
Virtual Hosts (VHOSTS)

Virtual Hosts (VHOSTS) Enumeration

We can find the virtual hosts of a website by enumerating values of the Host header.

Enumeration

# Ffuf
ffuf -u http://example.com/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234
# Follow redirects (-r)
ffuf -u http://example.com/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234 -r
# Sometimes we have to specify the IP address in the URL instead of the domain.
ffuf -u http://10.0.0.1/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234

# Wfuzz
wfuzz -u http://example.com -H "Host: FUZZ.example.com" -w wordlist.txt --hl 138
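
On the server side, the enumeration above shows up as one client sending many different, unconfigured Host values in a short time. The following is an added example (not part of the original page) of that detection run over access-log lines; the log layout, the `KNOWN_VHOSTS` set, the 60-second window and the threshold of 5 are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout (constructed): ip [ISO time] "Host header" "request" status bytes
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" "[^"]*" \d{3} \d+$')
KNOWN_VHOSTS = {"example.com", "www.example.com"}  # names the server really serves

def parse(line):
    """Return (client_ip, time, normalised_host) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, host = m.groups()
    # Host is case-insensitive and may carry a port (IPv6 literals not handled)
    return ip, datetime.fromisoformat(ts), host.lower().split(":")[0]

def detect_host_enumeration(lines, window=timedelta(seconds=60), threshold=5):
    """Map client IP -> unknown Host values, for clients that sent at least
    `threshold` distinct unknown Host headers inside one sliding `window`."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec[2] not in KNOWN_VHOSTS:
            events[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({h for _, h in hits[start:end + 1]}) >= threshold:
                flagged[ip] = sorted({h for _, h in hits})
                break
    return flagged

def _line(ip, ts, host, size=1234):
    return f'{ip} [{ts}] "{host}" "GET / HTTP/1.1" 200 {size}'

# Constructed sample: one burst of guessed names, one user typo, one slow client
SAMPLE_LOG = (
    [_line("203.0.113.7", f"2024-01-01T10:00:0{i}", f"{w}.example.com")
     for i, w in enumerate(["admin", "dev", "test", "staging", "mail", "vpn"])]
    + [_line("198.51.100.20", "2024-01-01T10:00:03", "www.example.com", 5120),
       _line("198.51.100.20", "2024-01-01T10:00:09", "wwww.example.com")]
    + [_line("192.0.2.9", f"2024-01-01T1{i}:00:00", f"h{i}.example.com") for i in range(5)]
)

if __name__ == "__main__":
    for ip, hosts in detect_host_enumeration(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(hosts))
```

Only the burst from 203.0.113.7 is flagged; the single mistyped name and the five unknown names spread over several hours stay below the threshold.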

Add Vhosts to Hosts File

If we find a vhost, add its IP address and domain to the hosts file on the attack machine. The file location depends on the operating system:

  • Linux: /etc/hosts

  • Windows: C:\Windows\System32\drivers\etc\hosts

Once we find vhosts, we can search further using them as keywords. For instance, assume we found the “sub” subdomain.

OSINT

SAN (Subject Alternative Name) in the Certificate

SAN is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. We can also check it to find subdomains. Replace "example.com" with your target domain.

Tools

virtual-host-discovery

https://github.com/jobertabma/virtual-host-discovery

Example:

vhosts-sieve

https://github.com/dariusztytko/vhosts-sieve

Example:

fierce

(fierce DNS scanner)

Example:

VHostScan

https://github.com/codingo/VHostScan

Example:

Techniques

Reference: https://pentestbook.six2dez.com/enumeration/webservices/vhosts#techniques

Copy of common techniques:
