Last week, I received an email "from a friend" that invited me to create an account on some site in order to view "some pictures" he had sent me. The last step in the sign-up process included giving the site my gmail login information, which I was not about to do. At that point, I wondered if my friend was aware that I had been sent a message "from him". It turned out that he was not aware that the site had sent out an email to me. He did say, however, that he had gone through the signup process and had given the site his gmail login information. Following that, the site had sent emails to everyone it could find in his gmail account, telling them all that he had pictures he wanted to show them.
Needless to say, I found this rather disconcerting and wanted to find more information about the site. One of the things I did was to figure out what other subdomains the site has on its server.
It's easy enough to find a website's main IP address (an nslookup on the domain name will do). From there, finding other hosts belonging to the same site isn't hard. Hosting companies tend to hand out IP addresses in more or less sequential blocks, and a company usually orders its servers at the same time, so its servers' addresses are likely to be clustered together. That makes it practical to walk the surrounding range with reverse (PTR) lookups and see which addresses resolve to names belonging to the site. The caveat is that a reverse lookup only shows addresses whose owner bothered to publish a PTR record: a host with no PTR, a generic hosting-provider PTR, or a stale one will be missed or mislabelled, so treat the list as a starting point rather than a complete inventory. This is how I did it from the command line:
@del ips.txt 2>nul &cmd /c "for /l %i in (0, 1, 255) do @echo 216.157.72.%i >> ips.txt & @echo 216.157.73.%i >> ips.txt" & nslookup 2>nul < ips.txt > results.txt & type results.txt | find /i "wegame"
Yeah, I know it's a bit much all at once. This is how it looks broken up to be a bit more readable:
@del ips.txt 2>nul &
cmd /c
"for /l %i in (0, 1, 255) do
@echo 216.157.72.%i >> ips.txt &
@echo 216.157.73.%i >> ips.txt" &
nslookup 2>nul < ips.txt > results.txt &
type results.txt | find /i "wegame"
So, I start out deleting any old ips.txt lying around, sending any error output to nul ( @del ips.txt 2>nul ). Then I run a for loop that generates the IPs in a separate cmd (hence the cmd /c). The loop counts from 0 to 255 ( for /l %i in (0, 1, 255) ) and appends each loop value (%i) to the two address prefixes (216.157.72. and 216.157.73.). I chose this range because the main server's IP address is 216.157.72.224, roughly in the middle of the two blocks. After generating the addresses, I feed the resulting file (ips.txt) to nslookup on standard input ( < ips.txt ), which treats each line as an interactive query and does a reverse lookup on each address, send any error output to nul ( 2>nul ), and write the results to a text file ( > results.txt ). Because nslookup also prints Server: and Address: lines for every query, I then type the contents of results.txt and pipe it to a find command that keeps only the lines containing "wegame" ( type results.txt | find /i "wegame" ). Each Name: line corresponds to one address that had a PTR record, so a name listed twice resolved from two addresses. Note that the %i form only works when typed at the prompt; inside a .bat or .cmd file the loop variable has to be written %%i. The output looks like this:
Name: test3.wegame.com
Name: test3.wegame.com
Name: medproc3.wegame.com
Name: medproc3.wegame.com
Name: db2.wegame
Name: db2.wegame
Name: vip1.wegame.com
Name: fw.wegame
Name: medproc1.wegame
Name: medproc1.wegame
Name: medproc2.wegame
Name: medproc2.wegame
Name: test2.wegame
Name: test2.wegame
Name: test1.wegame
Name: test1.wegame
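As an added example (this is not the original post's script), here is the same sweep written in Python so it runs on any OS and fixes two weaknesses of the batch version: it collapses names that resolve from several addresses, and it forward-resolves each name it finds to check that the PTR record still points back at the address (forward-confirmed reverse DNS), which separates live hosts from stale or misleading PTRs. The resolver functions are injectable; the FAKE_PTR and FAKE_FORWARD tables over the 192.0.2.0/29 documentation range are constructed sample data, not real hosts, so the script runs offline. For a live run, call sweep() with the default system_ptr/system_forward resolvers.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# A PTR resolver maps "a.b.c.d" -> hostname, or None when there is no PTR record.
PtrFn = Callable[[str], Optional[str]]
# A forward resolver maps hostname -> list of IPv4 addresses (empty if it does not resolve).
FwdFn = Callable[[str], List[str]]


def system_ptr(ip: str) -> Optional[str]:
    """Reverse lookup through the OS resolver; this is what nslookup does with a bare address."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses: no PTR, timeout, ...
        return None


def system_forward(name: str) -> List[str]:
    """Forward (A record) lookup used to confirm that a PTR name really points back at the address."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []


def sweep(networks: Iterable[str], needle: str,
          ptr: PtrFn = system_ptr, forward: FwdFn = system_forward) -> Dict[str, Dict[str, List[str]]]:
    """Reverse-resolve every address in the given CIDR blocks and keep names containing `needle`
    (case-insensitive, like `find /i`). Returns {name: {"ips": [...], "forward_confirmed": [...]}}
    where forward_confirmed lists the addresses the name also resolves back to."""
    hits: Dict[str, List[str]] = {}
    for net in networks:
        for addr in ipaddress.ip_network(net, strict=False):
            name = ptr(str(addr))
            if name is not None and needle.lower() in name.lower():
                hits.setdefault(name, []).append(str(addr))  # one name from several IPs collapses here

    results: Dict[str, Dict[str, List[str]]] = {}
    for name, ips in hits.items():
        fwd = set(forward(name))
        results[name] = {
            "ips": ips,
            "forward_confirmed": [ip for ip in ips if ip in fwd],
        }
    return results


# --- Constructed sample data (an assumption, not real hosts) over the 192.0.2.0/29 documentation range ---
FAKE_PTR = {
    "192.0.2.1": "fw.example.net",
    "192.0.2.2": "db2.example.net",
    "192.0.2.3": "db2.example.net",                   # two addresses sharing one PTR name
    "192.0.2.4": "static-4.hosting-provider.example",  # generic provider PTR, not the target site
    "192.0.2.6": "old.example.net",                   # stale PTR: the name now points elsewhere
    # .0, .5 and .7 have no PTR record at all
}
FAKE_FORWARD = {
    "fw.example.net": ["192.0.2.1"],
    "db2.example.net": ["192.0.2.2", "192.0.2.3"],
    "old.example.net": ["198.51.100.9"],
}


def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    return FAKE_FORWARD.get(name, [])


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Offline run of the sweep against the constructed tables."""
    return sweep(["192.0.2.0/29"], "example.net", ptr=fake_ptr, forward=fake_forward)


if __name__ == "__main__":
    for name, info in sorted(demo().items()):
        flag = "ok" if info["forward_confirmed"] else "UNCONFIRMED"
        print(f"{name:<20} {', '.join(info['ips']):<24} {flag}")
```

Run it with no arguments for the offline demo. For the post's own range you would call sweep(["216.157.72.0/24", "216.157.73.0/24"], "wegame"); expect it to take a while, since every address is a separate DNS query, and remember that those queries are visible to whoever operates your resolver. A name that comes back without any forward-confirmed address is worth a second look before you count it as a live host.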
You can also make it more verbose about what it is doing by changing it to this:
@echo . & @echo ------------------------------ & @echo . NSLOOKUP SCRIPT & @echo ------------------------------ & @echo . & @echo . Generating ips into ips.txt & @del ips.txt 2>nul & cmd /c "for /l %i in (0, 1, 255) do @echo 216.157.72.%i >> ips.txt & @echo 216.157.73.%i >> ips.txt" & @echo . Running nslookup on generated ips & @echo . (results outputted to results.txt) & nslookup 2>nul < ips.txt > results.txt & @echo . Searching results for [wegame] & type results.txt | find /i "wegame" & @echo . DONE!
The new output will look like this:
.
------------------------------
. NSLOOKUP SCRIPT
------------------------------
.
. Generating ips into ips.txt
. Running nslookup on generated ips
. (results outputted to results.txt)
. Searching results for [wegame]
Name: test3.wegame.com
Name: test3.wegame.com
Name: medproc3.wegame.com
Name: medproc3.wegame.com
Name: db2.wegame
Name: db2.wegame
Name: vip1.wegame.com
Name: fw.wegame
Name: medproc1.wegame
Name: medproc1.wegame
Name: medproc2.wegame
Name: medproc2.wegame
Name: test2.wegame
Name: test2.wegame
Name: test1.wegame
Name: test1.wegame
. DONE!