How to find out what websites are associated with an IP that has port 80 open?

Question

New to security, so please forgive my ignornance - I have a machine with port 80 open, and I found the following information:

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-29 23:46 EDT
Nmap scan report for 127.0.0.1
Host is up (0.085s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh?
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-title: Trees of Large Sizes
|_Requested resource was site/index.php/

This clearly is information about a website of some sort, but I'm not sure how to go about finding out what/where that website is? Any pointers would be super helpful.

What do you mean by where? If I'm understanding it right: apache default root directory is /var/www/html This website can be accessed by typing ip:port on your browser. Is that it? I suppose not. — RF03, Oct 20 '16 at 03:21

score 0 · Answer 1 · answered Oct 20 '16 at 04:11

0

Try 127.0.0.1/site/index.php , seems default doc root is /var/www/html/site

answered Oct 20 '16 at 04:11

Arjun sharma

670
3
20

score 0 · Accepted Answer · edited Oct 07 '21 at 07:59

0

HTTP 1.0 and up has the host header which allows virtual hosts, or more than one website on a single IP address. You cannot know which websites are hosted by the IP address without seeing the code/configuration on the server. Imagine a CDN's server that hosts static assets of thousands of completely unrelated sites. You can see the long list of domains in a cloudflare's certificate for an example server.

The default website which you get by not specifying the host header appears to be http://[ip]/site/index.php

edited Oct 07 '21 at 07:59

Community

1

answered Oct 20 '16 at 04:14

Z.T.

8,504
1
25
39

Is there a way to discover a host header? – 123 Oct 20 '16 at 04:34
1

@123 No. It is sent by the browser. Open your /etc/hosts, invent a new domain name, set it to the ip of the server. Open a browser, navigate to the domain you invented. Your browser sent that domain in the host header of the request. The server might serve a special page only for that request. How many different web pages can the server serve for different domain names? As many as there are possible domain names. Infinity. Imagine the server is actually a proxy. How many websites are served by its IP address? All of them. – Z.T. Oct 20 '16 at 05:07

score 0 · Answer 3 · answered Oct 20 '16 at 15:49

nmap like you invoked it only scans the port. If you want to get more info about what is being served by the web server, try

nmap -p 80 --script=http-enum <ip>

or try to run a directory scanner like dirbuster, which will brute force lots of popular url paths in order to see which one of them returns a http 200 instead of 404.

How to find out what websites are associated with an IP that has port 80 open?

3 Answers3

Linked