There is a lot that we can say about finding virtual hosts from a given IP address. Sometimes this task is straightforward, other times a bit of thinking is required. However, in general it is
not a mission impossible.
During the last few years, domain name databases have emerged like mushrooms after a rainy day. This has certainly increased the awareness among security professionals about the possibility of using virtual hosts as backdoors when testing the security of a given
organization. In reality, a good attacker will try to break into your organization by knocking on the not-so-obvious doors.
The process of getting all valuable virtual hosts usually falls into the passive, enumeration gathering practices and it is based on querying databases from the public sector. However, we will also look at some active enumeration techniques for finding virtual hosts.
In the following subsection we will discuss how to find virtual hosts by querying public databases and actively probing the domain name system (DNS) and the HTTP protocol itself.
This document is in PDF format. To view it click here.