loading
loading
Recon
A virtual host scanner that detects catch-all scenarios, aliases, and dynamic default pages.
overview
vhostscan finds the virtual hosts served from a single IP by sweeping a wordlist of candidate hostnames through the Host header and watching how the server responds. One web server commonly answers for many names (staging.example.com, admin.example.com, an old app no one links to), and vhostscan is built to surface those hidden names.
Fuzzy-logic mode compares the content of every reply and scores how similar they are, which isolates real virtual hosts even when the default page is dynamic and changes on each request. It can send WAF-bypass headers, use a real port in headers while pivoting, and add prefixes or suffixes to expand the wordlist on the fly.
On Trickest, vhostscan is a Recon node that takes a target host and a wordlist and writes a file and a folder of results. Run it after you have an IP and a base domain to enumerate the other names that IP serves, then probe the discovered hosts to confirm and classify them.
source github.com/codingo/VHostScan
use cases
Sweep a hostname wordlist through the Host header against a target IP to surface staging, admin, and legacy sites sharing the same server.
Enable --fuzzy-logic so vhostscan compares response content and scores similarity, isolating real vhosts even when the default page changes per request.
Set -r so headers carry the true webserver port while you scan through an SSH or netcat tunnel on a different local port.
Add --prefix or --suffix values like dev- and -staging to each wordlist entry to catch naming conventions without editing the list itself.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target-hosts | STRING | -t | Set the target host. |
| wordlists | FILE | -w | Wordlist(s) to use; comma-delimited for multiple. |
| base-host | STRING | -b | Host used during substitution in the wordlist (default TARGET). |
| port | STRING | -p | Port to use (default 80). |
| ssl | BOOLEAN | --ssl | Make connections over HTTPS instead of HTTP. |
| fuzzy-logic | BOOLEAN | --fuzzy-logic | Compare unique content replies and score similarity to isolate vhosts. |
| waf | BOOLEAN | --waf | Send simple WAF bypass headers. |
| ignore-http-codes | STRING | --ignore-http-codes | Comma-separated HTTP codes to ignore (default 404). |
Showing key inputs. vhostscan exposes 17 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| ssl | BOOLEAN | --ssl | If set then connections will be made over HTTPS instead of HTTP. |
| waf | BOOLEAN | --waf | If set then simple WAF bypass headers will be sent. |
| port | STRING | -p | Set the port to use (default 80). |
| base-host | STRING | -b | Set host to be used during substitution in wordlist (default to TARGET). |
| real-port | STRING | -r | The real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT). |
| wordlists | FILE | -w | Set the wordlist(s) to use. You may specify multiple wordlists in comma delimited format (e.g. -w "./wordlists/simple.txt, ./wordlists/hackthebox.txt" (default ./wordlists/virtual-host-scanning.txt). |
| user-agent | STRING | --user-agent | Specify a user agent to use for scans. |
| fuzzy-logic | BOOLEAN | --fuzzy-logic | If set then all unique content replies are compared and a similarity ratio is given for each pair. This helps to isolate vhosts in situations where a default page isn't static (such as having the time on it). |
| random-agent | BOOLEAN | --random-agent | If set, each scan will use a random user-agent from a predefined list. |
| target-hosts | STRING | -t | Set the target host. |
| ignore-http-codes | STRING | --ignore-http-codes | Comma separated list of http codes to ignore with virtual host scans (default 404). |
| ignore-content-length | STRING | --ignore-content-length | Ignore content lengths of specificed amount. |
| Delay-between-each-scan | STRING | --rate-limit | Amount of time in seconds to delay between each scan (default 0). |
| Disable-reverse-lookups | BOOLEAN | --no-lookups | Disbale reverse lookups (identifies new targets and append to wordlist, on by default). |
| First-successful-result | BOOLEAN | --first-hit | Return first successful result. Only use in scenarios where you are sure no catch-all is configured (such as a CTF). |
| Suffix-to-items-in-wordlist | STRING | --suffix | Add a suffix to each item in the wordlist, to add <word>dev, <word>dev |
| Prefix-to-items-in-wordlists | STRING | --prefix | Add a prefix to each item in the wordlist, to add dev-<word>, test-<word> etc |
example
# sweep vhosts over HTTPS with fuzzy catch-all detectionvhostscan -t 198.51.100.24 -b example.com -w vhosts.txt -p 443 --ssl --fuzzy-logic[+] Starting virtual host scan for 198.51.100.24 using port 443 and ssl[+] Using base host example.com for wordlist substitution[+] www.example.com[+] admin.example.com[+] staging.example.com[+] api.example.com[+] dev.example.com[+] mail.example.com[+] vpn.example.comguidance
Use vhostscan when one IP serves multiple sites and you need the hostnames that are not in DNS. Its fuzzy comparison handles catch-all servers that defeat simpler scanners. For directory and path brute forcing instead of vhost names, use gobuster or ffuf with its virtual-hosts mode.
Fast vhost fuzzing with ffuf. vhostscan adds fuzzy catch-all detection and aliasing logic.
Brute forces DNS subdomains. vhostscan finds vhosts on one IP via the Host header instead.
Passive subdomain discovery. vhostscan finds the names a single server answers for, not DNS records.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A target host and a hostname wordlist feed vhostscan, which sweeps the Host header and writes the discovered virtual hosts as a queryable output.
Facts on this page come from the live Trickest tool library.