Virtual Hosts (VHOSTS) Enumeration

Last modified: 2024-03-17

We can find a website's virtual hosts by enumerating values of the Host header.

Enumeration

# Ffuf
# -fs hides responses of the given size; set it to the size returned for a nonexistent vhost.
ffuf -u http://example.com/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234
# Follow redirects (-r)
ffuf -u http://example.com/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234 -r
# Sometimes we have to specify the IP address instead of the domain in the URL.
ffuf -u http://10.0.0.1/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234

# Wfuzz
# --hl hides responses with the given number of lines.
wfuzz -u http://example.com -H "Host: FUZZ.example.com" -w wordlist.txt --hl 138

Add Vhosts to Hosts File

If we find a vhost, add its IP address and domain to the hosts file on our attack machine.

  • Linux: /etc/hosts
  • Windows: C:\Windows\System32\drivers\etc\hosts

Once we find a vhost, we can search further by combining its name with keywords.
For instance, assume we found the “sub” subdomain.

sub-api.example.com
sub-dev.example.com
sub-prod.example.com
sub-mail.example.com
sub-email.example.com

api-sub.example.com
dev-sub.example.com
prod-sub.example.com
mail-sub.example.com
email-sub.example.com



OSINT



SAN (Subject Alternative Name) in the Certificate

SAN is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field.
We can also inspect it to find subdomains.
Replace "example.com" with your target domain.

openssl s_client -connect example.com:443 < /dev/null | openssl x509 -noout -text | grep -C3 -i dns
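
The grep above prints the raw SAN line with surrounding context. The following is an added example, not part of the original page: it turns that output into a clean, de-duplicated list of in-scope DNS names, which is also handy for auditing which hostnames our own certificates disclose. The function names and the sample certificate text are constructed for illustration.

```shell
# Print the unique DNS names from the SAN extension of
# `openssl x509 -noout -text` output read on stdin.
# $1 = apex domain; names outside it are dropped.
san_dns_names() {
    apex="$1"
    # The SAN values sit on the line after the extension header.
    grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' |
        # Keep only DNS entries (skips IP Address, email, URI) and strip the tag.
        sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' |
        tr '[:upper:]' '[:lower:]' |
        # A wildcard entry only tells us the parent name exists.
        sed 's/^\*\.//' |
        # Keep the apex itself or anything ending in ".<apex>".
        awk -v apex="$apex" '
            $0 == apex || substr($0, length($0) - length(apex)) == "." apex' |
        LC_ALL=C sort -u
}

# Constructed sample of certificate text, so the function can be tried offline.
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:example.com, DNS:*.example.com, DNS:API.example.com, DNS:dev.example.com, DNS:cdn.example.net, IP Address:10.0.0.1
EOF
}

# Offline: sample_cert_text | san_dns_names example.com
# Live:    openssl s_client -connect example.com:443 < /dev/null 2>/dev/null \
#              | openssl x509 -noout -text | san_dns_names example.com
```

Names found this way can be added to the hosts file as described earlier on the page.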