Author Topic: Finding domain from IP  (Read 1910 times)

0 Members and 1 Guest are viewing this topic.

Offline DanBlaze

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 5
    • View Profile
Finding domain from IP
« on: December 20, 2014, 12:56:19 pm »
Hi, everyone.

I've been lurking for some time now and I finally have something which might be interesting enough to be worth discussing.
I'm working with tons of ips and am trying to find a way to figure out if there are websites hosted on that IP.
Here's what I'm doing so far:
- I'm parsing results from some sites/tools which provide this functionality

- I'm using php's gethostbyaddr function, which more or less provides no relevant results whatsoever

Here are some ideas I'm planning to implement:
- I can try to find long/lat coordinates of the machine behind the IP, then figure out a street address and see if there's a company which has a website on this address. This is probably the worse method I can use, since the false positives will be a ton for all sites on shared hostings. But I'm willing to explore any option, since this is a project done mostly as a hobby.
- I'm also considering going through emails to look for a co-relation between ips and domains. The problem here is that I don't have access to a database with email headers to go through. :/
- And finally I'm thinking of setting up a web crawler which will index domains and a separate script which will keep their IPs up to date. Then I can go over this database to do lookups. This has potential to be useful on it's own as another tool which provides reverse dns lookup, but will probably take a lot of time before it has a large enough database to produce meaningful results.

So... Got any other ideas how I can get this going? Or maybe you can suggest improvements to what I'm already doing?
For example - which sites are you using when you do reverse ip lookups?




Offline d4rkcat

  • Knight
  • **
  • Posts: 287
  • Cookies: 115
  • He who controls the past controls the future. He who controls the present controls the past.
    • View Profile
    • Scripts
Re: Finding domain from IP
« Reply #1 on: December 20, 2014, 01:29:43 pm »
I think you are over complicating it.
What you are trying to do is called a reverse DNS lookup.
https://en.wikipedia.org/wiki/Reverse_DNS_lookup

Easily done with a few lines of python:
Code: (Python) [Select]
import socket
socket.setdefaulttimeout(5)
socket.gethostbyaddr("69.59.196.211")

Output:
Code: (Python) [Select]
('stackoverflow.com', ['211.196.59.69.in-addr.arpa'], ['69.59.196.211'])
Jabber (OTR required): thed4rkcat@einfachjabber.de    Email (PGP required): thed4rkcat@yandex.com    PGP Key: here and here     Blog

<sofldan> not asking for anyone to hold my hand uber space shuttle door gunner guy.


Offline DanBlaze

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 5
    • View Profile
Re: Finding domain from IP
« Reply #2 on: December 20, 2014, 01:53:12 pm »
The python snippet appears to provide the same information as php's gethostbyaddr. It shows some data, but it doesn't get all the domains which have A records pointed at the IP, which is what I'm looking for.

Offline d4rkcat

  • Knight
  • **
  • Posts: 287
  • Cookies: 115
  • He who controls the past controls the future. He who controls the present controls the past.
    • View Profile
    • Scripts
Re: Finding domain from IP
« Reply #3 on: December 20, 2014, 02:08:02 pm »
Ah ok, sorry I did not understand the question correctly.
Bad news, as far as I understand, it is impossible.

http://serverfault.com/questions/105061/how-to-find-all-hostnames-in-dns-attached-to-one-ip
Jabber (OTR required): thed4rkcat@einfachjabber.de    Email (PGP required): thed4rkcat@yandex.com    PGP Key: here and here     Blog

<sofldan> not asking for anyone to hold my hand uber space shuttle door gunner guy.


Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: Finding domain from IP
« Reply #4 on: December 20, 2014, 02:22:30 pm »
The python snippet appears to provide the same information as php's gethostbyaddr. It shows some data, but it doesn't get all the domains which have A records pointed at the IP, which is what I'm looking for.
There is no way of knowing such a thing.
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline madf0x

  • Knight
  • **
  • Posts: 172
  • Cookies: 50
    • View Profile
Re: Finding domain from IP
« Reply #5 on: December 20, 2014, 04:08:01 pm »
Im assuming you've already made sure that there is a webserver on the IPs your are checking? And just trying to find alternate hosts on that site?

You can always use robtex.com as well, contains tons of information related to ip addresses. For instance if you plug in evilzone's ip you get https://www.robtex.com/en/advisory/dns/184/168/221/104/ which contains tons of other hosts associated with this address. However some of or even all could be stale addresses, and it funny enough doesn't have evilzone anywhere on its reverse addresses which goes to prove why you cant rely on a single tool, always verify ;) Idk if robtex has an api to work with, but making queries is pretty easy, just gotta parse the data.

