Exploit Notes

Virtual Hosts (VHOSTS) Enumeration

Last modified: 2023-03-16

We can find virtual hosts for a website by fuzzing the Host header value: the web server selects the virtual host from that header, so a candidate name whose response differs from the default (catch-all) response reveals a configured vhost.

Enumeration

# Ffuf
# -fs 1234 filters out responses of the default vhost's size, so only differing vhosts remain
ffuf -u http://example.com/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234
# follow redirects (-r)
ffuf -r -u http://example.com/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234

# Wfuzz
# --hl 138 hides responses with the default vhost's line count
wfuzz -u http://example.com -H "Host: FUZZ.example.com" -w wordlist.txt --hl 138

If we find vhosts, add them to /etc/hosts on our machine so the browser and other tools resolve them to the target IP.
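From the defender's side, the same technique leaves a clear trace: one client sending many distinct Host values in a short window, most of them answered with the identical default-server response that a fuzzer filters away. The following detector is an added example and not part of the original notes; it assumes a constructed nginx-style log format that includes `$http_host`, a constructed sample log, and an assumed inventory of the vhosts we actually serve (KNOWN_HOSTS).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) access-log format: nginx log_format with the raw Host header:
#   '$remote_addr [$time_local] "$http_host" "$request" $status $body_bytes_sent'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<host>[^"]*)" "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)

# Constructed sample: one client cycles through candidate vhosts, another browses normally.
SAMPLE_LOG = """\
203.0.113.7 [16/Mar/2023:10:00:01 +0000] "example.com" "GET / HTTP/1.1" 200 1234
203.0.113.7 [16/Mar/2023:10:00:01 +0000] "admin.example.com" "GET / HTTP/1.1" 200 1234
203.0.113.7 [16/Mar/2023:10:00:02 +0000] "api.example.com" "GET / HTTP/1.1" 200 1234
203.0.113.7 [16/Mar/2023:10:00:02 +0000] "dev.example.com" "GET / HTTP/1.1" 200 5678
203.0.113.7 [16/Mar/2023:10:00:03 +0000] "mail.example.com" "GET / HTTP/1.1" 200 1234
203.0.113.7 [16/Mar/2023:10:00:03 +0000] "staging.example.com" "GET / HTTP/1.1" 200 1234
198.51.100.9 [16/Mar/2023:10:00:05 +0000] "example.com" "GET /index.html HTTP/1.1" 200 1234
198.51.100.9 [16/Mar/2023:10:00:09 +0000] "www.example.com" "GET /about HTTP/1.1" 200 2222
"""

# Assumed inventory of the vhosts we really serve.
KNOWN_HOSTS = frozenset({"example.com", "www.example.com", "dev.example.com"})


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["size"] = int(ev["size"])
    return ev


def detect_vhost_fuzzing(log_lines, threshold=5, window_seconds=60, known_hosts=KNOWN_HOSTS):
    """Flag clients that send >= threshold distinct Host values within window_seconds.

    For each flagged client also report the Host values that are not in our
    inventory and how many of those received the catch-all (default server)
    reply, i.e. the same status and size as the client's most common response.
    That identical reply is exactly what ffuf -fs / wfuzz --hl filter away.
    """
    per_ip = defaultdict(list)
    for line in log_lines:
        ev = parse_line(line)
        if ev:
            per_ip[ev["ip"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end, ev in enumerate(events):          # sliding time window
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            distinct = {e["host"] for e in events[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak < threshold:
            continue
        baseline = Counter((e["status"], e["size"]) for e in events).most_common(1)[0][0]
        unknown = sorted({e["host"] for e in events if e["host"] not in known_hosts})
        baseline_hits = sum(
            1 for e in events
            if e["host"] not in known_hosts and (e["status"], e["size"]) == baseline
        )
        alerts[ip] = {
            "peak_distinct_hosts": peak,
            "unknown_hosts": unknown,
            "default_response_hits": baseline_hits,
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_vhost_fuzzing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run against the sample, the scanning client is reported with six distinct hosts in two seconds, four names outside the inventory, and all four of those answered with the default response; the browsing client stays below the threshold. Tune `threshold` and `window_seconds` to the number of legitimate vhosts a single client normally touches.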


HTTPS

To enumerate over HTTPS, put the IP address, not the domain, in the URL; the candidate name still goes in the Host header.

ffuf -u https://10.0.0.1 -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234

Relational Domains

If we find a vhost, we can extend the search with related keywords.
For instance, if we found a "sub" subdomain, try names derived from it:

sub-api.example.com
sub-dev.example.com
sub-prod.example.com
sub-mail.example.com
sub-email.example.com

OSINT


SAN (Subject Alternative Name) in the Certificate

SAN is an extension to X.509 that allows multiple names (DNS names, IP addresses and others) to be bound to a single certificate via the subjectAltName field.
Because every hostname the certificate covers is listed there, we can also check it to find subdomains.
Replace "example.com" with your target domain.

# -servername sends SNI, so a server hosting several certificates returns the one for that name (recent OpenSSL versions send it by default)
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | openssl x509 -noout -text | grep -C3 -i dns
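The grep above is pulling names out of the subjectAltName extension, which in DER is a SEQUENCE of GeneralName entries tagged [2] for dNSName and [7] for iPAddress (RFC 5280, section 4.2.1.6). The parser below is an added example, not part of the original notes: it builds a constructed SAN value with `build_san` (a test input, not a real certificate) and decodes it with `parse_san`, then `unexpected_names` compares the result against an assumed host inventory so the operator of a certificate can spot stale or forgotten names exposed to anyone who runs the command above.

```python
import ipaddress

# GeneralName context-specific tags inside subjectAltName (RFC 5280 section 4.2.1.6).
TAG_DNS_NAME = 0x82    # [2] dNSName, IA5String
TAG_IP_ADDRESS = 0x87  # [7] iPAddress, OCTET STRING of 4 or 16 bytes
TAG_SEQUENCE = 0x30


def _der_length(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def build_san(dns_names, ip_addresses=()):
    """Constructed test input: the DER value of a subjectAltName extension."""
    names = [_tlv(TAG_DNS_NAME, n.encode("ascii")) for n in dns_names]
    ips = [_tlv(TAG_IP_ADDRESS, ipaddress.ip_address(ip).packed) for ip in ip_addresses]
    return _tlv(TAG_SEQUENCE, b"".join(names + ips))


def _read_tlv(buf, pos):
    """Decode one tag-length-value at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_san(der):
    """Return {'dns': [...], 'ip': [...], 'other': [tags]} from a SAN extension value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("subjectAltName value must be a single SEQUENCE")
    out = {"dns": [], "ip": [], "other": []}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_DNS_NAME:
            out["dns"].append(value.decode("ascii"))
        elif tag == TAG_IP_ADDRESS:
            out["ip"].append(str(ipaddress.ip_address(value)))  # handles v4 and v6
        else:
            out["other"].append(tag)  # e.g. rfc822Name [1] or URI [6]; kept only as a tag
    return out


def unexpected_names(der, inventory):
    """Names on the certificate that are not in our host inventory (stale or forgotten)."""
    san = parse_san(der)
    return sorted(n for n in san["dns"] + san["ip"] if n not in inventory)


if __name__ == "__main__":
    der = build_san(["example.com", "www.example.com", "old-staging.example.com"], ["10.0.0.1"])
    print(parse_san(der))
    print(unexpected_names(der, {"example.com", "www.example.com", "10.0.0.1"}))
```

On a live connection the standard library gives the same list without any parsing: `ssl.SSLSocket.getpeercert()["subjectAltName"]` returns `('DNS', name)` and `('IP Address', addr)` tuples, and the `cryptography` package exposes it through `x509.SubjectAlternativeName`. The hand-written decoder is only there to show what the bytes behind the grep look like and to handle long-form lengths and truncated input explicitly.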
