VHosts

Virtual Host (vhost) enumeration discovers additional websites hosted on the same IP address but responding to different hostnames.

Why VHost Enumeration Matters

Web servers can host multiple sites on one IP using the Host header
Subdomains may not have DNS records (internal/dev sites)
Different vhosts may have different security postures
Can reveal admin panels, staging environments, APIs

Enumeration Techniques

Using ffuf (Recommended)

# Basic vhost fuzzing
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -u http://10.10.10.10 -H "Host: FUZZ.target.com" -fs 0

# Filter by response size (adjust based on default response)
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
  -u http://10.10.10.10 -H "Host: FUZZ.target.com" -fs 4242

# Filter by status code
ffuf -w wordlist.txt -u http://10.10.10.10 -H "Host: FUZZ.target.com" -fc 400,404

# With HTTPS
ffuf -w wordlist.txt -u https://10.10.10.10 -H "Host: FUZZ.target.com" -fs 0

Using gobuster

# Vhost mode
gobuster vhost -u http://target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# With specific IP
gobuster vhost -u http://10.10.10.10 -w wordlist.txt --domain target.com --append-domain

# Filter unwanted status codes
gobuster vhost -u http://target.com -w wordlist.txt --exclude-length 0

Using wfuzz

# Basic vhost fuzzing
wfuzz -c -w wordlist.txt -H "Host: FUZZ.target.com" --hc 400,404 http://10.10.10.10

# Hide responses by size
wfuzz -c -w wordlist.txt -H "Host: FUZZ.target.com" --hh 1234 http://10.10.10.10

# Hide responses by word count
wfuzz -c -w wordlist.txt -H "Host: FUZZ.target.com" --hw 50 http://10.10.10.10

Specialized Tools

# Virtual Host Discovery
# https://github.com/jobertabma/virtual-host-discovery
ruby scan.rb --ip=192.168.1.101 --host=domain.tld

# VHosts Sieve - Find vhosts in non-resolvable domains
# https://github.com/dariusztytko/vhosts-sieve
python3 vhosts-sieve.py -d domains.txt -o vhosts.txt

# HostHunter - Discover hostnames from IP ranges
# https://github.com/SpiderLabs/HostHunter
python3 hosthunter.py targets.txt -o hosts.txt

Finding VHosts Without DNS

# Extract potential hostnames from SSL certificates
echo | openssl s_client -connect 10.10.10.10:443 2>/dev/null | openssl x509 -noout -text | grep -oP '(?<=DNS:)[^,]+'

# Check certificate SAN (Subject Alternative Names)
nmap --script ssl-cert -p 443 10.10.10.10

# Reverse DNS lookup
host 10.10.10.10

# Check for common internal hostnames
for host in admin dev staging test api internal portal; do
  curl -s -o /dev/null -w "%{http_code} - $host.target.com\n" \
    -H "Host: $host.target.com" http://10.10.10.10
done

Adding Discovered VHosts

# Add to /etc/hosts for testing
echo "10.10.10.10 dev.target.com staging.target.com admin.target.com" | sudo tee -a /etc/hosts

# Or use curl with Host header directly
curl -H "Host: dev.target.com" http://10.10.10.10/

Wordlists for VHost Fuzzing

# SecLists
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt

# Common internal hostnames
/usr/share/seclists/Discovery/DNS/namelist.txt

Subdomain Enumeration
Crawl/Fuzz
SSRF - VHosts can be internal SSRF targets

PreviousOAuth/PKCE Attacks NextTabnabbing

Last updated 8 days ago

Was this helpful?

hashtagWhy VHost Enumeration Matters

hashtagEnumeration Techniques

hashtagUsing ffuf (Recommended)

hashtagUsing gobuster

hashtagUsing wfuzz

hashtagSpecialized Tools

hashtagFinding VHosts Without DNS

hashtagAdding Discovered VHosts

hashtagWordlists for VHost Fuzzing

hashtagRelated Topics

Why VHost Enumeration Matters

Enumeration Techniques

Using ffuf (Recommended)

Using gobuster

Using wfuzz

Specialized Tools

Finding VHosts Without DNS

Adding Discovered VHosts

Wordlists for VHost Fuzzing

Related Topics