Extending your attack vector by discovering vhosts

in technology •  4 months ago

Disclaimer: Only try this against hosts you have the right to test. Some server admins treat actions like the ones described below as an "attack". This is for learning purposes only; don't do this out on the open internet.

Let's assume there is a website you would like to hack, but you cannot find any security hole that gives you access. You have already scanned for other services and only found a well-secured SSH and FTP service that are not attackable because they are locked down too well.

Then you need to extend your attack surface in order to find a hole you can exploit.

What is a vhost?

First of all you need to understand what a vhost is.
For example, you have a physical server A with the IP address 123.123.123.1 and a physical server B with the IP address 123.123.123.2.

In a non-vhost environment each server runs a webserver which delivers ONE website.
That means one physical server handles ONE and only ONE website.
If you want to visit this site you use its URL, example.com, and it points to the webserver at 123.123.123.2. This also works the other way round: you can reach the website by browsing directly to its IP address 123.123.123.2 and end up in the very same place.

This is not very cost effective, since servers are not cheap, so vhosts became popular.
ONE server with ONE IP address can then handle multiple hosts, so-called virtual hosts.
Server A, for example, is now upgraded to a vhost server. It still has ONE IP address, 123.123.123.1, but there are multiple websites on it. Hosting companies usually do this in order to offer competitive prices, which means their customers share a server with other customers.
So let's assume example2.com and example3.com run on the same server as two different vhosts.
If I browse to example2.com over HTTP I end up at server 123.123.123.1, and if I browse to example3.com over HTTP I also end up at 123.123.123.1. But I see a different website? How is that possible?

The answer is in RFC 2616, section 14.23 (the HTTP/1.1 spec in force when this was written; it has since been replaced by RFC 7230, which covers the same header in section 5.4):
https://tools.ietf.org/html/rfc2616#section-14.23

HTTP/1.1 has a header field called "Host", and it must name the host you are trying to reach. If you browse to example3.com your browser adds the header "Host: example3.com" to every request. That is how the server knows which website you would like to see when several are available on one address. The header is mandatory: a client has to send it with every HTTP/1.1 request, and a server must answer an HTTP/1.1 request without it with 400 Bad Request.

So you send an HTTP request to 123.123.123.1 with the header "Host: example3.com" or "Host: example2.com", and the server uses this field to pick the website you want.

vhosts on an Apache server

A very popular webserver is Apache. Let's take a quick look at how it is set up in order to understand it better.
You can read an in-depth guide here: https://httpd.apache.org/docs/2.4/vhosts/name-based.html
But basically you configure it this way:

# Two name-based vhosts on the same address and port; Apache picks the one
# whose ServerName matches the Host header of the request.
<VirtualHost *:80>
    ServerName example2.com
    DocumentRoot /var/www/example2-files/
</VirtualHost>

<VirtualHost *:80>
    ServerName example3.com
    DocumentRoot /var/www/example3-files/
</VirtualHost>

This config again makes clear that both sites live on the very same server. Note that Apache uses the first VirtualHost listed for an address as the default: a request whose Host header matches no ServerName is served by example2.com, not rejected. That matters when you probe an IP, and it is why a careful admin adds a dedicated catch-all vhost that answers every unknown name with an error page instead of a real site.

And where is the bigger attack surface now?

If you have not already noticed where the bigger attack surface is, maybe you should not go further :D
If your target is example2.com but you can't find any security hole, you can try to attack example3.com.
Why? Because it is on the same server. If you gain control over the server behind example3.com you also control the server behind example2.com. Why? Because it is the same machine ;)
A caveat from practice: a web shell dropped into example3.com's DocumentRoot usually runs as the webserver's user (www-data or similar), and how much of example2.com that user can read depends on how the admin separated the sites. With a single shared worker user you can typically read every DocumentRoot; with per-site users (suEXEC, separate PHP-FPM pools) or containers you first need to escalate privileges on the box. Either way you are already on the target's machine.
And maybe it is not limited to only two hosts. Some servers have hundreds of vhosts configured, and only one of them needs a security hole you can exploit ;)

How to find out if a site is running in a vhost environment?

The next step is to find out whether your target site runs in a vhost environment. As described above, RFC 2616 requires every HTTP/1.1 request to carry a "Host" header, and a name-based server uses that value to pick the site. So the question is not whether Host is present (it always is) but whether the server's answer depends on it.

Let's use some real-life examples, starting with amazon.com. A company of that size is unlikely to share its servers with other customers, and a site of that size also sits behind load balancers and a CDN, so an IP address tells you little about which machine actually runs it.

In Chrome's developer tools you can inspect the request headers in the Network tab. Depending on the version, Chrome does not list Host there at all (and over HTTP/2 the name travels in the :authority pseudo-header instead), so not seeing it does not mean the site runs on a dedicated server; every HTTP/1.1 request carries Host. What you can test is how the IP behaves when you visit it without a meaningful name. First simply get the IP address of amazon.com, then try to access amazon.com via that IP.

Their IP address is 205.251.242.103, and entering it directly into a browser leads me to amazon.com. Be careful with the inference: the browser sent "Host: 205.251.242.103", and whatever vhost answers as the default on that address redirected to amazon.com. That is consistent with a dedicated server, but it is not proof that no other name is served there; a shared server would not error out either, it would simply answer with its default vhost.
In the case of amazon.com we cannot make our attack surface bigger with this method.

Good, let's check another website, something small which most likely runs as a vhost.
Let's use rgbtohex.net.
Browsing to rgbtohex.net with the developer tools open shows the Host header being sent (screenshot not preserved).

Now access the server directly by IP. If the server dispatches on the name, the response to the bare IP (the browser sends "Host: 52.204.234.149") should differ from the response to the real name, because the IP matches no ServerName and the server falls back to its default vhost:

The IP address of their server is 52.204.234.149, and accessing it directly leads to a redirect to "www.52.204.234.149".
The default vhost on that address most likely has a rewrite rule that prepends "www." to whatever Host value it receives, and the bare IP was fed straight through it.

So the server's answer clearly depends on the Host header, and rgbtohex.net runs in a name-based vhost setup.
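To make the Host mechanism from the RFC section and the IP probe from the two examples above concrete, here is an added example that is not part of the original post. It runs a tiny HTTP server on 127.0.0.1 that picks a site by the Host header the way Apache does (first listed site is the default, an HTTP/1.1 request without Host gets 400), then probes it the way you would probe a real IP: connect to the address, set Host by hand, compare answers. It also does the wordlist-style guessing mentioned later in the post. The site names example2.com and example3.com, the page bodies and the candidate list are constructed for the demo; the test server is my stand-in for the real Apache box.

```python
"""Name-based vhost dispatch and how to probe for it (added example)."""
import http.client
import http.server
import threading

# Constructed vhost table: ServerName -> page body. Like Apache, the first
# entry doubles as the default vhost for any Host value that matches nothing.
VHOSTS = {
    "example2.com": "<title>example2</title>Site two",
    "example3.com": "<title>example3</title>Site three",
}
DEFAULT_VHOST = next(iter(VHOSTS))


class VhostHandler(http.server.BaseHTTPRequestHandler):
    """Serves whichever site the Host header names; unknown names get the default."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        host = self.headers.get("Host")
        if host is None and self.request_version == "HTTP/1.1":
            # RFC 2616 s14.23 / RFC 7230 s5.4: HTTP/1.1 without Host is a 400.
            self._reply(400, "Bad Request: missing Host header")
            return
        name = (host or "").split(":")[0].lower()  # drop :port (no IPv6 literals in this demo)
        self._reply(200, VHOSTS.get(name, VHOSTS[DEFAULT_VHOST]))

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the demo vhost server on a free loopback port; returns (httpd, port)."""
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]


def probe(ip, port, host_value):
    """GET / from ip:port with an explicit Host header (None = send no Host at all).

    Connecting to the IP and choosing Host yourself is the whole trick; a browser
    always fills Host from the URL you typed. Returns (status, body).
    """
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    if host_value is not None:
        conn.putheader("Host", host_value)
    conn.putheader("Connection", "close")
    conn.endheaders()
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, body


def serves_multiple_sites(ip, port, names):
    """True if at least two of the names get different answers from the IP,
    i.e. the server dispatches on Host (name-based vhosting)."""
    return len({probe(ip, port, n) for n in names}) > 1


def enumerate_vhosts(ip, port, candidates):
    """Wordlist check: keep candidate names whose response differs from what an
    unknown name gets. Blind spot: the default vhost answers unknown names too,
    so it is never reported here; you learn it from the bare IP probe instead."""
    baseline = probe(ip, port, "no-such-site.invalid")
    return {n for n in candidates if probe(ip, port, n) != baseline}


if __name__ == "__main__":
    httpd, port = start_server()
    print("no Host header     ->", probe("127.0.0.1", port, None)[0])
    print("Host: example3.com ->", probe("127.0.0.1", port, "example3.com")[1])
    print("Host: 127.0.0.1    ->", probe("127.0.0.1", port, "127.0.0.1")[1])
    print("dispatches on Host ->", serves_multiple_sites("127.0.0.1", port, ["example2.com", "example3.com"]))
    print("wordlist hits      ->", enumerate_vhosts("127.0.0.1", port, ["example2.com", "example3.com", "shop.example.com"]))
    httpd.shutdown()
```

Against a real target you replace 127.0.0.1 and the port with the server's IP and 80, and the candidate list with a subdomain wordlist or the names you pulled from search engines and certificate data. The enumerate_vhosts blind spot is worth remembering: the name the server treats as default (here example2.com) is exactly what an unknown Host gets, so it never shows up as a "hit" and you only recognise it because you already know the target.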

How to find vhosts on a server

Since there is no way to simply ask a server "hey, list me all your vhosts", you have to rely on other sources: search engines, DNS databases, internet archives, PGP key servers and so on. Two more sources worth checking: the TLS certificate the IP presents lists every name it covers in its Subject Alternative Name field, and Certificate Transparency logs record every certificate ever issued for a domain. Finally, you can guess: send requests to the IP with Host values from a wordlist and keep the names whose response differs from what an unknown name gets.
My favourite tool for this is theHarvester from laramies.
You can get it here: https://github.com/laramies/theHarvester
I do not want to go too deep into the details of theHarvester since it is documented pretty well, but it does a good job of finding vhosts on a server (you give it the target with -d and a data source with -b; its Bing source historically used Bing's ip: search operator to list other hostnames on the same address).

So that's it. If you need to create a bigger attack surface on a server, you now know how :)
For questions, just ask.


This account is my favorite; honestly, it has lowered my level of ignorance a lot since I started following it. Your way of explaining is easy and simple, good teacher.

This is very useful for everyone, and especially for me; this is a new science for me. Thank you very much for sharing, @rockz.

Great information about vhosts and a clear explanation of vhosts on an Apache server and of finding vhosts on a server. Really, your analytic content is highly appreciable and it enhances our knowledge about hacking and security.

I always love reading your pieces because they contain a lot of valuable information and updates. Keep the good work flowing, man.

Technology brings great change all over the world, and human life becomes easier and easier.

It is really amazing information about servers.
I never heard about vhosts before, but your post is full of knowledge about vhosts.
Thank you very much for sharing.

Wow, very good information @rockz; this is very useful for everyone, and especially for me; this is a new science for me. Thanks for sharing, and hopefully you will be even more successful in your work... :)

Thanks for sharing such great knowledge regarding technology, hacking and security. I really like the quality of your answers to any question, @rockz, a great human being!

Great information you shared about technology.

Thanks for sharing your helpful information. I am so happy.

Great article as always!

Great, so I learned something new today... interesting. That makes the web a little more dangerous :D Wait, let me correct myself - it is already that dangerous all the time :P

Good information to learn. I just heard about vhosts; maybe this is worth learning.
I've heard about Apache, but I do not know its usefulness, because it is included in open source projects...

Learned something new about hacking, but I guess it's not allowed in my country.

Your writing skill is totally good, @rockz.

Apache is very useful for virtual hosts.

Wow, you are amazing. Are you a programmer?


Haha, it's not rocket science. Yes, I am a programmer.

Yeah, I know that, but the thing is I am a programmer too, and when I saw that I felt really happy.
But these days I am searching for someone who can help me with Steem Power.

I need a 6k Steem Power delegation; it's very important for me. I will be thankful if you could help.


Wow, great technology.

Hackers use vhosts to hack you?

Me, @fauzan11, the friend @bigboss joined.

Greetings, you make friends with bigbos99? He is our friend also.


Nice post.

Greetings, friendship on Steemit.