Blacksheepwall: Hostname Discovery with Node

By Jason Doyle, Tom Steele ·

Introducing Blacksheepwall

Hostname discovery is a critical step in the execution of a complete penetration test. You can’t attack what you can’t see. Many times you can’t view a web application by IP address due to, for example, name-based virtual hosting. This is commonly used to host several web applications using a single IP.  In order to access a virtually-hosted website, you must use its hostname so the server knows which web application to serve. Otherwise, you may just see a default page, receive an HTTP error, or some other innocuous message. Inexperienced attackers may misinterpret these responses and think that there is simply no content and move on; when in reality, the web server may be hosting many applications which, unfortunately, will go untested.

If you have ever played StarCraft you may know that the cheat “black sheep wall” removed the fog of war, revealing the entire map. That’s what we intended to do for host discovery, reveal all of the hosts and vhosts present on a target domain or IP address. Host and domain reconnaissance is not a new idea and there are many similar tools already written to handle this task, including fierce and dnsrecon. Both do an excellent job.

However, FishNet Security wanted something faster that provides additional functionality and we built blacksheepwall using Node to offer just that. This allows us to create a ton of requests asynchronously, making it possible to look up 2000+ names in just over 5 seconds. It creates so many requests that if you don’t set your name server for something like, well, you’re going to have a bad time.

We’ve built out all of the standard options that you would expect including dictionary based host discovery, but also added some new methods for discovery including Bing and certificate parsing. There are a handful of other options, all hopefully well documented in the usage.

Give the tool a shot and let us know what you think. If you find a bug or a have a feature request, tell us! Also, remember, this is a work in progress and in constant development. So check back for updates frequently.

The tool is available on NPM and can be installed globally with the following command `npm install –g blacksheepwall`.

Download: blacksheepwall