
VHostScan: HTTP Virtual Host Scanner

VHostScan

A virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases, and dynamic default pages. First presented at SecTalks BNE in September 2017 (slidedeck).

Key Benefits

  • Quickly highlight unique content in catch-all scenarios
  • Locate the outliers in catch-all scenarios where results have dynamic content on the page (such as the time)
  • Identify aliases by tweaking the unique depth of matches
  • Wordlist supports standard words and a variable to input a base hostname (e.g. dev.%s from the wordlist would be run as dev.BASE_HOST)
  • Work over HTTP and HTTPS
  • Ability to set the real port of the web server to use in headers when pivoting through ssh/nc
  • Add simple response headers to bypass some WAF products
  • Identify new targets by using reverse lookups and append to wordlist

Product Comparisons


Install Requirements

Using pip install via:
[$ pip install -r requirements.txt]

Usage

| Argument | Description |
|---|---|
| -h, --help | Display help message and exit. |
| -t TARGET_HOSTS | Set the target host. |
| -b BASE_HOST | Set host to be used during substitution in wordlist (default to TARGET). |
| -w WORDLISTS | Set the wordlist(s) to use. You may specify multiple wordlists in comma delimited format (e.g. -w "./wordlists/simple.txt, ./wordlists/hackthebox.txt") (default ./wordlists/virtual-host-scanning.txt). |
| -p PORT | Set the port to use (default 80). |
| -r REAL_PORT | The real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT). |
| --ignore-http-codes IGNORE_HTTP_CODES | Comma separated list of HTTP codes to ignore with virtual host scans (default 404). |
| --ignore-content-length IGNORE_CONTENT_LENGTH | Ignore content lengths of specified amount. |
| --first-hit | Return first successful result. Only use in scenarios where you are sure no catch-all is configured (such as a CTF). |
| --unique-depth UNIQUE_DEPTH | Show likely matches of page content that is found x times (default 1). |
| --ssl | If set then connections will be made over HTTPS instead of HTTP. |
| --fuzzy-logic | If set then all unique content replies are compared and a similarity ratio is given for each pair. This helps to isolate vhosts in situations where a default page isn't static (such as having the time on it). |
| --no-lookups | Disable reverse lookups (identifies new targets and appends to wordlist, on by default). |
| --rate-limit | Amount of time in seconds to delay between each scan (default 0). |
| --random-agent | If set, each scan will use a random user-agent from a predefined list. |
| --user-agent | Specify a user agent to use for scans. |
| --waf | If set then simple WAF bypass headers will be sent. |
| -oN OUTPUT_NORMAL | Normal output printed to a file when the -oN option is specified with a filename argument. |
| -oG OUTPUT_GREPABLE | Grepable output printed to a file when the -oG option is specified with a filename argument. |
| -oJ OUTPUT_JSON | JSON output printed to a file when the -oJ option is specified with a filename argument. |

Usage Examples

Note that a number of these examples reference 10.10.10.29. This IP refers to BANK.HTB, a retired target machine from HackTheBox (https://www.hackthebox.eu/).

Quick Example

The most straightforward example runs the default wordlist against example.com using the default of port 80:
[$ VHostScan.py -t example.com]

Port forwarding

Say you have an SSH port forward listening on port 4444 forwarding traffic to port 80 on example.com's development machine. You could use the following to make VHostScan connect through your SSH tunnel via localhost:4444 but format the header requests to suit connecting straight to port 80:
[$ VHostScan.py -t localhost -b example.com -p 4444 -r 80]

STDIN

VHostScan supports piping from other applications and will treat information passed to VHostScan as wordlist data. For example:
[$ cat bank.htb | VHostScan.py -t 10.10.10.29]


STDIN and WordList

You can still specify a wordlist to use along with stdin. In these cases, wordlist information will be appended to stdin. For example:
[$ echo -e 'a.example.com\nb.example.com' | VHostScan.py -t localhost -w ./wordlists/wordlist.txt]

Fuzzy Logic

Here is an example of fuzzy logic enabled. You can see the last comparison is much more similar than the first two (it is comparing the content, not the actual hashes):
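Added example, not VHostScan's own code: it shows why exact-hash matching treats every catch-all reply as unique once the page embeds a timestamp, and how a pairwise similarity ratio isolates the one page that really differs. The response bodies are constructed, the function names are hypothetical, and Python's difflib is assumed as the similarity measure.

```python
import hashlib
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample data: Host header value -> response body.
# Three hosts hit a catch-all page whose only difference is the time.
RESPONSES = {
    "www.example.com": "<html><h1>Welcome</h1><p>Served at 12:00:01</p></html>",
    "mail.example.com": "<html><h1>Welcome</h1><p>Served at 12:00:02</p></html>",
    "ftp.example.com": "<html><h1>Welcome</h1><p>Served at 12:00:03</p></html>",
    "dev.example.com": "<html><h1>Staging login</h1><form action='/auth'></form></html>",
}

def unique_by_hash(responses, unique_depth=1):
    """Hosts whose exact body hash is shared by at most unique_depth hosts."""
    groups = defaultdict(list)
    for host, body in responses.items():
        groups[hashlib.sha256(body.encode()).hexdigest()].append(host)
    return sorted(h for hosts in groups.values()
                  if len(hosts) <= unique_depth for h in hosts)

def similarity(a, b):
    """Similarity of two bodies as a percentage (0-100)."""
    return round(SequenceMatcher(None, a, b).ratio() * 100)

def outliers(responses, threshold=80):
    """Hosts whose body is not at least threshold% similar to any other body."""
    best = {host: 0 for host in responses}
    for a, b in combinations(responses, 2):
        ratio = similarity(responses[a], responses[b])
        best[a] = max(best[a], ratio)
        best[b] = max(best[b], ratio)
    return sorted(h for h, ratio in best.items() if ratio < threshold)

if __name__ == "__main__":
    # Hash comparison alone: the timestamp makes all four bodies "unique".
    print("unique by hash:", unique_by_hash(RESPONSES))
    # Content comparison: the near-identical catch-all pages collapse together.
    for a, b in combinations(RESPONSES, 2):
        print(f"{a} vs {b}: {similarity(RESPONSES[a], RESPONSES[b])}%")
    print("outliers:", outliers(RESPONSES))
```
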

Running the tests

The project includes a small battery of tests. It's really simple to run the tests:
[pip install -r test-requirements.txt]
[pytest] 
If you're thinking of adding a new feature to the project, consider also contributing with a couple of tests. A well-tested codebase is a sane codebase. :)

Important Notice

For Educational and Informational Purposes Only.

The information contained in our Website, Programs, and Services is for educational and informational purposes only and is made available to you as self-help tools for your own use. I am not responsible for any kind of damage to hardware or software and am not liable for any kind of unethical activity.