Perform a reverse IP lookup to find all A records associated with an IP address. The results can pinpoint virtual hosts being served from a web server. Information gathered can be used to expand the attack surface when identifying vulnerabilities on a server.
What is a Reverse IP Lookup?
A reverse IP lookup identifies the hostnames whose DNS A records point to a given IP address.
A web server can be configured to serve multiple virtual hosts from a single IP address. This is common in shared hosting environments and in many organizations, and it can be an excellent way to expand the attack surface when going after a web server. If, for example, your primary target web site appears to be secure, you may be able to gain access to the underlying operating system by attacking a less secure site on the same server, bypassing the security controls of the target site.
Bing Reverse IP Search
There are generally not many reasons to use Bing; however, the Bing reverse IP search is one. Of the major search engines, Bing is the only service to offer a search query that resolves host names from an IP address.
A few years ago this was a popular method for finding virtual web hosts from an IP address. The search query is straightforward to use. Here is an example of the query form: ip:xxx.xxx.xxx.xxx (with the address of interest in place of the x's).
Making a query such as the one in the example shows results from hosts that are using the IP address in the query. Bing uses its search index to perform the reverse IP lookup, and it can still be used today.
Popular Use Cases for the Reverse IP Lookup
When attacking a host, one of the first things you will do is attempt to identify its attack surface. With an understanding of the attack surface you can move to the next step, which is to enumerate the applications and services in use. Following enumeration, a skilled penetration tester will be able to identify weak spots where vulnerabilities may become opportunities for exploitation.
Using the reverse IP lookup technique, it is possible to identify web sites on the host that may contain exploitable vulnerabilities. Even if no vulnerabilities are present, information disclosure can build the penetration tester's knowledge of the target.
Simply identifying additional hostnames related to the target can further inform the information discovery cycle, as the new hostnames may have additional DNS records pointing to new target hosts.
In this OSINT discovery chart you can see that a reverse IP lookup is one part of the information discovery process.
Incident Response and Threat Intelligence
Whether responding to an incident, identifying a botnet C2, or simply tracking down noisy Internet scanning, a reverse IP lookup can identify hostnames associated with an attacking system. These findings can further inform the investigation and lead to additional information sources.
Web Hosting Oversubscription
When purchasing web hosting in a shared hosting environment, the web host provider sells small amounts of resources on a server to a number of web sites. In order to cut costs the web host provider may oversubscribe, that is, sell more web sites than the server can handle. This is common among cheaper shared hosting providers, where a single web server can host thousands of small web sites. Using the reverse IP address lookup you are able to identify how many sites you are sharing that host with.
Web Hosting Reputation
Hosts with a poor reputation can affect email delivery, lead to blacklisting of your site and likely affect search engine ranking. By using the reverse IP address lookup service you are able to identify other sites on your host and use other investigative tools to determine whether those sites are of poor quality, perhaps even spam or phishing sites.
How is the DNS data queried?
The bulk of the data for the reverse IP lookup tool comes from the excellent scans.io project. Other open source intelligence (OSINT) sources include the Bing API, queried with the reverse IP search query ip:xxx.xxx.xxx.xxx. The DNS A records total approximately 60G of plain text DNS records. The query simply searches through this data on our backend systems to find all hosts that match the IP address entered.
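As an added illustration (not the site's own backend code) of what "searching through the A records for an IP" means, the following Python inverts a forward DNS data set into an IP-to-hostnames index and answers reverse IP queries from it. The record layout (one hostname,ip pair per line), the hostnames and the addresses are constructed for the example and are not the scans.io format; the principle is the same for any forward DNS dump, including malformed lines that a real dump will contain.

```python
"""Reverse IP lookup over a forward DNS dump: an added example, not the site's code."""
import ipaddress
from collections import defaultdict

# Constructed sample in a simple "hostname,ip" layout (not the scans.io format).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_A_RECORDS = """\
www.example.com,203.0.113.10
blog.example.com,203.0.113.10
shop.example.net,203.0.113.10
mail.example.com,203.0.113.25
www.example.org,198.51.100.7
WWW.Example.COM,203.0.113.10
bad line without comma
intranet.example.com,not-an-ip
"""


def parse_a_records(text):
    """Yield (hostname, ip) pairs from the dump.

    Hostnames are lower-cased and stripped of a trailing dot so that the same
    name in different spellings collapses to one entry; lines with no comma or
    with an unparsable address are skipped rather than aborting the whole load.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "," not in line:
            continue
        name, _, ip_text = line.partition(",")
        try:
            ip = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            continue
        yield name.strip().lower().rstrip("."), str(ip)


def build_reverse_index(records):
    """Invert name->ip records into ip->{names}; this is the 'reverse' step."""
    index = defaultdict(set)
    for name, ip in records:
        index[ip].add(name)
    return index


def reverse_ip_lookup(index, ip_text):
    """Return the sorted hostnames whose A record points at ip_text.

    The address is normalised through ipaddress first, so a malformed query
    raises ValueError instead of silently matching nothing.
    """
    ip = str(ipaddress.ip_address(ip_text.strip()))
    return sorted(index.get(ip, set()))


if __name__ == "__main__":
    idx = build_reverse_index(parse_a_records(SAMPLE_A_RECORDS))
    for host in reverse_ip_lookup(idx, "203.0.113.10"):
        print(host)
```

On a 60G data set the same inversion would be done once into a key-value store keyed by address rather than rebuilt per query, but the query logic is identical: look the address up in the inverted index and return every name attached to it.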
Reverse DNS Lookup
A reverse DNS lookup is a bit different from the common definition of a reverse IP lookup. In a reverse DNS lookup the IP address is checked against a DNS server to see if there is a PTR record associated with that IP address. This PTR record is assigned by the IP address block owner.
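To make the distinction concrete, here is an added Python example (not code from the page) that builds the PTR query name for an address and, because the PTR record is set by whoever controls the address block, adds a forward-confirmation check: the name returned by the PTR record is resolved forward and must include the original address before it is trusted. The resolver functions default to the system resolver and can be swapped for constructed stand-ins; the address used in the main block is a documentation-range placeholder.

```python
"""Reverse DNS (PTR) helpers: an added example, not code from the page."""
import ipaddress
import socket


def ptr_name(ip_text):
    """Build the owner name that holds the PTR record for an address.

    IPv4 reverses the octets under in-addr.arpa; IPv6 reverses the 32 hex
    nibbles of the expanded address under ip6.arpa.
    """
    ip = ipaddress.ip_address(ip_text.strip())
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def lookup_ptr(ip_text, resolver=socket.gethostbyaddr):
    """Return the PTR hostname for an address, or None if no record exists.

    `resolver` must behave like socket.gethostbyaddr: (name, aliases, addrs).
    """
    ip = str(ipaddress.ip_address(ip_text.strip()))
    try:
        hostname, _aliases, _addrs = resolver(ip)
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None
    return hostname.rstrip(".").lower()


def forward_confirmed(ip_text, resolver=socket.gethostbyaddr,
                      forward=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS (FCrDNS).

    The block owner can put any name in a PTR record, so the name is only
    trusted when its own A records include the address we started from.
    Returns (ptr_hostname_or_None, confirmed_bool).
    """
    ip = str(ipaddress.ip_address(ip_text.strip()))
    name = lookup_ptr(ip, resolver)
    if name is None:
        return None, False
    try:
        _canon, _aliases, addrs = forward(name)
    except OSError:
        return name, False
    return name, ip in addrs


if __name__ == "__main__":
    # Live lookups against the system resolver; results depend on the network.
    target = "203.0.113.10"  # placeholder address from the documentation range
    print(ptr_name(target))
    print(forward_confirmed(target))
```

A reverse IP lookup over A records and a PTR lookup answer different questions: the first lists every name that publicly points at the address (often many, on a shared host), the second returns the single name the block owner chose to publish, which is why the forward confirmation matters when the PTR name is used as evidence in an investigation.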
Reverse IP Lookup API
A simple, easy-to-use API for quick access to the database. Use Python or any web request against the API URL below to receive the results in plain text format.
The API is simple and designed for ad-hoc recon tasks; like all our IP Tools, there is a limit of 100 queries per day, or you can increase the daily quota with a Membership.
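An added example of a small Python client for a plain-text reverse IP lookup API (not the site's own client). The endpoint URL and the query parameter name are placeholders, since the page does not quote them here, and the treatment of a reply line starting with "error" is an assumption. The client validates the address before it is placed in the URL, normalises the one-hostname-per-line reply, and keeps a local counter so a script stops itself at the 100-queries-per-day limit instead of being refused.

```python
"""Client for a plain-text reverse IP lookup API: an added example, not the site's code.

API_URL and QUERY_PARAM are placeholders; replace them with the values given in
the API description before use.
"""
import ipaddress
import urllib.parse
import urllib.request
from datetime import date

API_URL = "https://api.example.invalid/reverseiplookup/"  # PLACEHOLDER endpoint
QUERY_PARAM = "q"                                          # assumed parameter name
DAILY_LIMIT = 100                                          # free quota stated on the page


def build_query_url(ip_text, base=API_URL):
    """Validate the address before it goes anywhere near the URL."""
    ip = ipaddress.ip_address(ip_text.strip())  # ValueError for anything that is not an IP
    return base + "?" + urllib.parse.urlencode({QUERY_PARAM: str(ip)})


def http_get(url, timeout=10):
    """Fetch the plain-text reply (only used when no fake fetcher is supplied)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_hostnames(body):
    """One hostname per line; blanks dropped, case and trailing dots normalised.

    Assumption: the service signals a problem with a line starting with 'error'.
    """
    hosts = set()
    for raw in body.splitlines():
        line = raw.strip().rstrip(".").lower()
        if not line:
            continue
        if line.startswith("error"):
            raise RuntimeError("API error: " + line)
        hosts.add(line)
    return sorted(hosts)


class DailyQuota:
    """Client-side counter so a script stops at the daily limit on its own."""

    def __init__(self, limit=DAILY_LIMIT, today=date.today):
        self.limit = limit
        self._today = today          # injectable clock returning a comparable day value
        self._day = today()
        self.used = 0

    def take(self):
        """Consume one query; False once the limit for the current day is reached."""
        now = self._today()
        if now != self._day:         # a new day resets the counter
            self._day, self.used = now, 0
        if self.used >= self.limit:
            return False
        self.used += 1
        return True


def reverse_ip_lookup(ip_text, quota, fetch=http_get):
    """Return sorted hostnames for the address, or raise if the quota is used up."""
    if not quota.take():
        raise RuntimeError("daily quota of %d queries reached" % quota.limit)
    return parse_hostnames(fetch(build_query_url(ip_text)))


if __name__ == "__main__":
    # Live request against the placeholder endpoint; uses one query of the quota.
    quota = DailyQuota()
    print("\n".join(reverse_ip_lookup("203.0.113.10", quota)))  # placeholder address
```

The fetch function is injectable so the parsing and quota logic can be exercised without network access; in a scheduled job, persist the counter to disk so restarts do not reset it.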