Tuesday 18 December 2012

CLI Virtual Host Checker bingip

Google rocks right? Well, there’s still one feature it lacks compared to Bing – the ability to search by IP address. 

On bing.com you can use ip:<IP address> and it will return pages indexed from that IP address which, as a security guy is a really useful way of enumerating virtual hosts belonging to a web server.

However, a fancy web page of results is not much use to the average penetration tester, we like text files which we can then pass into all sorts of other tools and scripts that we come up with.  

There seem to be a few command line tools which dealt with gathering data from Google but in my brief search on a BT5 instance there wasn’t one which did what I wanted, so as all good testers would do, I wrote one.

bingip is a really simple tool that makes a request to bing.com to determine domains hosted at that IP, returning each in plain-text on a new line.  

It’s a very simple script at the moment and can only handle up to 50 domains (due to the page limit on Bing - I will update to use API at some point) and of course, can break as soon as Bing change their website – but I’ll try and keep on top of that.

As it's Christmas we've added some new features to bingip.

It now accepts a file of IP addresses as input and, more usefully I think, it accepts an Nmap XML file too. 

This means you can run your standard Nmap scans as normal and, when you're done use bingip to find which websites are hosted on the target IP addresses. 

A simple example would be:

nmap -p 80 -oX bingip_example.xml scanme.nmap.org

Now pass the file generated as an argument and bingip will automatically extract hosts with web server ports:

bingip.py --nmap_file bingip_example.xml

You can download the tool and see further examples over on our Github page at https://github.com/7Elements/bingip.