Also important to remember that even if you find multiple hosts pointing to the same address, it doesn't necessarily mean they are on the same box, they could simply be using the same gateway that is intelligently routing/proxying the traffic.

Another thing you could always try is finding the name servers associated with that addresses and attempting a zone transfer. Low chances of working today but sometimes you get secondary name servers that arent properly configured. However nothing means it will actually have all the host for the address, some host may be using a different NS.

Thats why d4rkcat and proxx said its impossible to know for sure, too many different factors at play and ultimately its cases like this that makes good recon more of an art than science.

Offline DanBlaze

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 5
    • View Profile
Re: Finding domain from IP
« Reply #6 on: December 20, 2014, 06:28:31 pm »
Thanks for the post, madf0x, I'll definitely take a look at robtex.com.
As for trying zone transfers - I already did, but almost all of the servers I tried didn't allow them so I kinda left it as a dead end.


Also I  know it is impossible to have an up-to-date exhaustive list, but I'm trying to see how close to that I can get. Worst case I've had some fun diggin' around, best case I get to launch a useful online tool.


Offline madf0x

  • Knight
  • **
  • Posts: 172
  • Cookies: 50
    • View Profile
Re: Finding domain from IP
« Reply #7 on: December 20, 2014, 06:35:08 pm »
No problem. Your best bet might simply be to try to pull up every resource you can find on enumeration, and start up a list of techniques, or a catalog of things to try to squeeze out just one more host name. I'm sure there are a bunch of other tricks that may be obscure/situational that I havn't said that you might be able to dig up(oh ya, play with dig too, sometimes domains and DNS entries have some weird stuff going on thats interesting ;) ).

Then when you're done throw it up in the tuts section, youll get at least one cookie from me.

Offline DanBlaze

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 5
    • View Profile
Re: Finding domain from IP
« Reply #8 on: December 21, 2014, 07:40:02 pm »
Ok, here's an update.

First of all - thanks, guys, you've been really helpful. :)

I've gone through a lot of tools and options and I finally came to a conclusion that there are pretty awesome tools that do that already. None of them seem to be 100% accurate, but it's to be expected given the nature of the task.
I'm not sure whether it's worth implementing another tool, especially since it will rely on others to work, and will not yield much better results than the rest. But if I were to, I'd have it do the following:
- Do a preliminary filtering out IPs which don't have HTTP and HTTPS ports open
- Use a number of tools (listed later) which will return a list of domains
- Check each of the domain's A records (because the tools may have old information)
A tool like that would mostly be useful for a large amount of IPs which one would not want to do manually. If we want to do just a handful of check one can just do it manually with the following tools:


https://www.robtex.com/en/advisory/dns/127/0/0/1/ - provides lots of information including up to a 100 domains associated with an ip, but doesn't work all of the time - I get a lot of bad gateway errors


http://viewdns.info/ - lots of useful tools, and a very simple but very accurate reverse DNS lookup, free api with up to 250 requests monthly, probably the most accurate tool out there, still not 100% up-to-date


http://reverseip.domaintools.com/search/?q=127.0.0.1 - another very accurate reverse DNS tool, which provides up to 3 results for free - very useful for another layer of preliminary filtering. If it doesn't return anything, there probably isn't anything.


Here are a couple of IP neighbourhood checkers, which are really useful:


http://www.ipneighbour.com/ - returns accurate results
https://majestic.com/reports/neighbourhood-checker - returns nice results for reverse DNS look up as part of neighbors, allows only so many checks before asks for registration


And a list of tools which don't do anything much different than what a simple gethostbyaddr() would return:

http://mxtoolbox.com/
http://remote.12dt.com/
https://www.dnswatch.info/
http://ping.eu/rev-lookup/
http://www.dnsgoodies.com/


If I decide to actually develop the class (it will probably be PHP or JAVA) I'll share it, but at the moment I don't think it's worth the time invested. Still had fun doing the research though.


Offline madf0x

  • Knight
  • **
  • Posts: 172
  • Cookies: 50
    • View Profile
Re: Finding domain from IP
« Reply #9 on: December 21, 2014, 08:21:11 pm »
+1 cookie for doing your own homework :)

Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • *
  • Posts: 990
  • Cookies: 224
    • View Profile
Re: Finding domain from IP
« Reply #10 on: December 30, 2014, 06:16:03 pm »
Have you looked into Bing. They have an IP search parameter where they try to give you different sites on that IP and the vhosts. They also provide for any subdomains indexed by Bing in that domain.
If you can't explain it to a 6 year old, you don't understand it yourself.
http://upload.alpha.evilzone.org/index.php?page=img&img=GwkGGneGR7Pl222zVGmNTjerkhkYNGtBuiYXkpyNv4ScOAWQu0-Y8[<NgGw/hsq]>EvbQrOrousk[/img]