Virtual Hosts (VHOSTS) Enumeration

We can find virtual hosts for a website by enumerating values of the Host header.

Enumeration

# Ffuf
ffuf -u http://example.com/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234
# follow redirect (-r)
ffuf -u http://example.com/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234 -r
# Sometimes we have to specify the IP address instead of the domain.
ffuf -u http://10.0.0.1/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234

# Wfuzz
wfuzz -u http://example.com -H "Host: FUZZ.example.com" -w wordlist.txt --hl 138

Add Vhosts to Hosts File

If we find a vhost, add its IP address and domain to the hosts file, whose location depends on your attack machine.


Once we find a vhost, we can search further by combining its name with common keywords.
For instance, assume we found the “sub” domain.

sub-api.example.com
sub-dev.example.com
sub-prod.example.com
sub-mail.example.com
sub-email.example.com

api-sub.example.com
dev-sub.example.com
prod-sub.example.com
mail-sub.example.com
email-sub.example.com



OSINT



SAN (Subject Alternative Name) in the Certificate

SAN is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field.
We can also check it to find subdomains.
Replace "example.com" with your target domain.

openssl s_client -connect example.com:443 < /dev/null | openssl x509 -noout -text | grep -C3 -i dns
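
The same SAN check is useful for auditing which hostnames our own certificates disclose. The following added example (not part of the original page) parses `openssl x509 -noout -text` output from stdin; the helper names `san_dns_names` and `san_in_scope` and the sample certificate text are constructed for illustration.

```shell
# Added example; helper names and the sample text below are constructed.
# Reads `openssl x509 -noout -text` output on stdin, prints unique DNS SANs.
san_dns_names() {
  awk '
    # The SAN values are on the line right after the extension header.
    /X509v3 Subject Alternative Name/ { grab = 1; next }
    grab {
      n = split($0, parts, /, */)
      for (i = 1; i <= n; i++) {
        entry = parts[i]
        gsub(/^[ \t]+|[ \t]+$/, "", entry)
        # Keep DNS entries only; skip IP Address, email, URI and so on.
        if (entry ~ /^DNS:/) {
          sub(/^DNS:/, "", entry)
          print tolower(entry)
        }
      }
      grab = 0
    }
  ' | LC_ALL=C sort -u
}

# Keep only names at or under the apex domain given as $1 (wildcards included).
san_in_scope() {
  san_dns_names | awk -v apex="$1" '
    { name = $0; sub(/^\*\./, "", name) }
    name == apex || substr(name, length(name) - length(apex)) == "." apex
  '
}

# Constructed sample of the text `openssl x509 -noout -text` prints.
sample_cert_text() {
  cat <<'EOF'
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:example.com, DNS:*.example.com, DNS:DEV.example.com, DNS:partner.example.net, IP Address:10.0.0.1
EOF
}

sample_cert_text | san_in_scope example.com
```

For a live certificate, drop the final `grep` from the command above and pipe the `openssl x509 -noout -text` output into `san_in_scope example.com`.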