Bing-IP2hosts – Enumerate hostnames for an IP using

This is useful during the reconnaissance phase of a penetration test and for website hosting provider research.

Introduction is a search engine owned by Microsoft formerly known as MSN Search and Live Search. It has a unique feature to search for websites hosted on a specific IP address. This feature is can be used with the IP: parameter in the search query as shown in the image above. Bing-ip2hosts uses this feature to enumerate all hostnames which Bing has indexed for a specific IP address. This technique is considered best practice during the reconnaissance phase of a penetration test in order to discover a larger potential attack surface. Bing-ip2hosts is written in the Bash scripting language for Linux. This uses the mobile interface and no API key is required.


License GPLv3
Author Andrew Horton aka urbanadventurer, MorningStar Security
Released December 19th, 2013.

Older Versions
* Version 0.3, September 2012
* Version 0.2, April 2010
* Version 0.1, December 2009


$ ./bing-ip2hosts bing-ip2hosts (o.4) by Andrew Horton aka urbanadventurer Homepage:

Useful for web intelligence and attack surface mapping of vhosts during penetration tests. Find hostnames that
share an IP address with your target which can be a hostname or an IP address. This makes use of Microsoft ability to seach by IP address, e.g. "IP:".
Usage: ./bing-ip2hosts [OPTIONS] <IP|hostname>
OPTIONS are: -n Turn off the progress indicator animation -t <DIR> Use this directory instead of /tmp. The directory must exist. -i Optional CSV output. Outputs the IP and hostname on each line, separated by a comma. -p Optional http:// prefix output. Useful for right-clicking in the shell.

Example usage and output

$ ./bing-ip2hosts
[ | Scraping 10-19 of 27 | Found 13 | \ ]