Perform a reverse IP lookup to find all
A records associated with an IP address. The results can pinpoint virtual hosts being served from a web server. Information gathered can be used to expand the attack surface when identifying vulnerabilities on a server.
What is a Reverse IP Lookup?
The technique known as Reverse IP Lookup is a way to identify hostnames that have DNS (A) records associated with an IP address.
A web server can be configured to server multiple virtual hosts from a single IP address. This is a common technique in shared hosting environments. It is also common in many organizations and can be an excellent way to expand the attack surface when going after a web server. If for example your primary target web site appears to be secure you may be able to gain access to the underlying operating system by attacking a less secure site on the same server. Bypassing the security controls of the target site.
Not only can you use the Reverse IP lookup to find web hosts on a single IP address, the query can also be performed against a CIDR network block. Search hosts across up to a /24 of public IP addresses.
Free users are limited by the number of results. Registered members can get up to 500'000 results from a single query using the web form or an API key.
Bing Reverse IP Search
There are usually not many reasons to use Bing, however the Bing reverse IP search is sometimes one. Of the major search engines Bing is the only service to offer a search query that resolves host names from an IP address.
A few years ago this was a popular method for finding virtual web hosts from an IP address. The search query is straight forward to use. Here is an example.
Making a query such as one in the example will show results from hosts that are using the ip address that matches the query. Bing uses its search index to perform the reverse IP lookup and it can still be used today.
Popular Use Cases for the Reverse IP Lookup
Attack Surface Discovery for Blue & Red Teams
When attacking a host one of the first things you will do is attempt to identify the attack surface of the host. With an understanding of the attack surface you can move to the next step which is to enumerate the applications and services in use. Following enumeration a skilled penetration tester will be able to identify weak spots where vulnerabilities may become opportunities for exploitation.
Using the Reverse IP Lookup technique, it is possible to identify web sites on the host that may contain vulnerabilities to exploit. Even if no vulnerabilities are present information disclosure can be used to build the penetration tester's knowledge of the target.
Simply identifying additional host names that are related to the target can further inform the information discovery cycle as the new hostnames may have additional DNS records that can point to new target hosts.
In this OSINT discovery chart you can see that a reverse IP lookup is one part of the information discovery process.
Incident Response and Threat Intelligence
Whether responding to an incident, identifying a botnet C2 or simply tracking down noisy Internet scanning, a reverse IP lookup can identify hostnames associated with an attacking system. These findings can further inform the investigation and lead to additional information sources.
Oversubscribed Web Hosting
When purchasing web hosting in a shared hosting environment, the web host provider sells small amounts of resources on a server to a number of web sites. In order to cut costs the web host provider may oversubscribe, that is sell more web sites than the server can handle. This is common in cheaper shared hosting providers, where a single web server can hosts thousands of small web sites. Using the reverse IP address lookup you are able to identify how many sites you are sharing that host with.
Web Hosting Reputation
Hosts with poor reputation can affect email delivery, blacklisting of your site and likely affect search engine ranking. By using the reverse IP address lookup service you are able to identify other sites on your host and use other investigative tools to identify if the other hosts are of poor quality perhaps even spam or phishing sites.
How is the DNS data queried?
The bulk of the data for the reverse IP lookup tool comes from our crawls of the Alexa Top 1 Million sites, Search Engines (Bing), Common Crawl, Certificate Transparency and the excellent scans.io project. The DNS A records total approximately 90G of plain text host records. The query simply searches through this data on our backend systems to find all hosts that match the IP address entered.
Reverse DNS Lookup
A reverse DNS lookup is a bit different to the commonly used definition for a reverse IP lookup. In the case of a reverse dns lookup the IP address is checked against a DNS server to see if there is a
PTR record associated with that IP address. This
PTR record is assigned by the IP address block owner.
Reverse IP Lookup API
An easy to use simple API for quick access to our backend database. Use
python or any web request against the API url below to receive the results in plain text format.
The API is simple and designed to be used for quick recon tasks; like all our IP Tools there is a limit of 50 queries per day or you can increase the daily quota with a Membership. For those who need to send more packets, HackerTarget.com has Enterprise Plans.
Have you seen our other Free IP and Network Testing tools.
Discover. Explore. Learn.
Next level testing with advanced Security Vulnerability Scanners.
Trusted tools. Hosted for easy access.