Virtual Host

The key difference between VHosts and sub-domains is that a VHost is basically a 'sub-domain' served on the same server with the same IP address, so a single IP could be serving two or more different websites. The server picks which site to return based on the Host header of the request.

VHosts may or may not have public DNS records.

$ curl -s http://192.168.10.10 -H "Host: randomtarget.com"

<html>
    <head>
        <title>Welcome to randomtarget.com!</title>
    </head>
    <body>
        <h1>Success! The randomtarget.com server block is working!</h1>
    </body>
</html>

Wordlists

Seclists

/opt/useful/SecLists/Discovery/DNS/namelist.txt

Avileox

Assetnote

Gobuster

Shorter list:

Custom vHost List

Fuzzing

Ffuf

Exclude redirect 302

Filter by size

  • -w: Path to our wordlist

  • -u: URL we want to fuzz

  • -H "HOST: FUZZ.randomtarget.com": This is the Host header, and the word FUZZ will be used as the fuzzing point.

  • -fs 612: Filter out responses with a size of 612, the default response size in this case.
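
From the defending side, the two properties this scan relies on (one client cycling through many Host values, and the default server block answering most of them with a single response size) are visible in access logs. The Python detector below is an added example, not part of the original notes; the log format, the thresholds, the client IPs and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed nginx log_format (not from the page):
#   '$remote_addr $host "$request" $status $body_bytes_sent'
LINE_RE = re.compile(r'^(\S+) (\S+) "[^"]*" (\d{3}) (\d+)$')


def find_vhost_fuzzers(lines, min_hosts=5, min_default_ratio=0.8):
    """Return {client_ip: (distinct_hosts, dominant_size, ratio)} for clients
    that sent many distinct Host values and mostly received one response
    size, i.e. the default server block that -fs filters out."""
    hosts = defaultdict(set)      # client -> distinct Host values seen
    sizes = defaultdict(Counter)  # client -> response size -> count
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, host, _status, size = m.groups()
        hosts[ip].add(host.lower())
        sizes[ip][int(size)] += 1

    flagged = {}
    for ip, seen in hosts.items():
        if len(seen) < min_hosts:
            continue  # few Host values: ordinary browsing
        dominant, count = sizes[ip].most_common(1)[0]
        ratio = count / sum(sizes[ip].values())
        if ratio >= min_default_ratio:
            flagged[ip] = (len(seen), dominant, round(ratio, 2))
    return flagged


# Constructed sample log lines (hypothetical clients 10.0.0.5 and 10.0.0.9).
SAMPLE = [f'10.0.0.5 {w}.randomtarget.com "GET / HTTP/1.1" 200 612'
          for w in ("admin", "test", "mail", "staging", "vpn")]
SAMPLE.append('10.0.0.5 dev.randomtarget.com "GET / HTTP/1.1" 200 900')
SAMPLE += ['10.0.0.9 randomtarget.com "GET / HTTP/1.1" 200 1450'] * 3

if __name__ == "__main__":
    for ip, (n, size, ratio) in find_vhost_fuzzers(SAMPLE).items():
        print(f"{ip}: {n} distinct Host values, "
              f"{ratio:.0%} of responses were {size} bytes")
```

The thresholds need tuning per site: a server that legitimately hosts many names behind one address will see normal clients touch several Host values.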

Resources
