vhostscan
A virtual host scanner that can be used with pivot tools and can detect catch-all scenarios, aliases and dynamic default pages.
Details
Category: Recon
Publisher: trickest
Created Date: 6/23/2021
Container: quay.io/trickest/vhostscan:4a3a1ee
Source URL: https://github.com/codingo/VHostScan
Parameters
ssl
boolean
Command:
--ssl
- If set then connections will be made over HTTPS instead of HTTP.
waf
boolean
Command:
--waf
- If set then simple WAF bypass headers will be sent.
port
string
Command:
-p
- Set the port to use (default 80).
base-host
string
Command:
-b
- Set host to be used during substitution in wordlist (default to TARGET).
real-port
string
Command:
-r
- The real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT).
wordlists
file
Command:
-w
- Set the wordlist(s) to use. You may specify multiple wordlists in comma-delimited format (e.g. -w ./wordlists/simple.txt, ./wordlists/hackthebox.txt) (default ./wordlists/virtual-host-scanning.txt).
user-agent
string
Command:
--user-agent
- Specify a user agent to use for scans.
fuzzy-logic
boolean
Command:
--fuzzy-logic
- If set then all unique content replies are compared and a similarity ratio is given for each pair. This helps to isolate vhosts in situations where a default page isn't static (such as having the time on it).
random-agent
boolean
Command:
--random-agent
- If set, each scan will use a random user-agent from a predefined list.
target-hosts
string
required
Command:
-t
- Set the target host.
ignore-http-codes
string
Command:
--ignore-http-codes
- Comma-separated list of HTTP codes to ignore with virtual host scans (default 404).
ignore-content-length
string
Command:
--ignore-content-length
- Ignore content lengths of the specified amount.
Delay-between-each-scan
string
Command:
--rate-limit
- Amount of time in seconds to delay between each scan (default 0).
Disable-reverse-lookups
boolean
Command:
--no-lookups
- Disable reverse lookups (identifies new targets and appends them to the wordlist; on by default).
First-successful-result
boolean
Command:
--first-hit
- Return first successful result. Only use in scenarios where you are sure no catch-all is configured (such as a CTF).
Suffix-to-items-in-wordlist
string
Command:
--suffix
- Add a suffix to each item in the wordlist, to add <word>dev, <word>dev
Prefix-to-items-in-wordlists
string
Command:
--prefix
- Add a prefix to each item in the wordlist, to add dev-<word>, test-<word> etc.