Obtaining the URL of a hosted system

I’ve been reviewing some of our clients’ system security parameters, especially externally hosted systems. I’m finding a real mix: some are fairly secure, others just scream ‘attack me’. For example, I’ve found one externally hosted system that does not employ 2FA, minimum password age, password history or account lockout after x incorrect passwords. So in theory, if an attacker knows the URL and can guess or phish the naming convention for the user names, they can set up a programme to brute force account passwords until they get in.

Speaking to the system owners, however, their defence is, ‘yes, but you need to know the URL first’. This doesn’t sit well with me; I’m pretty sure that if you searched their company’s website or Google, you would have a good chance of finding the URL in some documentation somewhere. Or you can just ring them up and ask; I’m sure someone will tell you.

However, if you got nowhere with this approach but you did find out that the system you’re after was hosted by a particular company, is it possible to get the URL by some kind of ‘probe’ at the hosting company? I’m not an expert, but can you do something with DNS to find URLs, or anything else to determine what it could be, apart from searching websites for documentation that might have been made public with the URL?
jdc1944 asked:
noci (Software Engineer) commented:
Well, I tend to disagree: whether or not they know the URL isn't an issue; it isn't relevant at all.
If they just logged all the traffic passing their ports they would see there is a LOT of traffic just trying to find out if systems are at some address and, if so, what ports are open (port scanning), and some try to exploit blindly depending on the mix of ports available...
I see telnet (apparently it is useful to scan for), SSH, SIP, SQL Server, various Microsoft protocols.

Besides that, various sites that scan the net continuously (Shodan) keep queryable databases where you can quickly select systems based on port, and even on the version strings presented by servers.

And maybe some are trying... here is an excerpt from a recent log:
[Feb 5 16:15] IP4 BLOCK IN=ppp0 OUT= MAC= SRC=5.102.211.218 DST=xx.xx.xx.xx LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=13798 DF PROTO=TCP SPT=12787 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
[Feb 5 16:16] IP4 DROP IN=ppp0 OUT= MAC= SRC=151.106.15.114 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=33887 PROTO=TCP SPT=53200 DPT=8259 WINDOW=1024 RES=0x00 SYN URGP=0
[ +10.764091] IP4 DROP IN=ppp0 OUT= MAC= SRC=151.106.15.114 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=39508 PROTO=TCP SPT=53471 DPT=8608 WINDOW=1024 RES=0x00 SYN URGP=0
[ +32.119489] IP4 DROP IN=ppp0 OUT= MAC= SRC=185.222.211.36 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=45421 PROTO=TCP SPT=40840 DPT=10509 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:17] IP4 DROP IN=ppp0 OUT= MAC= SRC=191.101.167.83 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=3769 PROTO=TCP SPT=43260 DPT=30002 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:18] IP4 BLOCK IN=ppp0 OUT= MAC= SRC=121.114.164.91 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1506 PROTO=TCP SPT=44886 DPT=23 WINDOW=46925 RES=0x00 SYN URGP=0
[Feb 5 16:19] IP4 BLOCK IN=ppp0 OUT= MAC= SRC=222.138.116.174 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=29697 PROTO=TCP SPT=36170 DPT=23 WINDOW=38482 RES=0x00 SYN URGP=0
[  +8.032363] IP4 DROP IN=ppp0 OUT= MAC= SRC=5.188.11.10 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=44133 PROTO=TCP SPT=53814 DPT=53339 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:22] IP4 BLOCK IN=ppp0 OUT= MAC= SRC=177.180.20.1 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=5188 PROTO=TCP SPT=7251 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
[Feb 5 16:23] IP4 DROP IN=ppp0 OUT= MAC= SRC=185.222.211.36 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=9034 PROTO=TCP SPT=40840 DPT=27317 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:24] IP4 BLOCK IN=ppp0 OUT= MAC= SRC=61.86.89.227 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=24885 PROTO=TCP SPT=24508 DPT=23 WINDOW=28554 RES=0x00 SYN URGP=0
[Feb 5 16:25] IP4 DROP IN=ppp0 OUT= MAC= SRC=151.106.15.114 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=4659 PROTO=TCP SPT=53670 DPT=8915 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:26] IP4 DROP IN=ppp0 OUT= MAC= SRC=109.248.9.114 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=7676 PROTO=TCP SPT=44537 DPT=63393 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:27] IP4 BLOCK IN=ppp0 OUT= MAC= SRC=208.100.26.228 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=59660 PROTO=TCP SPT=40234 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
[ +12.850048] IP4 DROP IN=ppp0 OUT= MAC= SRC=185.222.211.36 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=6973 PROTO=TCP SPT=40840 DPT=63339 WINDOW=1024 RES=0x00 SYN URGP=0
[  +0.715927] IP4 DROP IN=ppp0 OUT= MAC= SRC=5.188.11.188 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=52987 PROTO=TCP SPT=53890 DPT=3338 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:29] IP4 DROP IN=ppp0 OUT= MAC= SRC=77.72.82.166 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=15431 PROTO=TCP SPT=59927 DPT=3402 WINDOW=1024 RES=0x00 SYN URGP=0
[ +34.279715] IP4 BLOCK IN=ppp0 OUT= MAC= SRC=115.187.245.38 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=40852 PROTO=TCP SPT=16306 DPT=2323 WINDOW=12192 RES=0x00 SYN URGP=0
[Feb 5 16:30] IP4 DROP IN=ppp0 OUT= MAC= SRC=151.106.15.114 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=41374 PROTO=TCP SPT=53600 DPT=8802 WINDOW=1024 RES=0x00 SYN URGP=0
[  +1.807499] IP4 DROP IN=ppp0 OUT= MAC= SRC=40.77.229.77 DST=xx.xx.xx.xx LEN=173 TOS=0x00 PREC=0x00 TTL=114 ID=9652 DF PROTO=TCP SPT=443 DPT=50946 WINDOW=7630 RES=0x00 ACK PSH URGP=0
[  +0.374933] IP4 DROP IN=ppp0 OUT= MAC= SRC=40.77.229.77 DST=xx.xx.xx.xx LEN=173 TOS=0x00 PREC=0x00 TTL=114 ID=9653 DF PROTO=TCP SPT=443 DPT=50946 WINDOW=7630 RES=0x00 ACK PSH URGP=0
[  +0.312758] IP4 DROP IN=ppp0 OUT= MAC= SRC=40.77.229.77 DST=xx.xx.xx.xx LEN=173 TOS=0x00 PREC=0x00 TTL=115 ID=9654 DF PROTO=TCP SPT=443 DPT=50946 WINDOW=7630 RES=0x00 ACK PSH URGP=0
[ +21.936819] IP4 DROP IN=ppp0 OUT= MAC= SRC=5.188.203.129 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=3853 PROTO=TCP SPT=50349 DPT=3384 WINDOW=1024 RES=0x00 SYN URGP=0
[  +3.607297] IP4 DROP IN=ppp0 OUT= MAC= SRC=151.106.15.114 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=50297 PROTO=TCP SPT=53435 DPT=8569 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:31] IP4 DROP IN=ppp0 OUT= MAC= SRC=62.210.202.185 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=53354 PROTO=TCP SPT=54967 DPT=8081 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:32] IP4 DROP IN=ppp0 OUT= MAC= SRC=191.101.167.250 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=39094 PROTO=TCP SPT=56614 DPT=7285 WINDOW=1024 RES=0x00 SYN URGP=0
[  +6.308091] IP4 DROP IN=ppp0 OUT= MAC= SRC=163.172.44.127 DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=14957 DF PROTO=TCP SPT=35760 DPT=8443 WINDOW=29200 RES=0x00 SYN URGP=0
[ +11.172593] IP4 DROP IN=ppp0 OUT= MAC= SRC=185.222.211.36 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=57237 PROTO=TCP SPT=40840 DPT=125 WINDOW=1024 RES=0x00 SYN URGP=0
[  +2.700539] IP4 DROP IN=ppp0 OUT= MAC= SRC=185.222.211.36 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=4463 PROTO=TCP SPT=40840 DPT=55893 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:33] IP4 BLOCK IN=ppp0 OUT= MAC= SRC=179.111.27.182 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=2908 PROTO=TCP SPT=47307 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
[ +19.487538] IP4 DROP IN=ppp0 OUT= MAC= SRC=185.222.211.36 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=57861 PROTO=TCP SPT=40840 DPT=40643 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:34] IP4 DROP IN=ppp0 OUT= MAC= SRC=151.106.15.114 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=51587 PROTO=TCP SPT=53171 DPT=8207 WINDOW=1024 RES=0x00 SYN URGP=0


1
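noci's point is that attackers do not start from a URL; they start from an IP address and a port. The following is an added example, not code from the comment above: a small triage script for netfilter LOG lines in the format quoted, which groups inbound SYNs by source address, tells a port sweep apart from a single-service probe and from connection backscatter, and counts how many independent sources are hunting the same service port. The sample lines are copied from the excerpt above (destination masked as in the post); the threshold of three distinct ports for calling something a sweep is an assumption.

```python
"""Triage of netfilter/iptables LOG lines: who is sweeping ports, which services
the internet is hunting for, and what is merely backscatter. Added example."""
import re
from collections import defaultdict

# Lines copied from the log excerpt in the post above; DST is masked as posted.
SAMPLE_LOG = """\
[Feb 5 16:15] IP4 BLOCK IN=ppp0 OUT= MAC= SRC=5.102.211.218 DST=xx.xx.xx.xx LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=13798 DF PROTO=TCP SPT=12787 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
[Feb 5 16:16] IP4 DROP IN=ppp0 OUT= MAC= SRC=151.106.15.114 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=33887 PROTO=TCP SPT=53200 DPT=8259 WINDOW=1024 RES=0x00 SYN URGP=0
[ +10.764091] IP4 DROP IN=ppp0 OUT= MAC= SRC=151.106.15.114 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=39508 PROTO=TCP SPT=53471 DPT=8608 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:18] IP4 BLOCK IN=ppp0 OUT= MAC= SRC=121.114.164.91 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1506 PROTO=TCP SPT=44886 DPT=23 WINDOW=46925 RES=0x00 SYN URGP=0
[Feb 5 16:19] IP4 BLOCK IN=ppp0 OUT= MAC= SRC=222.138.116.174 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=29697 PROTO=TCP SPT=36170 DPT=23 WINDOW=38482 RES=0x00 SYN URGP=0
[Feb 5 16:25] IP4 DROP IN=ppp0 OUT= MAC= SRC=151.106.15.114 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=4659 PROTO=TCP SPT=53670 DPT=8915 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:27] IP4 BLOCK IN=ppp0 OUT= MAC= SRC=208.100.26.228 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=59660 PROTO=TCP SPT=40234 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
[Feb 5 16:30] IP4 DROP IN=ppp0 OUT= MAC= SRC=151.106.15.114 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=41374 PROTO=TCP SPT=53600 DPT=8802 WINDOW=1024 RES=0x00 SYN URGP=0
[  +1.807499] IP4 DROP IN=ppp0 OUT= MAC= SRC=40.77.229.77 DST=xx.xx.xx.xx LEN=173 TOS=0x00 PREC=0x00 TTL=114 ID=9652 DF PROTO=TCP SPT=443 DPT=50946 WINDOW=7630 RES=0x00 ACK PSH URGP=0
[  +0.374933] IP4 DROP IN=ppp0 OUT= MAC= SRC=40.77.229.77 DST=xx.xx.xx.xx LEN=173 TOS=0x00 PREC=0x00 TTL=114 ID=9653 DF PROTO=TCP SPT=443 DPT=50946 WINDOW=7630 RES=0x00 ACK PSH URGP=0
[Feb 5 16:33] IP4 BLOCK IN=ppp0 OUT= MAC= SRC=179.111.27.182 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=2908 PROTO=TCP SPT=47307 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"\b([A-Z]+)=(\S*)")          # netfilter KEY=VALUE fields (value may be empty)
FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}   # set TCP flags appear as bare words


def parse_line(line):
    """Return the KEY=VALUE fields plus 'flags' and 'action', or None for non-log text."""
    if "PROTO=" not in line:
        return None
    rec = dict(KV.findall(line))
    rec["flags"] = {tok for tok in line.split() if tok in FLAGS}
    rec["action"] = line.split("]", 1)[1].split()[1]   # BLOCK / DROP after the timestamp
    return rec


def triage(log_text, sweep_threshold=3):
    """Group inbound TCP SYNs by source. A source probing >= sweep_threshold
    distinct ports on this host is a port sweep; traffic with no SYN at all is
    backscatter (replies to an earlier connection), not a scan. Also report
    ports that several unrelated sources are hunting for (assumed threshold: 2)."""
    per_src = defaultdict(lambda: {"ports": set(), "syn": 0, "other": 0})
    per_port = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "TCP":
            continue
        entry = per_src[rec["SRC"]]
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            port = int(rec["DPT"])
            entry["syn"] += 1
            entry["ports"].add(port)
            per_port[port].add(rec["SRC"])
        else:
            entry["other"] += 1
    findings = {}
    for src, e in per_src.items():
        if len(e["ports"]) >= sweep_threshold:
            findings[src] = "port sweep (%d distinct ports)" % len(e["ports"])
        elif e["syn"] == 0:
            findings[src] = "backscatter (no SYN)"
        else:
            findings[src] = "service probe on %s" % ",".join(str(p) for p in sorted(e["ports"]))
    hunted = {port: len(srcs) for port, srcs in per_port.items() if len(srcs) >= 2}
    return findings, hunted


if __name__ == "__main__":
    findings, hunted = triage(SAMPLE_LOG)
    for src, verdict in sorted(findings.items()):
        print("%-16s %s" % (src, verdict))
    print("ports hunted by several sources:", hunted)
```

On the excerpt, 151.106.15.114 walks through ports 8259, 8608, 8915 and 8802 on one host (a sweep), three unrelated sources hit Telnet and two hit RDP within a quarter of an hour (service hunting, the pattern mass scanners and botnets produce), and the ACK/PSH packets from 40.77.229.77:443 carry no SYN and are most likely leftovers of an earlier outbound connection rather than a scan. None of it required the attacker to know a hostname.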
Shaun Vermaak (Technical Specialist IV) commented:
Yes, one of the methods to find these nuggets of information is Google Dorks. They might be surprised with what information is available.
https://www.exploit-db.com/google-hacking-database/
1
David Johnson, CD, MVP (Owner) commented:
Security by obscurity is not security.
Account lockout after x incorrect passwords at minimum, and auto-unlock after X minutes, would slow down password guessing attempts. You also have to log and alert on this.
1
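The control David describes, as an added example (not code from the comment): a minimal authentication gate that locks an account after N consecutive failures, auto-unlocks after X minutes, refuses even the correct password while locked, and records an alert each time a lock is applied. The policy numbers, the credential store and the attempt stream are constructed for the example.

```python
"""Account lockout with auto-unlock and alerting. Added example, not code from
the original post; credentials and the attempt stream below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # lock after this many consecutive failures
    lockout_minutes: int = 15    # auto-unlock after this long


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None when not locked


class AuthGate:
    def __init__(self, policy, valid_credentials):
        self.policy = policy
        self.valid = valid_credentials   # constructed user -> password map
        self.state = {}
        self.alerts = []                 # what would go to the SIEM / on-call

    def attempt(self, ts, user, password):
        st = self.state.setdefault(user, AccountState())
        if st.locked_until is not None:
            if ts < st.locked_until:
                return "LOCKED"          # refuse even a correct password while locked
            st.locked_until, st.failures = None, 0   # auto-unlock, fresh window
        if self.valid.get(user) == password:
            st.failures = 0
            return "OK"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = ts + self.policy.lockout_minutes * 60
            self.alerts.append((ts, user, "locked after %d failures" % st.failures))
            return "LOCKED"
        return "FAIL"


def guesses_per_day(policy):
    """Upper bound on online guesses against one account in 24 hours."""
    return int(24 * 60 / policy.lockout_minutes) * policy.max_failures


def simulate(policy=LockoutPolicy()):
    """Constructed attack: five wrong guesses, then the right password, then a
    retry with the right password once the lock has expired."""
    gate = AuthGate(policy, {"jsmith": "correct horse battery staple"})
    t0 = 1_700_000_000
    guesses = ["123456", "password", "qwerty", "letmein", "Winter2019!",
               "correct horse battery staple"]
    results = [gate.attempt(t0 + i, "jsmith", g) for i, g in enumerate(guesses)]
    results.append(gate.attempt(t0 + policy.lockout_minutes * 60 + 10,
                                "jsmith", "correct horse battery staple"))
    return results, gate.alerts


if __name__ == "__main__":
    outcomes, alerts = simulate()
    print(outcomes)
    print(alerts)
    print("max guesses per account per day:", guesses_per_day(LockoutPolicy()))
```

With 5 failures per 15-minute window an attacker gets at most 480 guesses per account per day instead of as many as the server can answer; with no lockout at all, as on the system in the question, the only limit is bandwidth. Two caveats: auto-unlock means a patient attacker can keep going, so the alerts have to be acted on, and lockout pushes attackers toward password spraying (one common password across many user names), which this per-account counter does not see; watch failure counts per source address as well, and add 2FA.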
Dr. Klahn (Principal Software Engineer) commented:
I agree with what has been said above. "Knowing the URL" as security is no security at all. Many web sites respond just as happily to a URL prefix in the form of "http://www.xxx.yyy.zzz" in numeric form as they will to a URL with a proper FQDN. When a scanner locates a web site by IP, a brute-force attack usually ensues, and the server had better have some backstops such as Apache mod_nsf to put a quick halt to it.

(As a side note, this "feature" can be defeated in Apache by using name-based virtual hosting so that IP-based URLs don't even get looked at. IMO that should be done even if there is only one web site on the server.)
0
Shalom Carmel (CTO) commented:
You need to know the URL first. Right.

Shodan is a full text searchable database of online services. https://www.shodan.io

Pentest Tools enumerate subdomains - what you call URLs. https://pentest-tools.com/information-gathering/find-subdomains-of-domain

A DNS zone transfer will tell you all subdomains from badly configured DNS servers.
Go to http://www.kloth.net/services/dig.php
First find the authoritative DNS for the domain by asking for NS records.
Then run an AXFR query for the domain using the servers returned by the previous query.
Of course, this can be executed on the command line/shell as well.
0
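Shalom's two-step procedure (find the NS records, then request a zone transfer from each listed server), as an added example in Python using only the standard library; it is not code from the comment or from kloth.net. It encodes the AXFR query, parses the reply including RFC 1035 name compression, and classifies the result. The live `axfr()` function talks TCP/53 to a server you name; `constructed_replies()` builds two sample answers for the made-up zone `example.test` (a leaking server and a correctly restricted one) so the parser can be exercised offline. The names and addresses in those samples are invented.

```python
"""Zone-transfer (AXFR) check with only the standard library: added example, not
code from the post. Step 1 (dig NS <domain>) finds the servers; this does step 2."""
import socket
import struct

QTYPE_AXFR, QCLASS_IN = 252, 1
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 16: "TXT", 28: "AAAA"}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, zero terminator."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(domain, qtype, txid=0x1234):
    """Header with one question and RD set; AXFR has to be sent over TCP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", qtype, QCLASS_IN)


def read_name(msg, off):
    """Decode the name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it is written at `off`)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # 2-byte pointer, 14-bit offset
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + ln].decode())
        off += ln


def parse_response(msg):
    """Return (rcode, [(owner, type, rdata)]) for the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (2, 5, 6, 12):                   # rdata begins with a name
            rdata, _ = read_name(msg, off)
        elif rtype == 1:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        else:
            rdata = msg[off:off + rdlen].hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), rdata))
        off += rdlen
    return flags & 0xF, records


def assess(msg):
    """Classify one reply: ('LEAKED', exposed hostnames) or (rcode name, [])."""
    rcode, records = parse_response(msg)
    if rcode != 0:
        return RCODES.get(rcode, str(rcode)), []
    return "LEAKED", sorted({owner for owner, _, _ in records})


def axfr(server, domain, timeout=5.0):
    """Live probe of one authoritative server; use only on zones you may test.
    Hardened servers answer REFUSED/NOTAUTH; a leaking one streams the zone."""
    query = build_query(domain, QTYPE_AXFR)
    records, soa_seen = [], 0
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        f = s.makefile("rb")
        while soa_seen < 2:                          # transfer is framed by two SOA RRs
            (length,) = struct.unpack("!H", f.read(2))
            rcode, recs = parse_response(f.read(length))
            if rcode != 0:
                return RCODES.get(rcode, str(rcode)), []
            records.extend(recs)
            soa_seen += sum(1 for _, t, _ in recs if t == "SOA")
    return "LEAKED", sorted({owner for owner, _, _ in records})


def _rr(owner, rtype, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata


def constructed_replies():
    """Constructed samples (not captures) for example.test: a leak and a refusal."""
    question = encode_name("example.test") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    apex = b"\xc0\x0c"                               # pointer to the question name at offset 12
    soa = _rr(apex, 6, 3600, b"\x03ns1" + apex + b"\x0ahostmaster" + apex
              + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, 3600))
    zone = (soa
            + _rr(b"\x03ns1" + apex, 1, 3600, bytes([192, 0, 2, 10]))
            + _rr(b"\x06portal" + apex, 1, 300, bytes([192, 0, 2, 20]))
            + _rr(b"\x03vpn" + apex, 5, 300, b"\x06portal" + apex)
            + soa)                                   # a transfer ends with the SOA again
    leaked = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 5, 0, 0) + question + zone
    refused = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + question
    return leaked, refused
```

A reply of REFUSED or NOTAUTH is the expected result from a properly configured server (transfers restricted to its secondaries); a NOERROR stream of records is the misconfiguration Shalom describes, and every owner name in it is a hostname the organisation never meant to publish. Run `axfr("ns1.yourzone.example", "yourzone.example")` against your own authoritative servers; do not run it against zones you are not authorised to test.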

noci (Software Engineer) commented:
In addition to all other measures on access tools (web server, SSH daemon etc.) I use fail2ban to monitor the logs of those tools, and on certain conditions some IP addresses are just blocked, full stop, for a minimum of a day; if it happens two days in a row the lock starts again with a week.
This does effectively stop brute-forcing... only the ones that try at full line speed get more or less 5 tries instead of 3 before they get blocked.
0
jdc1944 (Author) commented:
Thanks for everyone's input
0