Virtual Host

The key difference between VHosts and sub-domains is that a VHost is basically a 'sub-domain' served on the same server and has the same IP, such that a single IP could be serving two or more different websites.

VHosts may or may not have public DNS records.

$ curl -s http://192.168.10.10 -H "Host: randomtarget.com"

<html>
    <head>
        <title>Welcome to randomtarget.com!</title>
    </head>
    <body>
        <h1>Success! The randomtarget.com server block is working!</h1>
    </body>
</html>

Wordlists

Seclists

/opt/useful/SecLists/Discovery/DNS/namelist.txt

Avileox

Assetnote

Gobuster

gobuster vhost -u http://inlanefreight.htb:81 -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

Custom vHost List

app
blog
dev-admin
forum
help
m
my
shop
some
store
support
www

Fuzzing

cat ./vhosts | while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl -s -I http://192.168.10.10 -H "HOST: ${vhost}.randomtarget.com" | grep "Content-Length: ";done

Ffuf

Exclude redirect 302

ffuf -u http://permx.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.permx.htb" -fs 0 -mc all -fc 302

Filter by size

ffuf -w ./vhosts -u http://192.168.10.10 -H "HOST: FUZZ.randomtarget.com" -fs 612

-w: Path to our wordlist
-u: URL we want to fuzz
-H "HOST: FUZZ.randomtarget.com": This is the HOST Header, and the word FUZZ will be used as the fuzzing point.
-fs 612: Filter responses with a size of 612, default response size in this case.

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -u http://10.129.221.4 -H "HOST: FUZZ.inlanefreight.htb" -fs 10918

ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'

Resources

PreviousDNS Subdomain Enumeration NextFingerprinting / Crawling

Last updated 1 month ago

$ curl -s http://192.168.10.10 -H "Host: randomtarget.com" <html> <head> <title>Welcome to randomtarget.com!</title> </head> <body> <h1>Success! The randomtarget.com server block is working!</h1> </body> </html>

Ffuf

Exclude redirect 302

ffuf -u http://permx.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.permx.htb" -fs 0 -mc all -fc 302

Filter by size

ffuf -w ./vhosts -u http://192.168.10.10 -H "HOST: FUZZ.randomtarget.com" -fs 612

-w: Path to our wordlist

-u: URL we want to fuzz

-H "HOST: FUZZ.randomtarget.com": This is the HOST Header, and the word FUZZ will be used as the fuzzing point.

-fs 612: Filter responses with a size of 612, default response size in this case.

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -u http://10.129.221.4 -H "HOST: FUZZ.inlanefreight.htb" -fs 10918

ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'