, so you will need to open a terminal here.
Dnsenum is very simple to use, and will perform 3 different checks to find subdomains set up by your friend.
Test 1

First of all it will request a zone transfer (AXFR) from each of the name servers used by your friend's domain. If this works you've hit the jackpot: the name server hands you the whole zone, so you will now be able to see all the subdomains and the IP addresses they point to.
Test 2

The second test is a brute-force one. Using a wordlist of common subdomains, it queries the name server for each of them, reporting any valid subdomains back to you. This can take several minutes depending on the size of the wordlist. Dnsenum comes with its own wordlist which you can use; in Kali Linux it is located at /usr/share/dnsenum/dns.txt
NOTICE: If the domain has a wildcard DNS record, every name you try will resolve and the brute-force results would be meaningless, so dnsenum checks for a wildcard first and skips this test if it finds one.
Test 3

The third test queries whois to find the netrange your friend's hosting provider uses, then does a reverse lookup on every IP in that range, looking for names under your friend's domain, to find out whether your friend owns any of those servers. This will rarely succeed and it can take a lot of time, so in my opinion it isn't worth running unless you are targeting a larger network, such as one owned by a large company.
An example output of dnsenum running on Kali Linux is shown below.
For this example I have chosen securityoverride.org, one of Evilzone's partners.
The command: dnsenum -f /usr/share/dnsenum/dns.txt securityoverride.org
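As an added example (my own code, not part of the original post and not dnsenum's code), here is a small Python script that performs Test 2 and Test 3 the same way, including the wildcard check from the notice above. The resolver functions are injectable, so the script runs offline against the constructed records in its main block; the domain example.test, the IPs and the short wordlist are made-up sample data, and the default resolvers use the standard socket library. Test 1 (the zone transfer) is left out because it needs a DNS library or a hand-rolled AXFR over TCP.

```python
import ipaddress
import random
import socket
import string

# Constructed stand-in for /usr/share/dnsenum/dns.txt (assumption: a real run
# would read the full wordlist from that file instead).
SAMPLE_WORDLIST = ["www", "mail", "ftp", "dev", "staging", "vpn", "blog"]


def system_resolve(name):
    """Forward lookup through the system resolver; None if the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def system_reverse(ip):
    """PTR lookup through the system resolver; None if there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def has_wildcard(domain, resolve=system_resolve, probes=2):
    """Wildcard check (the caveat in the notice above): if random labels resolve,
    every label will, so brute-forcing the wordlist would only return noise."""
    alphabet = string.ascii_lowercase + string.digits
    for _ in range(probes):
        label = "".join(random.choices(alphabet, k=16))
        if resolve(f"{label}.{domain}") is None:
            return False
    return True


def brute_force(domain, wordlist, resolve=system_resolve):
    """Test 2: query each wordlist entry; returns {name: ip} for the ones that exist,
    or None when a wildcard record makes the test pointless (dnsenum skips it too)."""
    if has_wildcard(domain, resolve):
        return None
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        ip = resolve(name)
        if ip is not None:
            found[name] = ip
    return found


def reverse_sweep(netrange, domain, reverse=system_reverse):
    """Test 3: reverse-lookup every host in the netrange and keep the ones whose
    PTR record is the domain itself or a name under it."""
    hits = {}
    for ip in ipaddress.ip_network(netrange, strict=False).hosts():
        name = reverse(str(ip))
        if name is not None and (name == domain or name.endswith("." + domain)):
            hits[str(ip)] = name
    return hits


def group_by_ip(found):
    """Hosts sharing an IP sit on the same server, which is what we are after."""
    groups = {}
    for name, ip in found.items():
        groups.setdefault(ip, []).append(name)
    return groups


if __name__ == "__main__":
    # Constructed records so the demo runs offline; pass the system_* functions
    # instead to run it for real against a domain you are allowed to test.
    RECORDS = {
        "www.example.test": "203.0.113.10",
        "mail.example.test": "203.0.113.10",
        "dev.example.test": "203.0.113.20",
    }
    PTRS = {"198.51.100.5": "vpn.example.test", "198.51.100.7": "static.hoster.test"}
    found = brute_force("example.test", SAMPLE_WORDLIST, resolve=RECORDS.get)
    print("Test 2 (grouped by IP):", group_by_ip(found))
    print("Test 3:", reverse_sweep("198.51.100.0/29", "example.test", reverse=PTRS.get))
```

Grouping the hits by IP is the step that ties this back to the first section: names that resolve to the same address are on the same server, while names on other addresses are the "other servers" worth checking for reused credentials.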
In some cases not all of the subdomains point to the same IP; however, they are still worth checking out. Often the same login credentials are used across several different servers, so if you gain access to one of them, you may gain access to them all.
Extra

Another thing you can do is a reverse WHOIS lookup on the email address your friend used to register his domain. This searches domain registration records for your friend's email address, and you may find other domains he has registered, some of which may be active, and they may even point to the same server.
DirBuster is another great tool for discovering hidden content hosted on the same server, but I'll save that for another time.
Side Note

Try using dnsenum on manchester.ac.uk (Manchester University); you will see just how much information this tool can provide.