vhostscan
A virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Name:vhostscan
Category:Recon
Publisher:trickest
Created:6/23/2021
Container:
quay.io/trickest/vhostscan:4a3a1eeOutput Type:
License:Unknown
Source:View Source
Parameters
--sslIf set then connections will be made over HTTPS instead of HTTP.--wafIf set then simple WAF bypass headers will be sent.-pSet the port to use (default 80).-bSet host to be used during substitution in wordlist (default to TARGET).-rThe real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT).-wSet the wordlist(s) to use. You may specify multiple wordlists in comma delimited format (e.g. -w ./wordlists/simple.txt, ./wordlists/hackthebox.txt (default ./wordlists/virtual-host-scanning.txt).--user-agentSpecify a user agent to use for scans.--fuzzy-logicIf set then all unique content replies are compared and a similarity ratio is given for each pair. This helps to isolate vhosts in situations where a default page isn't static (such as having the time on it).--random-agentIf set, each scan will use a random user-agent from a predefined list.-tSet the target host.--ignore-http-codesComma separated list of http codes to ignore with virtual host scans (default 404).--ignore-content-lengthIgnore content lengths of specificed amount.--rate-limitAmount of time in seconds to delay between each scan (default 0).--no-lookupsDisbale reverse lookups (identifies new targets and append to wordlist, on by default).--first-hitReturn first successful result. Only use in scenarios where you are sure no catch-all is configured (such as a CTF).--suffixAdd a suffix to each item in the wordlist, to add <word>dev, <word>dev--prefixAdd a prefix to each item in the wordlist, to add dev-<word>, test-<word> etc