A virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages. First presented at SecTalks BNE in September 2017 (slidedeck).

Key Benefits

Quickly highlight unique content in catch-all scenarios
Locate the outliers in catch-all scenarios where results have dynamic content on the page (such as the time)
Identify aliases by tweaking the unique depth of matches
Wordlist supports standard words and a variable to input a base hostname (for e.g. dev.%s from the wordlist would be run as dev.BASE_HOST)
Work over HTTP and HTTPS
Ability to set the real port of the webserver to use in headers when pivoting through ssh/nc
Add simple response headers to bypass some WAF products

Usage

Argument	Description
-h, --help	Display help message and exit
-t TARGET_HOSTS	Set the target host.
-b BASE_HOST	Set host to be used during substitution in wordlist (default to TARGET).
-w WORDLIST	Set the wordlist to use (default ./wordlists/virtual-host-scanning.txt)
-p PORT	Set the port to use (default 80).
-r REAL_PORT	The real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT).
--ignore-http-codes IGNORE_HTTP_CODES	Comma separated list of http codes to ignore with virtual host scans (default 404).
--ignore-content-length IGNORE_CONTENT_LENGTH	Ignore content lengths of specificed amount.
--unique-depth UNIQUE_DEPTH	Show likely matches of page content that is found x times (default 1).
--ssl	If set then connections will be made over HTTPS instead of HTTP.
--fuzzy-logic	If set then all unique content replies are compared and a similarity ratio is given for each pair. This helps to isolate vhosts in situations where a default page isn't static (such as having the time on it).
--waf	If set then simple WAF bypass headers will be sent.
-oN OUTPUT_NORMAL	Normal output printed to a file when the -oN option is specified with a filename argument.
-	By passing a blank '-' you tell VHostScan to expect input from stdin (pipe).

Github Project

Key Benefits

Quickly highlight unique content in catch-all scenarios

Locate the outliers in catch-all scenarios where results have dynamic content on the page (such as the time)

Identify aliases by tweaking the unique depth of matches

Wordlist supports standard words and a variable to input a base hostname (for e.g. dev.%s from the wordlist would be run as dev.BASE_HOST)

Work over HTTP and HTTPS

Ability to set the real port of the webserver to use in headers when pivoting through ssh/nc

Add simple response headers to bypass some WAF products

Usage

Argument	Description
-h, --help	Display help message and exit
-t TARGET_HOSTS	Set the target host.
-b BASE_HOST	Set host to be used during substitution in wordlist (default to TARGET).
-w WORDLIST	Set the wordlist to use (default ./wordlists/virtual-host-scanning.txt)
-p PORT	Set the port to use (default 80).
-r REAL_PORT	The real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT).
--ignore-http-codes IGNORE_HTTP_CODES	Comma separated list of http codes to ignore with virtual host scans (default 404).
--ignore-content-length IGNORE_CONTENT_LENGTH	Ignore content lengths of specificed amount.
--unique-depth UNIQUE_DEPTH	Show likely matches of page content that is found x times (default 1).
--ssl	If set then connections will be made over HTTPS instead of HTTP.
--fuzzy-logic	If set then all unique content replies are compared and a similarity ratio is given for each pair. This helps to isolate vhosts in situations where a default page isn't static (such as having the time on it).
--waf	If set then simple WAF bypass headers will be sent.
-oN OUTPUT_NORMAL	Normal output printed to a file when the -oN option is specified with a filename argument.
-	By passing a blank '-' you tell VHostScan to expect input from stdin (pipe).

VHostScan - Virtual host scanner that can be used with pivot tools

Key Benefits

Usage

VHostScan - Virtual host scanner that can be used with pivot tools

Key Benefits

Usage