anyway to get the domain name from the ip ??

[evilcode1]

hello all ...
i have a list of ip's range for a websites in the server .... i try to get the domain name from ip i used python requests lib. to grep get the HEAD and then grep the location ... it's work in some cases but not all .. this is my code :

    x = "194.187.80.65"
    
    url = ("http://" + x)
    
    try:
        r = requests.head(url,timeout=1)
        if r.status_code == 403:
            print("[~] 403 Forbidden -- " , url + "\n")
        if r.status_code == 401:
            print("[~]401 Unauthorized -- Maybe it's a control panel protected by Firewall ( check it manually ) ! " , url + "\n")
        else: 
            qan =  (f"\n[+]Testing : {url}\t (Y)\t OK\t\t : "  + url + " [!]INFO : ")
            dd  =(r.headers)
            print(Fore.GREEN + qan + str(dd) + "\n")
         
       
    except requests.exceptions.HTTPError as errh:
        print ("Http Error:",errh)
        
    except requests.exceptions.ConnectionError as errc:
        print (Fore.RED + f"[-]Testing : {url}\t (N) \t Error Connecting: " + url )
        
    except requests.exceptions.Timeout as errt:
        print ("Timeout Error:",errt)
       
    except requests.exceptions.RequestException as err:
        print ("OOps: Something Else",err)
    

Output:
http://194.187.80.65 [!]INFO : {'Expires': '0', 'Cache-Control': 'no-cache', 'X-Powered-By': 'JSP/2.3, JSP/2.3', 'Set-Cookie': 'JSESSIONID=3GkFeBQdOxugDl9x5sWx5nZH6qbUSCX1MJqtLEZu.alumni; path=/', 'Pragma': 'no-cache', 'Date': 'Thu, 08 Aug 2019 19:05:04 GMT', 'Connection': 'keep-alive', 'Content-Type': 'text/html;charset=UTF-8', 'Content-Length': '57530'}

and i try this code :

import socket
socket.gethostbyaddr("194.187.80.65")

Output:
socket.gethostbyaddr("194.187.80.65")
socket.herror: [Errno 11004] host not found

how to do that !! i need it to return the domain name : alumni.qou.edu

[Larz60+]

Give it a valid IP Address

import socket

print(socket.gethostbyname('cleopatra.io'))
print(socket.gethostbyaddr('63.245.208.212'))

Output:
63.245.208.212
('cleopatra.io', [], ['63.245.208.212'])

[DeaD_EyE]

On one IP address many different VHosts can run.
If you have luck, you're redirected to a default page or and admin panel.
The most webservers are hosting more than one domain on one IP.

Here look at some example configurations of Nginx:
https://www.nginx.com/resources/wiki/sta...er_blocks/

How would you find out any of hosted pages on an IP-Address, when many different Domains can be the answer?
It's like a guessing game. At the moment I don't have any idea how to get all hosted VHosts, if you know only the ip.
Only a bad security flaw can let you find out the configuration of a webserver.

One problem with Domains was SSL. If I remind right, there was one place in the internet, where you can
see registrations of SSL-Certificates. In some cases you oberve this and then you know the whole infrastructure of a company domain for example.

[Malt]

(Aug-08-2019, 06:51 PM)evilcode1 Wrote: hello all ... i have a list of ip's range for a websites in the server .... i try to get the domain name from ip i used python requests lib. to grep get the HEAD and then grep the location ... it's work in some cases but not all .. this is my code :

 x = "194.187.80.65" url = ("http://" + x) try: r = requests.head(url,timeout=1) if r.status_code == 403: print("[~] 403 Forbidden -- " , url + "\n") if r.status_code == 401: print("[~]401 Unauthorized -- Maybe it's a control panel protected by Firewall ( check it manually ) ! " , url + "\n") else: qan = (f"\n[+]Testing : {url}\t (Y)\t OK\t\t : " + url + " [!]INFO : ") dd =(r.headers) print(Fore.GREEN + qan + str(dd) + "\n") except requests.exceptions.HTTPError as errh: print ("Http Error:",errh) except requests.exceptions.ConnectionError as errc: print (Fore.RED + f"[-]Testing : {url}\t (N) \t Error Connecting: " + url ) except requests.exceptions.Timeout as errt: print ("Timeout Error:",errt) except requests.exceptions.RequestException as err: print ("OOps: Something Else",err) 

Output:
http://194.187.80.65 [!]INFO : {'Expires': '0', 'Cache-Control': 'no-cache', 'X-Powered-By': 'JSP/2.3, JSP/2.3', 'Set-Cookie': 'JSESSIONID=3GkFeBQdOxugDl9x5sWx5nZH6qbUSCX1MJqtLEZu.alumni; path=/', 'Pragma': 'no-cache', 'Date': 'Thu, 08 Aug 2019 19:05:04 GMT', 'Connection': 'keep-alive', 'Content-Type': 'text/html;charset=UTF-8', 'Content-Length': '57530'}

and i try this code :

 import socket socket.gethostbyaddr("194.187.80.65") 

Output:
socket.gethostbyaddr("194.187.80.65") socket.herror: [Errno 11004] host not found

how to do that !! i need it to return the domain name : alumni.qou.edu

I thought of exploring gethostbyaddr definition in socket.py but it is importing another _socket. Where we can view _socket

(Aug-08-2019, 08:57 PM)Larz60+ Wrote: Give it a valid IP Address

 import socket print(socket.gethostbyname('cleopatra.io')) print(socket.gethostbyaddr('63.245.208.212')) 

Output:
 63.245.208.212 ('cleopatra.io', [], ['63.245.208.212']) 

I thought of exploring gethostbyaddr function definition, but couldn't locate it under socket.py where it is actually importing another _socket. Where we can see the source code for _socket.py

[Gribouillis]

Malt Wrote:Where we can see the source code for _socket.py

The _socket module is written in C. See Modules/socketmodule.c in the CPython source tree. As far as I know, the socket module is merely a python wrapper around the C socket API.

[evilcode1]

(Aug-08-2019, 08:57 PM)Larz60+ Wrote: Give it a valid IP Address

import socket

print(socket.gethostbyname('cleopatra.io'))
print(socket.gethostbyaddr('63.245.208.212'))

Output:
63.245.208.212
('cleopatra.io', [], ['63.245.208.212'])

its valid bu can check it by visit it on ur browser ..
by it still not working with print(socket.gethostbyaddr('63.245.208.212')) !!
any idea ?? or any other way to do that ?

[DeaD_EyE]

>>> print(socket.gethostbyaddr('63.245.208.212'))
('redirects.public.mdc1.mozilla.com', ['cleopatra.io'], ['63.245.208.212'])
>>>

I guess you changed the ptr. Changing NS-Records takes time until they are everywhere (nameserver/resolver) updated.
To check the answer, you could do following on Linux:

andre@DESKTOP-F29NT09:~$ dig @1.1.1.1 63.245.208.212.in-addr.arpa ptr

; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> @1.1.1.1 63.245.208.212.in-addr.arpa ptr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15931
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;63.245.208.212.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
63.245.208.212.in-addr.arpa. 86400 IN   PTR     coquide-cambrai-gw.gw1.lil1.fr.uu.net.

;; Query time: 35 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Aug 09 12:57:47 CEST 2019
;; MSG SIZE  rcvd: 107

In this case the amazon-nameserver is used to query the PTR record.
The format is ip-address.in-addr.arpa
This will resolve the PTR record in a domain-name.