>> Is there any possible way to get a list of the virtual hosts running on a
>> web server given the IP address of that server (assuming that you don't run
>> the server)?
>No, I don't think so.
>> I've thought of DNS - a good enough solution would be to get a list of
>> domains registered to an IP address given that IP address, but NetSol
>> doesn't appear to offer this service and I can't figure out how else I
>> would get this list.
>You are asking the question: how do I determine all the names that map to
>a specific IP address? I think this answer is: you can't.
However, for those who PROPERLY know how to set up domain files, there will be
PTR records in the reverse (IP-address) domain pointing back to the valid domain
names for the host. This may or may not include all a host's aliases, and it
may include those which are used for services other than http/https. It will
probably not include wildcard entries (so that "user.domain" -> "domain/~user"
mappings work) nor need it include any "forward-only" DNS entries.
Following the reverse mapping will only give an indication of the virtual
hostnames. The subset could be the entire set - or not.
>> So my other thought is that there may be a way to send some sort of request
>> to the webserver asking for its domains. An unlikely chance, but I
>> thought I'd ask.
>Nope. The webserver will not give you that information.
An Apache webserver can give that to any user who can run "httpd -S" on the
local system, but not to external users. Those same users can start the server
program - so it's usually restricted to system administrators (i.e. the
superuser) only. There is no remote way.
However, the server-status handler will list recent requests and include the
virtual hostname requested.
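
An added example, not part of the original thread: for an administrator who can run "httpd -S", this compares the configured virtual host names with the PTR records for the server's address, to show which names the reverse zone exposes and which it omits. The "httpd -S" output and PTR data below are constructed samples, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `httpd -S` output (not from the original post).
HTTPD_S = """\
VirtualHost configuration:
192.0.2.10:80          is a NameVirtualHost
         default server www.example.com (/etc/httpd/conf.d/vhosts.conf:1)
         port 80 namevhost www.example.com (/etc/httpd/conf.d/vhosts.conf:1)
                 alias example.com
         port 80 namevhost shop.example.net (/etc/httpd/conf.d/vhosts.conf:12)
         port 80 namevhost users.example.org (/etc/httpd/conf.d/vhosts.conf:20)
                 wild alias *.users.example.org
"""

# Constructed PTR data for the reverse zone: owner name -> PTR targets.
PTR_ZONE = {
    "10.2.0.192.in-addr.arpa": ["www.example.com.", "mail.example.com."],
}

VHOST_RE = re.compile(r"^\s*port \d+ namevhost (\S+)")
ALIAS_RE = re.compile(r"^\s*(?:wild )?alias (\S+)")


def reverse_name(ip):
    """Owner name of the PTR records for an address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def configured_names(httpd_s):
    """ServerName and ServerAlias values listed in `httpd -S` output."""
    names = set()
    for line in httpd_s.splitlines():
        m = VHOST_RE.match(line) or ALIAS_RE.match(line)
        if m:
            names.add(m.group(1).lower())
    return names


def compare(ip, httpd_s, ptr_zone):
    """Split names into those visible through PTR and those that are not."""
    ptr = {n.rstrip(".").lower() for n in ptr_zone.get(reverse_name(ip), [])}
    vhosts = configured_names(httpd_s)
    return {
        "visible_via_ptr": sorted(vhosts & ptr),   # reverse zone reveals these
        "not_in_ptr": sorted(vhosts - ptr),        # aliases, wildcards, forward-only
        "ptr_not_vhost": sorted(ptr - vhosts),     # names for non-HTTP services
    }


if __name__ == "__main__":
    for key, names in compare("192.0.2.10", HTTPD_S, PTR_ZONE).items():
        print(key, names)
```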