How to expand your attack surface

with Reverse IP lookups

Often, we face a situation where we receive a domain to pentest, and after each attempt in the playbook, we still don’t find any way to get in.

So, how to expand your attack surface?

When you run out of options for breaking into one door, you might want to try a different door… or a window.

In this case, it might be better to give up on that domain and try to find a different domain hosted on the same web server. After all, we are not really interested in the domain itself, but in the access to the server. This is where Reverse IP lookup services come in handy.

What are Reverse IP lookup services?

Reverse IP lookup services will find all domains whose A records point to a given IP address. This makes your attack surface (and also your likelihood of success) much larger than before. In short, if you input a domain or IP, it will output all other domains associated with the IP of that server.

I personally use the following two online services:

The last service mentioned is my favourite. It has an API which I was able to include in a simple script. The script uses aquatone to automatically scan the index page of every domain on a web server.

What is Aquatone?

Aquatone is a tool which, given a domain or a list of domains, will first scan the domain for web servers on common ports (80, 443 etc.). After that, it will detect the web app name and version for each one (example: WordPress v5.0.1, Joomla etc), take a screenshot, and generate an HTML report.

If you want to find out more about aquatone, I recommend the following site: .

Putting them together

I am going to use the Reverse IP lookup API and pass the results as input for aquatone. As an example, I am going to expand the attack surface for

Of course, I don’t expect to find any vulnerable web apps, but it will highlight the functionality I am talking about.

Hackertarget’s API finds every domain hosted on the same web server as This gets passed to aquatone, which proceeds to detect the web app on the index page and its version for each domain. Also, it screenshots it for easier visualisation when we are dealing with large amounts of domains:

As you can see above, we’ve gone through 265 domains and screenshotted every one of them. Furthermore, it detected the web app name and version and generated an HTML report in 3 minutes and 41 seconds.

The report looks like this:

The tags in blue are the technologies / web apps used and their versions if available. This format makes it very easy for a pentester to choose a potential target and save time on an assessment.

To summarise, if you find nothing on one domain, no worries. There are dozens of others that could give you access to the same server.

If everything is discussed and agreed with the client, this should be a very efficient way of increasing the chances of success for any pentester.
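A scope check to run between the reverse IP lookup and aquatone, so that only hosts the client has agreed to end up in the target list. This is an added example, not the author's script; it assumes the lookup response is plain text with one hostname per line, and the sample response, scope list and function names are constructed for illustration.

```python
import re

# Constructed sample: a reverse IP lookup response, assumed to be plain text
# with one hostname per line, including duplicates and a non-hostname line.
SAMPLE_LOOKUP = """\
www.client.example
shop.client.example
SHOP.client.example.
blog.other-tenant.example
notclient.example
client.example.other-tenant.example
error: quota exceeded
"""

# Constructed scope list, standing in for what was agreed with the client.
# "*.name" covers subdomains only; a bare name covers that exact host.
SAMPLE_SCOPE = ["client.example", "*.client.example"]

# Plain ASCII hostnames only: dot-separated labels and an alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

def parse_hosts(text):
    """Return unique, normalised hostnames; drop lines that are not hostnames."""
    seen, hosts = set(), []
    for line in text.splitlines():
        host = line.strip().lower().rstrip(".")
        if HOSTNAME_RE.match(host) and host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts

def in_scope(host, scope):
    """Match on whole DNS labels, so 'notclient.example' does not slip through."""
    for entry in scope:
        entry = entry.lower().rstrip(".")
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # compares against ".client.example"
                return True
        elif host == entry:
            return True
    return False

def split_by_scope(text, scope):
    """Return (in_scope, out_of_scope) host lists from a lookup response."""
    hosts = parse_hosts(text)
    allowed = [h for h in hosts if in_scope(h, scope)]
    return allowed, [h for h in hosts if h not in allowed]

if __name__ == "__main__":
    allowed, held = split_by_scope(SAMPLE_LOOKUP, SAMPLE_SCOPE)
    print("\n".join(allowed))  # one host per line, usable as a target list
```

Hosts in the second list belong to other tenants of the same server and stay out of the scan until the client and the hosting provider have approved them.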

Let me know in the comments below if you’ve had success with this method. 🙂
