Paid Advertising
web application security lab

MSN IP Search

I’ve been meaning to write something about this for a while now, and a number of people have known and used this for a while too, but one of the most helpful tools out there for identifying subdomains of any given target is MSN IP search. I think Fierce is way better for finding subdomains if they aren’t on the same IP, but MSN IP search is way better at finding subdomains on the same IP.

Why is that important? Well, it turns out that a lot of companies use shared hosting, and as we all know, unless they have taken extreme steps to protect their clients, the hosting environments are basically saying that any compromise of any client means complete compromise of any of the other clients on the same machine. Great. So I created a small bookmarket that interfaces with MSN IP search. If you use Firefox, just drag it to your bookmarks and just go to a webpage of choice (other than ;) ) and click the bookmarklet. It sends the domain to which performs an IP lookup and forwards the browser back to MSN with the IP for that domain. It’s that simple. You’d be amazed how many companies use shared hosting.

17 Responses to “MSN IP Search”

  1. /pd Says:

    I love your “Security Bookmarklets” page.. jus awsome !

  2. x-tense Says: can do this too. This is a very usefull function :)

  3. ktalgerie Says:

    very good and practical ;)

  4. RSnake Says:

    myipneighbors uses the MSN IP search. The results will be the same, just a different format.

  5. Christian Says:

    Great trick, I’ve been using this one for a while. (Of course, Maltego CE also offers some of the same results, I’m unsure if the transform it uses for that query uses this search too).

  6. ktalgerie Says:

    with the results of msn ip, I have a lot of redondonces, but with the website There is a well-ordered list, I think it’s better

  7. Jac Says:

    Yaw, i love the one with yahoo search. Very practical! Thanks.

  8. Johann Says:

    Not bad, but Live seems to have less data about non-CNO domains than Google. I host 18 domains on my server but Live only finds 11 of them.

  9. RSnake Says:

    @Johann - I stay away from Google if I can help it. And anyway, Google doesn’t have an exposed IP search function so I don’t know how that would help you anyway.

  10. Vinícius K-Max Says:

    Awesome tip. Thanks :)

  11. mbridge Says:

    Interesting service. Helpful for security personnel to know which domain a hacker may be trying to infiltrate.

  12. jcran Says:

    robtex ftw! (

    for instance:

  13. RSnake Says:

    @jcran - I like robtex but it really does miss a lot. Not once does it put anywhere on the page, yet it’s the second most hit subdomain we have. Not exactly a winner there. ;)

  14. rvdh Says:

    how about using: ;)

  15. RSnake Says:

    Sure, but try it for .228… it misses what MSN IP search finds. Overall, it’s just not as good at finding subdomains.

  16. maluc Says:

    aside from having to answer a captcha, is a far more useful format for this than the normal msn.

    Although i also don’t like that it forces you to visit the first site/ip. Not exactly stealthy when my browser is requesting the target site with an IP as my host header (if searching by IP)

  17. CrYpTiC_MauleR Says:

    If you have the ShowIP extension for Firefox you can add the following to it: that way no need for a lookup since IP is already known and no need for bookmarklet. =o)