# Virtual Host

{% embed url="<https://pentest-tools.com/information-gathering/find-virtual-hosts>" %}

The key difference between VHosts and sub-domains is that a VHost is basically a 'sub-domain' served on the same server with the same IP address, so a single IP can serve two or more different websites. The server picks which site to return from the `Host` header of the request, as the `curl` example below shows.

{% hint style="info" %}
VHosts may or may not have public DNS records.
{% endhint %}

```shell-session
$ curl -s http://192.168.10.10 -H "Host: randomtarget.com"

<html>
    <head>
        <title>Welcome to randomtarget.com!</title>
    </head>
    <body>
        <h1>Success! The randomtarget.com server block is working!</h1>
    </body>
</html>
```

## Wordlists

### Seclists

`/opt/useful/SecLists/Discovery/DNS/namelist.txt`

### Avileox

{% embed url="<https://gist.githubusercontent.com/Avileox/941f5eb742bad690d04c16b78ac41b57/raw/7405075123c5fc6dba15dee09b876b7d3bdaeb3c/wl-vhost.txt>" %}

### Assetnote

{% embed url="<https://wordlists-cdn.assetnote.io/data/automated/httparchive_subdomains_2024_01_28.txt>" %}

## Gobuster

```
gobuster vhost -u http://domain.htb:8008 -w /usr/share/seclists/Discovery/DNS/namelist.txt --append-domain | grep -v "301"
```

Shorter list:

```
gobuster vhost -u http://inlanefreight.htb:81 -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
```

## Custom vHost List

```shell-session
app
blog
dev-admin
forum
help
m
my
shop
some
store
support
www
```

## Fuzzing

```shell-session
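# Print a banner per candidate, then show the Content-Length returned for that Host header
cat ./vhosts | while read -r vhost; do printf '\n********\nFUZZING: %s\n********\n' "${vhost}"; curl -s -I http://192.168.10.10 -H "HOST: ${vhost}.randomtarget.com" | grep "Content-Length: "; done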
```

## Ffuf

### Exclude redirect 302

```
ffuf -u http://permx.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.permx.htb" -fs 0 -mc all -fc 302
```

### Filter by size

```shell-session
ffuf -w ./vhosts -u http://192.168.10.10 -H "HOST: FUZZ.randomtarget.com" -fs 612
```

* `-w`: Path to our wordlist
* `-u`: URL we want to fuzz
* `-H "HOST: FUZZ.randomtarget.com"`: This is the `HOST` header; the word `FUZZ` marks the fuzzing point.
* `-fs 612`: Filter out responses with a size of 612, the default response size in this case.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F0iY3h57BZsILVEQNmc9H%2FPasted%20image%2020240407100246.png?alt=media&#x26;token=d76befcc-deba-4cb6-b9a5-502d49f3de4d" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FmQ7FSkRJ2FBW80EV7Xn5%2Fimage.png?alt=media&#x26;token=2960335c-f567-455f-a3c2-3432af760c93" alt=""><figcaption></figcaption></figure>

```
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -u http://10.129.221.4 -H "HOST: FUZZ.inlanefreight.htb" -fs 10918
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FUdIa3g63olNveJ5GYMEv%2FPasted%20image%2020240407105256.png?alt=media&#x26;token=7938be4a-4768-4ba2-b7f5-9f4d8944391c" alt=""><figcaption></figcaption></figure>

```shell-session
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'
```
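
From the defending side, the size signal that `-fs 612` filters on is also visible in the web server's access log. The following is an added example, not part of the original notes: it flags clients that send many distinct `Host` values which mostly fall through to the default site. The log layout, the client addresses and the thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed log layout (not from the original page), e.g. with nginx:
#   log_format vhost '$remote_addr "$http_host" $status $body_bytes_sent';
LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\d{3}) (\d+)$')

def find_vhost_fuzzers(lines, default_size, min_hosts=5, min_miss_ratio=0.8):
    """Return {client_ip: (distinct_hosts, miss_ratio)} for clients that sent
    many distinct Host values, most of them answered by the default site
    (recognised by its constant body size, the value -fs hides client-side)."""
    hosts = defaultdict(set)    # ip -> distinct Host headers seen
    misses = defaultdict(set)   # ip -> Host headers that got the default site
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # ignore lines that do not fit the assumed layout
        ip, host, _status, size = m.groups()
        host = host.lower()
        hosts[ip].add(host)
        if int(size) == default_size:
            misses[ip].add(host)
    flagged = {}
    for ip, seen in hosts.items():
        ratio = len(misses[ip]) / len(seen)
        if len(seen) >= min_hosts and ratio >= min_miss_ratio:
            flagged[ip] = (len(seen), round(ratio, 2))
    return flagged

# Constructed sample: 203.0.113.7 walks a wordlist, 203.0.113.20 browses normally.
SAMPLE_LOG = [
    '203.0.113.20 "www.randomtarget.com" 200 5321',
    '203.0.113.7 "app.randomtarget.com" 200 612',
    '203.0.113.7 "blog.randomtarget.com" 200 612',
    '203.0.113.7 "dev-admin.randomtarget.com" 200 4120',
    '203.0.113.20 "shop.randomtarget.com" 200 7788',
    '203.0.113.7 "forum.randomtarget.com" 200 612',
    '203.0.113.7 "help.randomtarget.com" 200 612',
    '203.0.113.7 "m.randomtarget.com" 200 612',
    '203.0.113.20 "www.randomtarget.com" 200 5321',
]

if __name__ == "__main__":
    for ip, (count, ratio) in find_vhost_fuzzers(SAMPLE_LOG, 612).items():
        print(f"{ip}: {count} distinct Host values, {ratio:.0%} hit the default site")
```

Logging the received `Host` header is what makes this visible; a default access log format that omits it shows only repeated requests for `/`.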

## Resources

{% embed url="<https://www.thehacker.recipes/web/recon/virtual-host-fuzzing>" %}

{% embed url="<https://www.freecodecamp.org/news/virtual-host-enumeration-tutorial/>" %}
