Details

Category: Recon

Publisher: trickest

Created Date: 6/23/2021

Container: quay.io/trickest/vhostscan:4a3a1ee

Source URL: https://github.com/codingo/VHostScan

Parameters

ssl
boolean
Command: --ssl - If set then connections will be made over HTTPS instead of HTTP.
waf
boolean
Command: --waf - If set then simple WAF bypass headers will be sent.
port
string
Command: -p - Set the port to use (default 80).
base-host
string
Command: -b - Set host to be used during substitution in wordlist (default to TARGET).
real-port
string
Command: -r - The real port of the webserver to use in headers when not 80 (see RFC 2616, section 14.23), useful when pivoting through ssh/nc etc. (defaults to PORT).
wordlists
file
Command: -w - Set the wordlist(s) to use. You may specify multiple wordlists in comma-delimited format (e.g. -w ./wordlists/simple.txt, ./wordlists/hackthebox.txt) (default ./wordlists/virtual-host-scanning.txt).
user-agent
string
Command: --user-agent - Specify a user agent to use for scans.
fuzzy-logic
boolean
Command: --fuzzy-logic - If set then all unique content replies are compared and a similarity ratio is given for each pair. This helps to isolate vhosts in situations where a default page isn't static (such as having the time on it).
random-agent
boolean
Command: --random-agent - If set, each scan will use a random user-agent from a predefined list.
target-hosts
string
required
Command: -t - Set the target host.
ignore-http-codes
string
Command: --ignore-http-codes - Comma-separated list of HTTP codes to ignore with virtual host scans (default 404).
ignore-content-length
string
Command: --ignore-content-length - Ignore content lengths of specified amount.
Delay-between-each-scan
string
Command: --rate-limit - Amount of time in seconds to delay between each scan (default 0).
Disable-reverse-lookups
boolean
Command: --no-lookups - Disable reverse lookups (identifies new targets and appends to wordlist, on by default).
First-successful-result
boolean
Command: --first-hit - Return first successful result. Only use in scenarios where you are sure no catch-all is configured (such as a CTF).
Suffix-to-items-in-wordlist
string
Command: --suffix - Add a suffix to each item in the wordlist, to add <word>dev, <word>dev
Prefix-to-items-in-wordlists
string
Command: --prefix - Add a prefix to each item in the wordlist, to add dev-<word>, test-<word>, etc.