Virtual Hosts (VHOSTS) Enumeration

Last modified: 2024-03-17


We can find virtual hosts for websites by enumerating Host header value.


# Ffuf
ffuf -u -H "Host:" -w wordlist.txt -fs 1234
# follow redirect (-r)
ffuf -u -H "Host:" -w wordlist.txt -fs 1234 -r
# Sometimes, we have to specify the ip address not domain.
ffuf -u -H "Host:" -w wordlist.txt -fs 1234

# Wfuzz
wfuzz -u -H "Host:" -w wordlist.txt --hl 138

Add Vhosts to Hosts File

If we found a vhost, add that ip&domain to the hosts file depending on your attack machine.

  • Linux: /etc/hosts
  • Windows: C:\Windows\System32\drivers\etc\hosts

If we find the vhosts, we can try to search moreover with keywords.
For instance, assume we found “sub” domain.


SAN (Subject Alternative Name) in the Certificate

SAN is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field.
We can also check it for finding subdomains.
Replace "" with your target domain.

openssl s_client -connect < /dev/null | openssl x509 -noout -text | grep -C3 -i dns