# VHostScan - Virtual host scanner that can be used with pivot tools
A virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages. First presented at SecTalks BNE in September 2017 (slidedeck).
## Key Benefits
- Quickly highlight unique content in catch-all scenarios
- Locate the outliers in catch-all scenarios where results have dynamic content on the page (such as the time)
- Identify aliases by tweaking the unique depth of matches
- Wordlist supports standard words and a variable to input a base hostname (e.g. dev.%s from the wordlist would be run as dev.BASE_HOST)
- Works over HTTP and HTTPS
- Ability to set the real port of the webserver to use in headers when pivoting through ssh/nc
- Add simple response headers to bypass some WAF products
## Usage
Argument | Description |
---|---|
-h, --help | Display help message and exit |
-t TARGET_HOSTS | Set the target host. |
-b BASE_HOST | Set host to be used during substitution in wordlist (defaults to TARGET). |
-w WORDLIST | Set the wordlist to use (default ./wordlists/virtual-host-scanning.txt) |
-p PORT | Set the port to use (default 80). |
-r REAL_PORT | The real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (defaults to PORT). |
--ignore-http-codes IGNORE_HTTP_CODES | Comma separated list of HTTP codes to ignore with virtual host scans (default 404). |
--ignore-content-length IGNORE_CONTENT_LENGTH | Ignore content lengths of the specified amount. |
--unique-depth UNIQUE_DEPTH | Show likely matches of page content that is found x times (default 1). |
--ssl | If set then connections will be made over HTTPS instead of HTTP. |
--fuzzy-logic | If set then all unique content replies are compared and a similarity ratio is given for each pair. This helps to isolate vhosts in situations where a default page isn't static (such as having the time on it). |
--waf | If set then simple WAF bypass headers will be sent. |
-oN OUTPUT_NORMAL | Normal output printed to a file when the -oN option is specified with a filename argument. |
- | By passing a blank '-' you tell VHostScan to expect input from stdin (pipe). |
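To show how the `%s` host substitution, the `-r` real-port Host header, the catch-all grouping behind `--unique-depth` and the `--fuzzy-logic` similarity ratio fit together, here is a small offline Python example added by the editor. It is not VHostScan's own code: the responses are constructed and the function names are assumptions.

```python
"""Offline illustration of the catch-all / fuzzy-match logic a vhost scanner uses."""
import difflib
import hashlib


def build_host_header(word, base_host, real_port):
    """Expand a wordlist entry (a '%s' placeholder becomes base_host) into a Host header
    value; the port is appended only when it is not 80 (RFC 2616 section 14.23)."""
    host = word % base_host if "%s" in word else word
    return host if real_port == 80 else f"{host}:{real_port}"


def group_by_content(responses, ignore_codes=(404,), ignore_length=None):
    """Bucket responses by body hash so identical catch-all replies collapse into one group."""
    groups = {}
    for vhost, status, body in responses:
        if status in ignore_codes or (ignore_length is not None and len(body) == ignore_length):
            continue
        key = hashlib.sha256(body.encode()).hexdigest()
        groups.setdefault(key, []).append((vhost, body))
    return groups


def likely_matches(groups, unique_depth=1):
    """Vhosts whose content was seen at most unique_depth times (the --unique-depth idea)."""
    return sorted(v for members in groups.values() if len(members) <= unique_depth
                  for v, _ in members)


def fuzzy_pairs(groups):
    """Similarity ratio for each pair of unique bodies; a ratio near 1.0 means the same
    default page with dynamic content (such as the time), not a distinct vhost."""
    uniques = [members[0] for members in groups.values()]
    out = {}
    for i, (va, ba) in enumerate(uniques):
        for vb, bb in uniques[i + 1:]:
            out[(va, vb)] = round(difflib.SequenceMatcher(None, ba, bb).ratio(), 2)
    return out


# Constructed sample: three vhosts share a static default page, two show the same page
# with a timestamp, one returns 404 and one (admin) has genuinely unique content.
SAMPLE = [
    ("www.example.com", 200, "<h1>Welcome</h1><p>default site</p>"),
    ("mail.example.com", 200, "<h1>Welcome</h1><p>default site</p>"),
    ("ftp.example.com", 200, "<h1>Welcome</h1><p>default site</p>"),
    ("old.example.com", 404, "Not Found"),
    ("dev.example.com", 200, "<h1>Welcome</h1><p>default site</p><p>12:30:01</p>"),
    ("stage.example.com", 200, "<h1>Welcome</h1><p>default site</p><p>12:30:02</p>"),
    ("admin.example.com", 200, "<h1>Admin portal</h1><form>...</form>"),
]
```

With the sample above, `likely_matches(group_by_content(SAMPLE))` isolates dev, stage and admin, and `fuzzy_pairs` then shows dev and stage are near-identical, leaving admin as the real outlier.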