1. Understanding Server Architecture and Multiple Websites
Web servers often host multiple websites on a single physical machine or IP address. This creates an important security consideration: if one website on the server is vulnerable, it can potentially compromise all other websites hosted on the same server.
Key Concept: Shared Server Vulnerability
When multiple websites share the same server (same IP address), gaining access to one website can provide access to all other websites on that server. This is because all websites exist on the same file system and operating system.
Server Architecture Diagram (image not reproduced): a single server at IP 192.168.1.100 hosting several websites; all websites share the same IP address and file system.
Methods to Discover Co-hosted Websites
Method 1: Using Robtex.com
Robtex provides DNS lookup services that show all domain names pointing to the same IP address.
1. Open robtex.com
2. Enter the target domain
3. Look for "Names pointing to same IP"
Method 2: Using Bing Search
Bing allows IP-based searches to find websites hosted on a specific IP address: search for IP:192.168.1.1 (the ip: operator followed by the address). Only sites Bing has indexed are returned, so an empty result does not prove the host is alone on that address.
Method 3: Ping Command
Use ping to verify that multiple domains resolve to the same IP address.
```bash
ping target.com
ping co-hosted-site.com
```
2. Subdomain Discovery and Enumeration
Subdomains are extensions of a primary domain that can host entirely different applications or services. For example, mail.google.com is a subdomain of google.com.
Why Subdomain Discovery is Important
- Subdomains may run different applications with different security configurations
- Development or beta versions may be less secure
- Admin panels and management interfaces may be accessible
- Sensitive data may be exposed on forgotten subdomains
- Testing environments often have weaker security
Domain Structure Example (diagram not reproduced)
Using Knockpy for Subdomain Discovery
knockpy is a powerful tool for discovering subdomains through both passive reconnaissance and brute-force techniques.
| Method | Description | Pros | Cons |
|---|---|---|---|
| Recon (Passive) | Uses public DNS records and databases | Fast, stealthy, no direct requests to target | May miss some subdomains |
| Brute-force | Tests wordlist of potential subdomain names | Comprehensive, finds hidden subdomains | Slow, creates logs on target server |
Practical Examples
```bash
# View help menu
knockpy --help
# Passive subdomain discovery (recommended)
knockpy --domain google.com --recon
# Brute-force subdomain discovery
knockpy --domain target.com --bruteforce
# Example output shows discovered subdomains:
# - mail.google.com
# - maps.google.com
# - play.google.com
# - admin.google.com
# - dev.google.com
```
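The following is an added example and not knockpy's code. It implements the brute-force row of the table above in a few lines, handles one failure mode the table does not mention (a wildcard DNS record makes every guessed label resolve, so results must be filtered against the address random labels return), and then groups the results by IP address, which is the co-hosting check from section 1. The resolver is injected so the demo runs offline against a constructed zone; the domain names, addresses and wordlist are assumptions, and for a real lookup on a domain you administer you would pass a wrapper around socket.gethostbyname that returns None on socket.gaierror.

```python
"""Added example, not knockpy's code: wordlist subdomain check with
wildcard-DNS detection, then grouping of results by IP to reveal co-hosting.
The resolver is injected so the demo runs offline against a constructed zone."""
import secrets
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set

Resolver = Callable[[str], Optional[str]]  # hostname -> IPv4 string or None

# Constructed zones for the demo (documentation address ranges, not real hosts).
PLAIN_ZONE = {
    "www.example.test": "192.0.2.10",
    "mail.example.test": "192.0.2.20",
    "dev.example.test": "192.0.2.10",    # shares a host with www
    "admin.example.test": "192.0.2.10",  # shares a host with www
}
WILD_ZONE = {"mail.wild.test": "198.51.100.9"}
WILDCARD_IP = "198.51.100.5"             # every other *.wild.test answers with this


def plain_resolver(name: str) -> Optional[str]:
    return PLAIN_ZONE.get(name)


def wildcard_resolver(name: str) -> Optional[str]:
    """Every label under wild.test resolves, as a wildcard record would."""
    if name.endswith(".wild.test"):
        return WILD_ZONE.get(name, WILDCARD_IP)
    return None


def wildcard_ips(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels nobody would configure. Any answer means the
    zone has a wildcard record; those addresses are noise for a brute-force run."""
    answers = set()
    for _ in range(probes):
        ip = resolve(f"{secrets.token_hex(8)}.{domain}")
        if ip is not None:
            answers.add(ip)
    return answers


def brute_force(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, str]:
    """Return {hostname: ip} for wordlist entries that resolve to an address
    other than the wildcard address(es)."""
    noise = wildcard_ips(domain, resolve)
    found = {}
    for word in wordlist:
        host = f"{word}.{domain}"
        ip = resolve(host)
        if ip is None or ip in noise:
            continue  # no record, or indistinguishable from the wildcard
        found[host] = ip
    return found


def group_by_ip(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Invert {host: ip} into {ip: [hosts]} so co-hosted names stand out."""
    groups = defaultdict(list)
    for host, ip in hosts.items():
        groups[ip].append(host)
    return {ip: sorted(names) for ip, names in groups.items()}


WORDLIST = ["www", "mail", "dev", "admin", "ftp", "vpn"]  # tiny constructed list

if __name__ == "__main__":
    for domain, resolver in (("example.test", plain_resolver), ("wild.test", wildcard_resolver)):
        found = brute_force(domain, WORDLIST, resolver)
        print(f"{domain}: wildcard={wildcard_ips(domain, resolver) or 'none'}")
        for ip, names in group_by_ip(found).items():
            print(f"  {ip}: {', '.join(names)}")
```

On the wildcard zone only mail.wild.test survives, because it answers with an address different from the one random labels return; without that filter every word in the list would be reported as a "discovered" subdomain.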
Real-World Example
Running knockpy against google.com revealed over 555 subdomains, including:
- mail.google.com - Email service
- maps.google.com - Mapping service
- play.google.com - App store
- gsuite.google.com - Business tools
Each subdomain represents a potential attack vector that should be assessed for vulnerabilities.
3. File and Directory Discovery
Web servers contain numerous files and directories that may not be linked from the main website. These hidden resources can contain sensitive information, configuration files, backup data, or development code.
Web Server Directory Structure (diagram not reproduced)
Understanding URL Structure
Example URL: http://10.20.14.204/mutillidae/index.php
Breaking it down:
• Protocol: http://
• IP Address: 10.20.14.204
• Directory: /mutillidae/
• File: index.php
Using DIRB for Directory Brute-forcing
dirb is a web content scanner that searches for hidden files and directories using wordlist-based brute-force attacks.
```bash
# View DIRB manual
man dirb
# Basic syntax
dirb http://target-url wordlist-path
# Example: Scan specific directory
dirb http://10.20.14.204/mutillidae/
# The tool will use default wordlist located at:
# /usr/share/dirb/wordlists/common.txt
# Advanced options:
# -r : Non-recursive scan
# -z : Add milliseconds delay
# -o : Save output to file
# -u username:password : HTTP authentication
```
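A wordlist scan of the kind dirb performs leaves a distinctive trail in the web server's access log: one client, many 404 responses, many distinct paths, within seconds. The script below is an added example (not part of dirb or of the page's lab) showing how a defender can spot that pattern. It parses combined-format access log lines and flags any client whose 404s inside a sliding window reach a threshold across enough distinct paths. The log lines, client addresses and thresholds are constructed for the demo.

```python
"""Added example, not part of dirb: a defender-side detector for the log
trail a directory brute-force leaves behind. Sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields the detector needs, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_scanners(lines: Iterable[str], window_seconds: int = 60,
                  min_404: int = 10, min_paths: int = 8) -> Dict[str, datetime]:
    """Return {client ip: time of first alert}. A client is flagged once its
    404s within the window number at least min_404 over min_paths distinct paths."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> (timestamp, path) of its recent 404s
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        while q and rec["ts"] - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= min_404 and len({p for _, p in q}) >= min_paths:
            alerts.setdefault(rec["ip"], rec["ts"])
    return alerts


# Constructed sample: one ordinary visitor and one client walking a wordlist.
SCAN_PATHS = ["admin", "backup", "cgi-bin", "config", "db", "images",
              "include", "logs", "old", "passwords", "test", "tmp"]
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Mar/2024:13:55:01 +0000] "GET /mutillidae/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2024:13:55:03 +0000] "GET /favicon.ico HTTP/1.1" 404 291 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2024:13:55:09 +0000] "GET /mutillidae/login.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [10/Mar/2024:13:55:{sec:02d} +0000] "GET /mutillidae/{p}/ HTTP/1.1" 404 291 "-" "Mozilla/5.0"'
    for sec, p in enumerate(SCAN_PATHS, start=10)
]

if __name__ == "__main__":
    for ip, when in find_scanners(SAMPLE_LOG).items():
        print(f"possible directory brute-force from {ip}, first seen {when.isoformat()}")
```

The distinct-path requirement matters: a broken link hit repeatedly by many visitors produces plenty of 404s on one path, which this rule deliberately ignores, while a scan touches a new path on nearly every request.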
Common Sensitive Files to Look For
📋 robots.txt
Reveals directories and files that administrators want hidden from search engines.
```text
Disallow: /passwords/
Disallow: /config.inc
Disallow: /admin/
```
⚙️ phpinfo.php
Displays detailed PHP configuration, versions, modules, and system paths.
- PHP version information
- Server configuration
- Installed modules
- File system paths
🔧 config.inc / config.php
Contains database credentials and application settings.
```php
$dbuser = "root";
$dbpass = "";
$dbname = "webapp";
```
🔑 Password Files
May contain credentials for various services.
```text
user1:password123
developer:dev@2024
```
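The four file types above are exactly what an administrator should audit their own document root for before anyone else does. The script below is an added example, not code from the page's lab: it walks a web root, lists every path that robots.txt advertises through Disallow, flags files with known-sensitive names, and checks PHP config fragments for a root database user or a blank password. The list of sensitive names, the severity labels and the sample tree (built in a temporary directory) are assumptions made for the demo.

```python
"""Added example, not from the page's lab: audit a document root for the
sensitive files discussed above. The sample tree is constructed in a temp dir."""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Names worth flagging when reachable from the document root (assumed list).
SENSITIVE_NAMES = {
    "phpinfo.php": ("High", "exposes PHP version, modules and paths"),
    "config.inc": ("Critical", "application config, often holds DB credentials"),
    "config.php": ("Critical", "application config, often holds DB credentials"),
    "accounts.txt": ("Critical", "looks like a credential list"),
    ".git": ("High", "source repository exposed"),
    ".env": ("Critical", "environment file with secrets"),
}

# Matches $dbuser = "..."; / $dbpass = "..."; assignments in a PHP fragment.
PHP_ASSIGN = re.compile(r'\$(dbuser|dbpass)\s*=\s*"([^"]*)"\s*;')


def robots_disallow(text: str) -> List[str]:
    """Return every non-empty Disallow path in a robots.txt body; '#' comments ignored."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:
                paths.append(value)
    return paths


def php_credential_issues(text: str) -> List[str]:
    """Flag a root DB user and a blank DB password in a PHP config fragment."""
    values = dict(PHP_ASSIGN.findall(text))
    issues = []
    if values.get("dbuser") == "root":
        issues.append("database user is root")
    if "dbpass" in values and values["dbpass"] == "":
        issues.append("database password is blank")
    return issues


def audit_docroot(docroot: Path) -> List[Tuple[str, str, str]]:
    """Walk the tree; return (path relative to the root, severity, reason) findings."""
    findings = []
    for path in sorted(docroot.rglob("*")):
        rel = "/" + path.relative_to(docroot).as_posix()
        name = path.name
        if name in SENSITIVE_NAMES:
            sev, why = SENSITIVE_NAMES[name]
            findings.append((rel, sev, why))
            if name in ("config.inc", "config.php") and path.is_file():
                for issue in php_credential_issues(path.read_text()):
                    findings.append((rel, "Critical", issue))
        elif name == "robots.txt" and path.is_file():
            for disallowed in robots_disallow(path.read_text()):
                findings.append((rel, "Medium", f"robots.txt advertises {disallowed}"))
    return findings


def build_demo_docroot(base: Path) -> Path:
    """Constructed sample tree mirroring the files described above."""
    (base / "passwords").mkdir()
    (base / "robots.txt").write_text(
        "User-agent: *\nDisallow: /passwords/\nDisallow: /config.inc\nDisallow: /admin/\n")
    (base / "phpinfo.php").write_text("<?php phpinfo(); ?>\n")
    (base / "config.inc").write_text(
        '<?php\n$dbuser = "root";\n$dbpass = "";\n$dbname = "webapp";\n')
    (base / "passwords" / "accounts.txt").write_text("user1:password123\ndeveloper:dev@2024\n")
    (base / "index.php").write_text("<?php echo 'hello'; ?>\n")
    return base


def demo_findings() -> List[Tuple[str, str, str]]:
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_docroot(build_demo_docroot(Path(tmp)))


if __name__ == "__main__":
    for rel, sev, why in demo_findings():
        print(f"[{sev:8}] {rel}: {why}")
```

Run against a real document root, pass the path to audit_docroot; anything it reports is also what a dirb run with the default wordlist would find, which is the point of checking first.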
Real-World Discovery Example
DIRB Scan Results Analysis
When scanning http://10.20.14.204/mutillidae/, DIRB discovered:
| File/Directory | Sensitivity | Information Gained |
|---|---|---|
| /login.php | Medium | Authentication portal discovered |
| /phpinfo.php | High | PHP 5.x, MySQL installed, config paths |
| /robots.txt | Medium | Revealed /passwords/ directory |
| /passwords/accounts.txt | Critical | Username/password pairs discovered |
| /config.inc | Critical | Database credentials (root with blank password) |
| /phpmyadmin/ | High | Database management interface |
⚠️ Security Impact
The discovered information can lead to:
- Database Compromise: Blank root password allows direct database access
- Account Takeover: Discovered credentials can be used for authentication
- Information Disclosure: phpinfo.php reveals system architecture
- Privilege Escalation: Admin credentials found in password files
4. Best Practices and Methodology
🎯 Reconnaissance Phase
- Identify all co-hosted websites
- Discover all subdomains
- Map directory structure
- Document findings systematically
🔍 Analysis Phase
- Analyze phpinfo.php for version info
- Check robots.txt for sensitive paths
- Review config files for credentials
- Identify development/beta environments
⚡ Exploitation Phase
- Test discovered credentials
- Access admin panels if found
- Target vulnerable co-hosted sites
- Escalate from one site to target
📝 Documentation Phase
- Record all discovered assets
- Document security weaknesses
- Create detailed reports
- Provide remediation recommendations
5. Tool Reference Summary
| Tool | Purpose | Key Command | Use Case |
|---|---|---|---|
| knockpy | Subdomain discovery | knockpy --domain target.com --recon | Finding hidden subdomains |
| dirb | Directory brute-forcing | dirb http://target.com/ | Discovering hidden files/directories |
| ping | IP resolution | ping target.com | Verifying co-hosted websites |
| Robtex | DNS lookup | Web interface | Finding domains on same IP |
| Bing | IP-based search | IP:192.168.1.1 | Discovering co-hosted sites |
6. Key Takeaways
🎓 Critical Security Lessons
- Shared Infrastructure Risk: Multiple websites on one server create a chain-of-trust vulnerability. Securing one site isn't enough if others are vulnerable.
- Subdomain Exposure: Development, testing, and beta environments often have reduced security controls and should be properly isolated or secured.
- Hidden Content Discovery: Security through obscurity doesn't work. Hidden files and directories can be discovered through systematic enumeration.
- Information Leakage: Files like phpinfo.php, robots.txt, and configuration files reveal critical information that aids attackers.
- Defense in Depth: Multiple layers of security are essential. Don't rely on a single security control.
⚖️ Legal and Ethical Reminder
All techniques described in this guide should only be used on systems where you have explicit written authorization to perform security testing. Unauthorized access to computer systems is illegal under laws such as:
- Computer Fraud and Abuse Act (CFAA) in the United States
- Computer Misuse Act in the United Kingdom
- Similar legislation in other jurisdictions
Always obtain proper authorization before conducting any security assessment.
Conclusion
Web application penetration testing requires a systematic approach to information gathering. By understanding server architecture, discovering subdomains, and enumerating hidden files and directories, security professionals can identify vulnerabilities before malicious actors exploit them.
Remember that effective penetration testing combines technical skills with ethical responsibility. Always work within legal boundaries and use these techniques to improve security, not compromise it.