Identifying Alternative Websites on Ports - pentestfunctions/Hacking-For-Beginners GitHub Wiki

Identifying Alternative Websites on Ports

This guide focuses on identifying alternative websites hosted on different ports of a target system. This is a crucial step in penetration testing and CTF challenges, as websites on non-standard ports might have different configurations or vulnerabilities.


Introduction

Identifying alternative websites involves scanning for open ports on the target system and then checking whether those ports host web services. This process can reveal additional attack surface that is not visible on the standard ports 80 (HTTP) and 443 (HTTPS).

Port Scanning

Port scanning is the first step. This can be done using tools like nmap, masscan, or similar.

Using Nmap

nmap -sV -p- target_domain_or_IP

This command scans all ports (-p-) on the target and attempts to identify services (-sV).

Using Masscan

masscan -p0-65535 target_domain_or_IP --rate=1000

Masscan is used for very fast scans over all ports, with a configurable rate.

Checking Web Servers on Identified Ports

After identifying open ports, the next step is to check if they host web services. This can be done manually by visiting http://target_domain_or_IP:port or https://target_domain_or_IP:port, or by using automated tools.

Manual Checking

Open a web browser and navigate to the target domain/IP with the identified port number.

Automated Tools

  • Nmap Scripts
    nmap -sV -p identified_port --script=http-title target_domain_or_IP
    
    This script requests a page from each identified port and records its <title>, which is a quick way to tell a real website from a non-HTTP service listening on that port.
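The two steps above (scan for open ports, then check each one for a website) combined into one script, as an added example that is not part of the original wiki. It reads nmap's grepable (-oG) output, builds one URL per open port, and reads the page title the way the http-title script does. The scan output and the host 10.0.0.5 are constructed sample data.

```python
import re
import ssl
import urllib.request

# Constructed sample of `nmap -sV -p- -oG -` grepable output (not a real scan).
SAMPLE_GNMAP = (
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 8080/open/tcp//http-proxy//Apache Tomcat/, "
    "8443/open/tcp//ssl|https-alt//Jetty/, 3306/filtered/tcp//mysql///"
    "\tIgnored State: closed (65531)\n"
)

def parse_gnmap_open_ports(text):
    """Return [(host, port, service, version)] for every open TCP port."""
    found = []
    for line in text.splitlines():
        if line.startswith("Host:") and "Ports:" in line:
            host = line.split()[1]
            ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
            for entry in ports_field.split(","):
                f = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version/
                if len(f) >= 7 and f[1] == "open" and f[2] == "tcp":
                    found.append((host, int(f[0]), f[4], f[6]))
    return found

def candidate_urls(open_ports):
    """One URL per open port (not only nmap's 'http' ones): https where TLS was seen."""
    urls = []
    for host, port, service, _version in open_ports:
        scheme = "https" if ("ssl" in service or "https" in service) else "http"
        urls.append(f"{scheme}://{host}:{port}/")
    return urls

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)

def extract_title(html):
    """Like nmap's http-title script: the <title> text with whitespace collapsed."""
    m = TITLE_RE.search(html)
    return " ".join(m.group(1).split()) if m else None

def fetch_title(url, timeout=5):
    """Request one URL and return its title, or None if nothing web-like answers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # alternative ports often carry self-signed
    ctx.verify_mode = ssl.CERT_NONE  # certificates; this is for an authorised lab
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return extract_title(resp.read(65536).decode("utf-8", "replace"))
    except (OSError, ValueError):
        return None
```

Run `candidate_urls(parse_gnmap_open_ports(open("scan.gnmap").read()))` on a real `-oG` file and pass each URL to `fetch_title` to list every port that answers with a page.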

Tools for Port Scanning

Note: Always ensure you have permission to perform port scanning and web service identification on the target to avoid legal issues.