Full Report
Jeremiah from WhiteHatSec has just written a quick piece on how to find your websites. Now, footprinting is obviously dear to our hearts, with 3 Blackhat talks on it (or applications of it) (“Automation – Deus ex Machina or Rube Goldberg Machine?“, “Putting The Tea Back Into CyberTerrorism“, “The Role of Non Obvious Relationships in the Foot Printing Process“), a commercial tool almost dedicated to it, and a full-blown chapter on it in Open Source Penetration Testing by charl and gareth. Footprinting is a genuinely important part of a company's security assessment, because it doesn't matter if they have multi-layer firewalls and WAFs protecting the web app on www.company.com when an old, barely used SQL-injectable form on their community.company.com site lets you grab SA on their SQL server anyway. (Now that the shameless self-promotion is over...) I wanted to touch on an interesting aspect of web server discovery that is often skipped, and that's the issue of multiple websites running as name-based virtual hosts on the same web server. There was a time (not so long ago) when all of the popular scanning tools failed to take into account that scanning 209.61.188.39 was not the same as scanning www.sensepost.com (or hackrack.sensepost.com, which happens to be on the same IP address).
Analysis Summary
# Best Practices: Comprehensive Web Asset Discovery and Configuration Hardening
## Overview
These security practices address the critical, often overlooked aspect of "Footprinting" an organization's digital presence, specifically focusing on the vulnerability introduced by using **Name-Based Virtual Hosting** on web servers. The core issue is that scanning an IP address directly may miss distinct, potentially vulnerable websites hosted on the same server via different hostnames (virtual hosts).
## Key Recommendations
### Immediate Actions
1. **Perform IP-Address-to-Hostname Mapping:** Immediately leverage online tools and services to identify *all* domain names resolving to your organization's established IP addresses. This exposes potentially forgotten, test, or unhardened subdomains.
2. **Verify Current Scanner Configuration:** Ensure that all automated web application and network scanners are explicitly configured to target **hostnames** (using the `Host:` header) across all relevant ranges, rather than relying solely on IP address scans.
3. **Review Shared Hosting Risk:** If using a third-party Internet Service Provider (ISP) or shared hosting environment, immediately confirm the hosting provider's segregation mechanisms between different customer web servers to prevent cross-site compromise via misconfiguration.
### Short-term Improvements (1-3 months)
1. **Audit Virtual Host Configurations:** Systematically verify the configuration of all web servers (e.g., Apache, Nginx) to understand how multiple domain names map to specific application instances residing on the same IP address.
2. **Test Virtual Host Isolation:** For every discovered name-based virtual host, execute targeted vulnerability scans (e.g., directory/file scanners, known vulnerability checks) against each unique hostname to ensure security controls are applied uniformly across all instances.
3. **Decommission or Secure Forgotten Assets:** Catalog all discovered assets (e.g., `test.company.com`, beta sites). Either immediately harden them to production security standards or permanently decommission and remove their corresponding virtual host configurations.
### Long-term Strategy (3+ months)
1. **Implement Domain Monitoring and Alerting:** Establish continuous monitoring (using external passive services) to detect the registration of new subdomains or changes in DNS records that point to your infrastructure, providing an early warning system for unauthorized asset sprawl.
2. **Adopt IP-Based Segregation for Critical Services:** Where possible, move high-risk or sensitive applications onto dedicated IP addresses, moving away from relying solely on name-based virtual hosting for critical security boundaries.
3. **Integrate Asset Discovery into Security Policies:** Formalize the process of asset discovery and inventory management within the organization's security assessment lifecycle (part of continuous compliance checks), mandating checks for name-based virtual host enumeration during penetration tests.
## Implementation Guidance
### For Small Organizations
* **Tool Usage:** Prioritize using readily available (and free/low-cost) online lookup services to map IPs to names.
* **Scanner Focus:** Ensure any basic scanning tool used (like Nikto) is used with the `-h` or equivalent flag to explicitly supply the hostname, simulating HTTP/1.1 requests correctly.
* **ISP Review:** Schedule a meeting with your ISP/hosting provider to clearly define the security boundaries and segregation policies between your hosted sites.
### For Medium Organizations
* **Automation Scripting:** Develop internal scripts or utilize existing footprinting modules within standard testing suites to automate the enumeration of virtual hosts based on an IP range.
* **Internal Auditing:** Mandate that development teams document all intended hostnames/IPs for new deployments, cross-referencing them against external discovery results.
* **Configuration Management:** Utilize configuration management tools (e.g., Ansible, Puppet) to enforce standardized, secure configurations across *all* virtual host definitions server-wide.
### For Large Enterprises
* **Dedicated Attack Surface Management (ASM) Platform:** Implement a dedicated external attack surface management solution to continuously map, monitor, and risk-score the entire public-facing digital footprint, including hidden or overlapping assets.
* **Security Framework Integration:** Integrate findings from virtual host enumeration directly into existing governance, risk, and compliance (GRC) workflows for immediate remediation tracking.
* **DNS/Firewall Policy Enforcement:** Implement rigorous DNS governance. Ensure firewall rules explicitly deny direct IP access to web server ports where name-based virtual hosting is in use, forcing all traffic through the intended hostname resolution path unless specifically required otherwise.
## Configuration Examples
*The article highlights the format difference, necessitating the use of the `Host:` header.*
**Required HTTP/1.1 Request Format (used by scanners):**
```http
# Target: www.company.com (which resolves to IP X.X.X.X)
GET /path/endpoint HTTP/1.1
Host: www.company.com
Connection: close
```
**Implication for Scanning:**
If a scanner only uses the IP address without specifying the Host header (as in older HTTP/1.0 or raw IP checks), the web server may default to the first configured virtual host, ignoring potentially vulnerable sites configured for subsequent hostnames (e.g., `community.company.com`). **Always specify the Host header.**
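The following script is an added example (not from the original post or from any scanner the page names) that turns the point above into a check you can run against your own server: it sends the same request with the bare IP and with each candidate hostname in the `Host:` header, and reports the hostnames whose reply differs from the bare-IP reply, i.e. the virtual hosts an IP-only scan would silently miss. The hostnames, the IP `192.0.2.10` and the sample replies in `SAMPLES` are constructed; the `probe()` function does the live request, while `demo()` runs the comparison offline.

```python
import hashlib
import socket

def build_request(host: str, path: str = "/") -> bytes:
    """HTTP/1.1 request; the Host header is what selects the virtual host."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode()

def fingerprint(raw: bytes) -> dict:
    """Reduce a raw HTTP response to status, Location and a short body hash."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(b":", 1) for line in lines[1:] if b":" in line)}
    return {"status": int(lines[0].split()[1]),
            "location": headers.get(b"location", b"").decode(),
            "body": hashlib.sha256(body).hexdigest()[:16]}

def distinct_vhosts(ip_fp: dict, by_name: dict) -> dict:
    """Hostnames whose reply differs from the bare-IP reply: separate sites needing their own scan."""
    return {name: fp for name, fp in by_name.items() if fp != ip_fp}

def probe(ip: str, host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Live probe: one request to ip with the given Host header (not used by the offline demo)."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        chunks = []
        while chunk := s.recv(65536):
            chunks.append(chunk)
    return fingerprint(b"".join(chunks))

def audit(ip: str, hostnames: list, port: int = 80) -> dict:
    """Compare every candidate hostname against the bare-IP response on a live server."""
    return distinct_vhosts(probe(ip, ip, port),
                           {h: probe(ip, h, port) for h in hostnames})

# Constructed sample replies standing in for one server with three vhosts.
SAMPLES = {
    "192.0.2.10": b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>Default site</html>",
    "www.company.com": b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>Default site</html>",
    "community.company.com": b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>Old forum</html>",
    "test.company.com": b"HTTP/1.1 301 Moved Permanently\r\nLocation: http://beta.company.com/\r\n\r\n",
}

def demo() -> dict:
    """Offline run over SAMPLES: www is the default vhost; the other two are extra sites."""
    fps = {name: fingerprint(raw) for name, raw in SAMPLES.items()}
    return distinct_vhosts(fps["192.0.2.10"],
                           {n: f for n, f in fps.items() if n != "192.0.2.10"})
```

Feed `audit()` the hostnames from your DNS records and reverse-IP lookups; any hostname it reports is a site your scanner must be pointed at by name, and a bare-IP reply that is a real site rather than a refusal shows direct IP access is not being denied.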
## Compliance Alignment
* **NIST SP 800-53 (AC-2, RA-5):** Directly addresses the need for inventory management, configuration control, and regular vulnerability assessments that must account for the full scope of internet-facing assets.
* **ISO/IEC 27001 (A.5.1, A.12.6.1):** Requires proper asset management and technical vulnerability management, which necessitates comprehensive discovery beyond initial asset listings.
* **CIS Controls (Control 3: Asset Inventory and Control of Enterprise Assets):** Requires maintaining an accurate, comprehensive inventory of all hardware and software assets, extending fundamentally to all accessible public host entries.
## Common Pitfalls to Avoid
* **Assuming IP Scanning Suffices:** Never assume that scanning a direct IP address fully covers the security posture of a web server; this misses virtual hosts entirely.
* **Ignoring Test/Beta Environments:** Foregoing the scanning of subdomains like `test.company.com` or those pointing to known infrastructure IPs, as these often contain unpatched, legacy, or development code.
* **Trusting Internal Inventory Only:** Relying solely on internal IT records for asset identification; attackers use external, passive means that often find assets IT is unaware of.
## Resources
* **Name Resolution Mapping Tools:** (Conceptual examples based on the text) Domain Name Analysis Tools (e.g., DomainTools or equivalents), reverse IP lookup services.
* **Vulnerability Scanners:** Ensure tools used (e.g., Nikto, Wikto equivalents) support mandatory HTTP/1.1 `Host:` header specification for comprehensive scans.
* **Web Server Documentation:** Review documentation for web server platforms (Apache's `NameVirtualHost`/`<VirtualHost>` directives, Nginx's `server_name`) to understand how unintended hosts might be served from the same IP.