bing-ip2hosts is a command-line reconnaissance tool that uses Bing’s search engine to find hostnames associated with a given IP address. During penetration testing and OSINT investigations, it helps discover virtual hosts, co-hosted websites, and other domains sharing the same IP address. The tool queries Bing’s search index for domains and automatically handles pagination to retrieve comprehensive results.
# Clone the repository
git clone https://github.com/urbanadventurer/bing-ip2hosts.git
cd bing-ip2hosts
# Install dependencies (Perl)
# Usually pre-installed on most systems
perl --version
# Make executable
chmod +x bing-ip2hosts
# Verify installation
./bing-ip2hosts --help
# Install Perl and required modules
sudo apt-get update
sudo apt-get install perl libwww-perl
# Clone repository
git clone https://github.com/urbanadventurer/bing-ip2hosts.git
# Navigate to directory
cd bing-ip2hosts
chmod +x bing-ip2hosts
sudo dnf install perl perl-libwww-perl
git clone https://github.com/urbanadventurer/bing-ip2hosts.git
cd bing-ip2hosts
chmod +x bing-ip2hosts
# Ensure Perl is installed
brew install perl
# Clone repository
git clone https://github.com/urbanadventurer/bing-ip2hosts.git
cd bing-ip2hosts
chmod +x bing-ip2hosts
# Find all domains hosted on an IP
./bing-ip2hosts 8.8.8.8
# Look up specific IP
./bing-ip2hosts 1.1.1.1
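# Check a company IP (192.168.1.1 is a placeholder; use the public address,
# since private RFC 1918 ranges are not in Bing's index)
./bing-ip2hosts 192.168.1.1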
Searching Bing for IP: 8.8.8.8
Found: dns.google
Found: google-dns-a.google.com
Found: google.com
Found: maps.google.com
Found: www.google.com
Total: 5 unique hostnames
| Option | Description |
|---|---|
| `-h` or `--help` | Display help information |
| `-i <IP>` | Specify IP address to query |
| `-v` or `--verbose` | Verbose output with details |
| `-t <timeout>` | Set connection timeout (seconds) |
| `-r` or `--retries` | Number of retry attempts |
| `-d` or `--debug` | Enable debug output |
# Default format shows one hostname per line
./bing-ip2hosts 8.8.8.8
dns.google
google-dns-a.google.com
google.com
maps.google.com
# Show additional information
./bing-ip2hosts -v 8.8.8.8
Searching for IP: 8.8.8.8
Page 1: Found 5 results
[1] dns.google
[2] google-dns-a.google.com
[3] google.com
[4] maps.google.com
[5] www.google.com
Search complete - 5 unique hostnames
# Show request/response details
./bing-ip2hosts -d 8.8.8.8
[DEBUG] Connecting to Bing search engine...
[DEBUG] Query: "ip:8.8.8.8"
[DEBUG] User-Agent: Mozilla/5.0...
[DEBUG] Parsing response...
[DEBUG] Found 5 results on page 1
[DEBUG] No more pages
dns.google
google-dns-a.google.com
...
# Discover all domains on shared hosting
./bing-ip2hosts 93.184.216.34
example.com
www.example.com
mail.example.com
ftp.example.com
admin.example.com
# Find domains using same CDN node
./bing-ip2hosts 151.101.1.140
example1.com
example2.com
example3.com
competing-site.com
# AWS IP address enumeration
./bing-ip2hosts 54.192.0.0
# Azure IP enumeration
./bing-ip2hosts 13.107.42.0
# GCP address enumeration
./bing-ip2hosts 35.184.0.0
# 1. Identify target IP
nslookup example.com
# Output: Address: 93.184.216.34
# 2. Find all domains on that IP
./bing-ip2hosts 93.184.216.34
# 3. Resolve each discovered hostname
./bing-ip2hosts 93.184.216.34 | while read -r domain; do
  echo "=== $domain ==="
  nslookup "$domain"
done
# Create file with target IPs
cat > ips.txt << EOF
8.8.8.8
1.1.1.1
8.8.4.4
1.0.0.1
EOF
# Process each IP
while read ip; do
echo "=== Hosts on $ip ==="
./bing-ip2hosts "$ip"
echo ""
done < ips.txt
# Find hosts across an IP range (uses bash brace expansion)
# 192.168.1.x is a placeholder; substitute the public, in-scope range
for ip in 192.168.1.{1..254}; do
  hosts=$(./bing-ip2hosts "$ip" 2>/dev/null | wc -l)
  if [ "$hosts" -gt 0 ]; then
    echo "$ip: $hosts hosts"
  fi
done
# Get results containing specific pattern
./bing-ip2hosts 8.8.8.8 | grep "google"
# Get all subdomains of specific domain
./bing-ip2hosts 8.8.8.8 | grep "\.example\.com"
# Exclude certain patterns
./bing-ip2hosts 8.8.8.8 | grep -v "www"
# Remove port numbers from results
./bing-ip2hosts 8.8.8.8 | cut -d: -f1 | sort -u
# Get count of unique domains
./bing-ip2hosts 8.8.8.8 | wc -l
# Sort alphabetically
./bing-ip2hosts 8.8.8.8 | sort
# Save to file
./bing-ip2hosts 8.8.8.8 > hosts.txt
# Append multiple IPs to same file
./bing-ip2hosts 8.8.8.8 >> all_hosts.txt
./bing-ip2hosts 1.1.1.1 >> all_hosts.txt
# Save with timestamp
./bing-ip2hosts 8.8.8.8 > hosts_$(date +%Y%m%d).txt
# CSV format
./bing-ip2hosts 8.8.8.8 | while read host; do
echo "8.8.8.8,$host"
done > report.csv
# JSON format (heredoc so the command substitution is expanded into the file)
cat > report.json << EOF
{
"ip": "8.8.8.8",
"hosts": [
$(./bing-ip2hosts 8.8.8.8 | sed 's/^/"/' | sed 's/$/"/' | paste -sd, -)
]
}
EOF
# For each found domain, get its DNS records
./bing-ip2hosts 8.8.8.8 | while read -r domain; do
  echo "=== $domain ==="
  dig +short "$domain" A
  dig +short "$domain" MX
done
# Check security headers on discovered domains
./bing-ip2hosts 8.8.8.8 | while read domain; do
echo "=== $domain ==="
curl -s -I "http://$domain" | grep -i "security\|x-frame\|content-security"
done
# Use CT logs alongside bing-ip2hosts
# CT Logs show SSL certificates for domains
# Compare with bing-ip2hosts results for comprehensive view
# Example workflow:
# 1. Run bing-ip2hosts on target IP
# 2. Check CT logs for additional subdomains
# 3. Cross-reference results
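The cross-reference step above, as an added example that is not part of bing-ip2hosts or the original page. Hostnames scraped from a search index are untrusted input to the `dig`, `curl` and `whois` loops on this page, so the sketch first normalises and validates them, then tags each name by source. The function names, file names and sample hostnames are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example (not part of bing-ip2hosts). All sample data is constructed.

# normalize_hosts: read candidate hostnames on stdin, print a clean unique list.
# Lowercases, strips scheme/port/path, trailing dot and CT wildcard prefix,
# then keeps only syntactically valid DNS names, so a scraped entry containing
# shell metacharacters never reaches dig, curl or whois.
normalize_hosts() {
  tr 'A-Z' 'a-z' |
    sed -E 's#^[a-z]+://##; s#[/:].*$##; s#\.$##; s#^\*\.##' |
    grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$' |
    LC_ALL=C sort -u
}

# cross_reference BING_FILE CT_FILE: tag each hostname by where it was seen.
# Runs in a subshell so the temp-file variables stay local.
cross_reference() (
  a=$(mktemp) && b=$(mktemp) || exit 1
  normalize_hosts < "$1" > "$a"
  normalize_hosts < "$2" > "$b"
  # comm prints three tab-indented columns: only-in-a, only-in-b, in-both.
  LC_ALL=C comm "$a" "$b" | awk -F '\t' '
    NF == 1 { print "bing-only\t" $1 }
    NF == 2 { print "ct-only\t"   $2 }
    NF == 3 { print "both\t"      $3 }'
  rm -f "$a" "$b"
)

# Demo with constructed lists standing in for bing-ip2hosts and CT log output.
demo() (
  d=$(mktemp -d) || exit 1
  printf '%s\n' 'www.example.com' 'MAIL.example.com:443' \
    'x;id.example.com' > "$d/bing.txt"
  printf '%s\n' '*.example.com' 'mail.example.com' \
    'vpn.example.com.' > "$d/ct.txt"
  cross_reference "$d/bing.txt" "$d/ct.txt"
  rm -rf "$d"
)
demo
```

Names tagged `bing-only` may be stale index entries and names tagged `ct-only` may have never been crawled, so both are worth re-resolving before they go into a report.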
# After finding domains, check registrant information
./bing-ip2hosts 8.8.8.8 | while read domain; do
whois "$domain" | grep -i "registrant\|company\|org"
done
#!/bin/bash
# Script to process multiple IPs in a range
TARGET_RANGE="8.8.4.0/24"
for ip in $(nmap -sL "$TARGET_RANGE" -n | grep "Nmap scan" | awk '{print $NF}'); do
  echo "Checking $ip..."
  ./bing-ip2hosts "$ip" >> all_results.txt
done
# Process multiple IPs simultaneously (faster)
cat ips.txt | xargs -P 5 -I {} ./bing-ip2hosts {} > results.txt
# Using GNU parallel if available
cat ips.txt | parallel ./bing-ip2hosts {} > results.txt
| Aspect | bing-ip2hosts | Google OSINT |
|---|---|---|
| Search Index | Bing | Google |
| Results Quality | Good | Often better |
| Rate Limiting | Moderate | Stricter |
| Speed | Fast | Variable |
| Accuracy | High | High |
# Shodan API approach
shodan search "ip:8.8.8.8"
# bing-ip2hosts approach
./bing-ip2hosts 8.8.8.8
# Trade-offs:
# - Shodan: More detailed data, paid API
# - bing-ip2hosts: Free, simpler output, focuses on hostnames
# Censys query
# Visit censys.io and search for IP
# bing-ip2hosts query
./bing-ip2hosts 8.8.8.8
# Differences:
# - Censys: SSL certificates, detailed scans, API available
# - bing-ip2hosts: Lightweight, no registration required
# Check IP address format
./bing-ip2hosts 8.8.8.8 # Correct
./bing-ip2hosts 8.8.8 # Incomplete
# Try verbose mode to debug
./bing-ip2hosts -v 8.8.8.8
# Check internet connectivity
ping -c 1 8.8.8.8
curl -I https://www.bing.com
# Timeout error - increase timeout
./bing-ip2hosts -t 30 8.8.8.8
# Slow responses - try again later
sleep 60
./bing-ip2hosts 8.8.8.8
# Proxy issues
# Edit bing-ip2hosts script to use proxy if needed
# Bing may rate limit requests
# Solution: Add delays between queries
for ip in $(cat ips.txt); do
./bing-ip2hosts "$ip"
sleep 5 # Wait 5 seconds between queries
done
# Store results to avoid repeated queries
CACHE_DIR="./cache"
mkdir -p "$CACHE_DIR"
# Check cache first
IP="8.8.8.8"
CACHE_FILE="$CACHE_DIR/$IP.txt"
if [ -f "$CACHE_FILE" ]; then
cat "$CACHE_FILE"
else
./bing-ip2hosts "$IP" | tee "$CACHE_FILE"
fi
# Combine results from multiple sources, remove duplicates
cat results1.txt results2.txt | sort -u > final_results.txt
# Count unique domains
sort -u final_results.txt | wc -l
# Only use on systems you own or have permission to test
# Respect Bing's Terms of Service
# Don't overload with excessive requests
# Use for authorized security testing only
# Results may contain sensitive hostnames
# Store results securely
# Limit access to reconnaissance findings
# Follow responsible disclosure practices
#!/bin/bash
# Complete reconnaissance workflow
TARGET_IP="8.8.8.8"
OUTPUT_DIR="recon_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting reconnaissance on $TARGET_IP"
# 1. Find virtual hosts
echo "[*] Finding virtual hosts..."
./bing-ip2hosts "$TARGET_IP" > "$OUTPUT_DIR/hostnames.txt"
# 2. Enumerate DNS records for each
echo "[*] Enumerating DNS records..."
while read host; do
echo "=== $host ===" >> "$OUTPUT_DIR/dns_records.txt"
dig +short "$host" A >> "$OUTPUT_DIR/dns_records.txt" 2>/dev/null
dig +short "$host" MX >> "$OUTPUT_DIR/dns_records.txt" 2>/dev/null
done < "$OUTPUT_DIR/hostnames.txt"
# 3. Check HTTP headers
echo "[*] Checking HTTP headers..."
while read host; do
echo "=== $host ===" >> "$OUTPUT_DIR/headers.txt"
curl -s -I "http://$host" >> "$OUTPUT_DIR/headers.txt" 2>/dev/null
done < "$OUTPUT_DIR/hostnames.txt"
echo "[+] Reconnaissance complete"
echo "[+] Results saved in $OUTPUT_DIR"
- Bing search syntax documentation
- OWASP Reconnaissance techniques
- Virtual hosting concepts
- OSINT methodology guides