Bug Bounty Hub
  • 🚀WELCOME
    • Bug Bounty Hub
    • BBH - Values
    • About the author
  • 🕸️PENTESTING WEB
    • Information Gathering
      • Enumerating ASN and IP blocks
      • Reverse IP Lookup
      • Scanning Open Ports/Services
      • Subdomain Enumeration
        • Active Subdomain Enumeration
        • Passive Subdomain Enumeration
        • Subdomain Permutations
        • Check Alive Subdomains
      • Subdomain Takeover
      • Fuzzing
      • JavaScript Files
      • Endpoints
      • Input Parameters
      • Mapping Attack Surface - Crawling/Spider
      • Fingerprinting
      • Potential Vulnerabilities - Nuclei
    • Client-Side Injection Attacks
    • Server-Side Vulnerabilities
      • Path Traversal/File Inclusion
      • Access Control
      • Authentication
      • Server-side Request Forgery (SSRF)
      • File upload vulnerabilities
      • OS Command Injection
      • SQL Injection
        • MySQL Injection
        • SQLi with SQLMap
    • Authentication
    • Insecure Direct Object Reference (IDOR)
    • Cross-Site Request Forgery Attacks
    • Business Logic Flaws
    • HTTP Verb Tampering
    • Bypass 401 & 403
    • Evading WAFs
    • Reporting
  • 🐣THE BASICS OF WEB
    • HTTP Methods
    • HTTP Response Codes
    • HTTP Headers
      • AWS S3 Buckets Headers
    • HTTP Cookies
    • Encoding
      • URL encoding
      • HTML encoding
      • Base 64 encoding
      • Unicode encoding
    • Web Browsers
      • Same-Origin Policy (SOP)
      • Content Security Policy (CSP)
      • Subresource Integrity Check (SIC)
    • Web Proxies
  • 📚RESOURCES
    • Books
    • Web resources
    • CTF Platforms
  • 🏔️Bug Bounty Platforms
Powered by GitBook
On this page

Was this helpful?

  1. PENTESTING WEB
  2. Information Gathering

Reverse IP Lookup

Reverse IP lookup involves querying an IP address to identify domains hosted on the same IP address.

There are numerous online tools available providing the ability to perform a reverse IP lookup, such as:

  • ViewDNS.info -> https://viewdns.info

  • RapidDNS.io -> https://rapiddns.io

Alternately, we can use curlwith RapidDNS.io to extract domain information for a specific IP range:

curl -s 'https://rapiddns.io/sameip/<CIDR>#result' \
    | grep 'target="' -B1 | egrep -v '(--| )' \
    | rev | cut -c 6- | rev | cut -c 5- | sort -u

Do not trust only one source of information. These databases are not accurate and hence they should be used in conjuction with other resources.

BGP + RapidDNS to check domains associated with some organization IP blocks

#!/bin/bash

organization="$1"

curl -s "https://api.bgpview.io/search?query_term=${organization}" \
    | jq '.data.ipv4_prefixes[].prefix' | sed 's/\"//g' | anew -q ip-blocks.txt

lines_ip=$(wc -l ip-blocks.txt | cut -d" " -f1)
echo "[+] IP Blocks detected: $lines_ip"

while IFS= read -r line; do
        curl -s "https://rapiddns.io/sameip/${line}#result" \
                | grep 'target="' -B1 | egrep -v '(--| )' \
                | rev | cut -c 6- | rev | cut -c 5- | sort -u | anew -q domains_reverseIPlookup.txt
done < ip-blocks.txt

lines_reverse=$(wc -l domains_reverseIPlookup.txt | cut -d" " -f1)
echo "[+] Domains detected: $lines_reverse"

PreviousEnumerating ASN and IP blocksNextScanning Open Ports/Services

Last updated 5 months ago

Was this helpful?

🕸️