Pentest Book
VHosts

Tools

# https://github.com/jobertabma/virtual-host-discovery
ruby scan.rb --ip=192.168.1.101 --host=domain.tld

# https://github.com/dariusztytko/vhosts-sieve
python3 vhosts-sieve.py -d domains.txt -o vhosts.txt

# Enum vhosts
fierce -dns example.com

# https://github.com/codingo/VHostScan
VHostScan -t example.com

Techniques

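# ffuf
# Baseline: byte count of the response for a Host header that does not exist on the target
badresponse=$(curl -s -H "Host: totallynotexistsforsure.TARGET.com" https://TARGET.com | wc -c)
# Filter out (-fs) responses whose size matches that baseline
ffuf -u https://TARGET.com -H "Host: FUZZ.TARGET.com" -w werdlists/dns-hostnames/nmap-vhosts-all.txt -fs $badresponse

# Manual with subdomains list
# Record each subdomain with the last line of its A-record answer; anew appends only new lines
while read -r sub; do
echo "$sub $(dig +short a "$sub" | tail -n1)" | anew -q subdomains_ips.txt
done < subdomains.txt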
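A follow-up to the manual loop above, as an added example that is not part of Pentest Book: it reads the "hostname ip" lines that loop writes, lists the IPs that serve more than one name (name-based virtual hosting in an asset inventory), and separately lists names whose answer was empty or CNAME-only. The function names and the sample data are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: post-process subdomains_ips.txt ("hostname ip" per line).

# Constructed sample in the format the loop writes (documentation address range).
sample_input() {
cat <<'EOF'
www.example.com 192.0.2.10
shop.example.com 192.0.2.10
old.example.com
mail.example.com 192.0.2.25
cdn.example.com edge.cdn.example.net.
admin.example.com 192.0.2.10
EOF
}

# Print "ip count host1,host2,..." for every IPv4 address shared by 2+ names.
shared_ips() {
  awk '
    # keep only lines whose second field looks like a dotted-quad IPv4 address
    NF == 2 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      count[$2]++
      hosts[$2] = (hosts[$2] == "" ? $1 : hosts[$2] "," $1)
    }
    END {
      for (ip in count)
        if (count[ip] > 1) print ip, count[ip], hosts[ip]
    }
  ' | sort
}

# Print names with no IPv4 answer: dig returned nothing, or only a CNAME target.
unresolved() {
  awk 'NF < 2 || $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }'
}

# Stand-alone run on the constructed sample; use "< subdomains_ips.txt" for real data.
sample_input | shared_ips
sample_input | unresolved
```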