Virtual Hosts (VHOSTS) Enumeration
We can find virtual hosts for websites by enumerating Host header value.
Enumeration
# Ffuf
ffuf -u http://example.com/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234
# follow redirect (-r)
ffuf -u http://example.com/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234 -r
# Sometimes, we have to specify the ip address not domain.
ffuf -u http://10.0.0.1/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234
# Wfuzz
wfuzz -u http://example.com -H "Host: FUZZ.example.com" -w wordlist.txt --hl 138
Add Vhosts to Hosts File
If we found a vhost, add that ip&domain to the hosts file depending on your attack machine.
- Linux:
/etc/hosts - Windows:
C:\Windows\System32\drivers\etc\hosts
Related Domains
If we find the vhosts, we can try to search moreover with keywords.
For instance, assume we found “sub” domain.
sub-api.example.com
sub-dev.example.com
sub-prod.example.com
sub-mail.example.com
sub-email.example.com
api-sub.example.com
dev-sub.example.com
prod-sub.example.com
mail-sub.example.com
email-sub.example.com
OSINT
SAN (Subject Alternative Name) in the Certificate
SAN is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field.
We can also check it for finding subdomains.
Replace "example.com" with your target domain.