# VHosts Virtual Host (vhost) enumeration discovers additional websites hosted on the same IP address but responding to different hostnames. ## Why VHost Enumeration Matters * Web servers can host multiple sites on one IP using the `Host` header * Subdomains may not have DNS records (internal/dev sites) * Different vhosts may have different security postures * Can reveal admin panels, staging environments, APIs ## Enumeration Techniques ### Using ffuf (Recommended) ```bash # Basic vhost fuzzing ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \ -u http://10.10.10.10 -H "Host: FUZZ.target.com" -fs 0 # Filter by response size (adjust based on default response) ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \ -u http://10.10.10.10 -H "Host: FUZZ.target.com" -fs 4242 # Filter by status code ffuf -w wordlist.txt -u http://10.10.10.10 -H "Host: FUZZ.target.com" -fc 400,404 # With HTTPS ffuf -w wordlist.txt -u https://10.10.10.10 -H "Host: FUZZ.target.com" -fs 0 ``` ### Using gobuster ```bash # Vhost mode gobuster vhost -u http://target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt # With specific IP gobuster vhost -u http://10.10.10.10 -w wordlist.txt --domain target.com --append-domain # Filter unwanted status codes gobuster vhost -u http://target.com -w wordlist.txt --exclude-length 0 ``` ### Using wfuzz ```bash # Basic vhost fuzzing wfuzz -c -w wordlist.txt -H "Host: FUZZ.target.com" --hc 400,404 http://10.10.10.10 # Hide responses by size wfuzz -c -w wordlist.txt -H "Host: FUZZ.target.com" --hh 1234 http://10.10.10.10 # Hide responses by word count wfuzz -c -w wordlist.txt -H "Host: FUZZ.target.com" --hw 50 http://10.10.10.10 ``` ### Specialized Tools ```bash # Virtual Host Discovery # https://github.com/jobertabma/virtual-host-discovery ruby scan.rb --ip=192.168.1.101 --host=domain.tld # VHosts Sieve - Find vhosts in non-resolvable domains # https://github.com/dariusztytko/vhosts-sieve python3 vhosts-sieve.py -d domains.txt -o vhosts.txt # HostHunter - Discover hostnames from IP ranges # https://github.com/SpiderLabs/HostHunter python3 hosthunter.py targets.txt -o hosts.txt ``` ## Finding VHosts Without DNS ```bash # Extract potential hostnames from SSL certificates echo | openssl s_client -connect 10.10.10.10:443 2>/dev/null | openssl x509 -noout -text | grep -oP '(?<=DNS:)[^,]+' # Check certificate SAN (Subject Alternative Names) nmap --script ssl-cert -p 443 10.10.10.10 # Reverse DNS lookup host 10.10.10.10 # Check for common internal hostnames for host in admin dev staging test api internal portal; do curl -s -o /dev/null -w "%{http_code} - $host.target.com\n" \ -H "Host: $host.target.com" http://10.10.10.10 done ``` ## Adding Discovered VHosts ```bash # Add to /etc/hosts for testing echo "10.10.10.10 dev.target.com staging.target.com admin.target.com" | sudo tee -a /etc/hosts # Or use curl with Host header directly curl -H "Host: dev.target.com" http://10.10.10.10/ ``` ## Wordlists for VHost Fuzzing ```bash # SecLists /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt # Common internal hostnames /usr/share/seclists/Discovery/DNS/namelist.txt ``` ## Related Topics * [Subdomain Enumeration](/recon/subdomain-enum.md) * [Crawl/Fuzz](/enumeration/web/crawl-fuzz.md) * [SSRF](/enumeration/web/ssrf.md) - VHosts can be internal SSRF targets --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.pentest-book.com/enumeration/web/vhosts.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.