How to find web server virtual host
This is a virtual host scanner manual, devoted to VHostScan tool.
What are virtual hosts?
A web server can host more than one site. Each of this site is a virtual host. The name (identifier) of the virtual host can be:
- Domain name
- Subdomain (of any level, for example, kali.tools, en.kali.tools, test.en.kali.tools – these are all virtual hosts that can have different settings and even different IP addresses)
- Arbitrary names (any string that is not a valid domain name or subdomain)
Note: now I mean name-based virtual hosts, in addition IP-based virtual hosts and port-based virtual hosts exist.
About the search for virtual hosts, actually sites on one IP, as well as subdomains, I already wrote and I’ll give you links to these articles at the end of this instruction. Now I want to consider the option of searching for arbitrary host names, which is particularly relevant for local networks. But the tool I am talking about can also be used to search for domains and subdomains.
In a local network (for example, an organization’s corporate network), all connected computers can use the organization’s own DNS server. Such a DNS server normally processes requests for domains (that is, for example, it will send IP 185.26.122.50 to the miloserdov.org request), and can also be configured to process additional names.
For example, the system administrator can add there such names as
- files.loc – for local file sharing
- forum – for announcements and discussions
- info.all – web resource with information for all
- info.man – web resource with information for managers
- etc.
As a result, instead of the IP address, users of the local network can type http://info.all in address bar of a browser.
Or the following address: http://forum/
If you need to make these local hostnames work on the same computer, you do not need to use the DNS name server — you just need to edit the /etc/hosts file.
The peculiarity of such virtual hosts is that they can hardly be found using third-party services, since they can be purely local. Therefore, they have to look for brute force methods, and for this you need special tools, for example VHostScan.
Installing VHostScan on Kali Linux
Installing VHostScan is simple, but the official help for some reason indicates the use of Python3, which in practice makes it impossible to install some obsolete dependencies and the program does not start (I wasted a few hours trying to solve the associated problems). But when using Python2, everything runs smoothly:
git clone https://github.com/codingo/VHostScan cd VHostScan/ sudo python2 setup.py install
How to search for virtual hosts
The essence of the search for virtual hosts is quite simple – a request is made to the web server with the indication of the hostname and the received response is analyzed. But there are a few pitfalls.
The VHostScan program is quite intelligent. It knows about the existence of default virtual hosts of the web server — these are the hosts whose contents are shown in case the requested host is not found. Thanks to this technique, the program does not show false results if the web server responds to all hosts in a row. And the program itself determines what exactly is shown by the default virtual host – based on the analysis of all the results obtained. By the way, for this reason it is useless to check one single hostname at a time — the program simply cannot find out if it really exists, or the default content is shown.
It happens that the web server when accessing non-existent hosts is configured to show similar, but not identical pages. An example of such a response:
Host not found. The current time is 19 hours 18 minutes 30 seconds.
Or
Host_NAME_HOST not found
Strictly speaking, such pages are unique and can confuse some programs, resulting in false results. In turn, VHostScan is able to work with this problem and analyzes the submitted pages in parts. That is, if the server sends something similar, the non-existent hosts will not be included in the list of found ones, or they will receive a low probability of existence.
Search for virtual hosts by dictionary
For the work of the program you need a target address and a dictionary. Moreover, several dictionaries are supplied with VHostScan and if you have not specified your own, the program will use the default dictionary. That is, only the target address is required. As an address, you can specify a domain, IP address or a range of IP addresses.
An example of searching for other virtual hosts with the default dictionary virtual-host-scanning.txt on a web server running hackware.ru:
VHostScan -t hackware.ru
Since this is a hosting service, no extra virtual hosts were found. By the way, the default dictionary is more suitable for the local network.
How to brute-force for sites on a single IP
In addition to searching for non-standard virtual host names, you can search for ordinary domains and subdomains. For example, create a file vhosts.dic and copy into it
mi-al.ru mi2-al.ru localhost sdsdfsdf.ru hackware.ru www.hackware.ru www2.hackware.ru www3.hackware.ru en.hackware.ru test.hackware.ru ssssdfsdfsd.org suay.ru one-more-fake.site admin mysql local suip.biz www.suip.biz test.suip.biz test.en.suip.biz forum dash administration
To search for virtual hosts on the IP address (-t 185.26.122.50) with the dictionary (-w vhosts.dic):
VHostScan -t 185.26.122.50 -w vhosts.dic
To specify your dictionary, use the -w option. Results:
[+] Most likely matches with a unique count of 1 or less: [>] mi-al.ru [>] hackware.ru [>] test.hackware.ru [>] suay.ru
How to search subdomains. How to search domains in different domain zones
The option --prefix will make that a specific string is put in front of each entry from the dictionary – this way you can search for certain subdomains. For example:
VHostScan -t 185.26.122.50 -w vhosts.dic --prefix 'test.'
More precisely, a search will be made on all the words from the dictionary, and then another search is made with a prefix.
If you have a dictionary without specifying a top-level domain, for example:
site super-app installoffice myblog admin-notes waytogo
and so on, using the option --suffix with strings of the form “.ru”, “.org”, “.net”, etc. So you can search for the same names in different top-level domains.
Search for virtual hosts using SSL
For a web server (using Apache for example), the address http://suip.biz and https://suip.biz (they differ only in the HTTP and HTTPS protocols) are two different virtual hosts! Of course, when setting up a web server in such cases, the same files are usually specified as the contents of the site, but you need to remember such an unusual opportunity – to show different sites with the same domain name, but with a different protocol (if more precisely, these are two port-based virtual hosts for the web server). It may be the case that for one of these protocols (including HTTP), the virtual host setup is simply not available.
To use the secure HTTPS protocol there is an option --ssl. By default, VHostScan uses port 80 and the option --ssl does not change this! That is, in addition to this option, you also need to specify the correct port number with the -p option:
VHostScan -t 185.117.153.79 -w vhosts.dic --ssl -p 443
The result:
[+] Most likely matches with a unique count of 1 or less: [>] suip.biz
Hot to get hostnames from standard input
You can pipe hostnames from other tools to VHostScan. The program will interpret this data as a list of words, for example:
cat bank.htb | VHostScan -t 10.10.10.29
If you wish, you can combine the use of the dictionary with the standard input. In this case, the lines from the dictionary will be added to the lines piped from another program:
echo -e 'a.example.com\r\nb.example.com' | VHostScan -t localhost -w ./wordlists/wordlist.txt
Notice how the string is passed with echo:
- the -e option is used
- as the domain separator is used the string \r\n
BaseHost Substitution
The program supports the insertion of the basehost on the fly. To do this, use the string %s in the dictionary, for example:
admin.%s beta.%s dev.%s development.%s m.%s mobile.%s old.%s secure.%s www.%s
You can create a separate dictionary with such strings, or use it in conjunction with regular static strings. The %s will be replaced with the base host, which must be specified with the -b option. If you did not specify a base host, then what is specified as a target with the -t option will be substituted – this can be either a domain or an IP address.
Port Forwarding
VHostScan is suitable for use with pivoting techniques as well. By the way, see the article ‘Network pivoting: concept, examples, techniques, tools’.
If you are using SSH configured to redirect traffic from the local port 4444 to port 80 of the example.com machine you are auditing, you can use the following command to make VHostScan connects through your localhost:4444 SSH tunnel, but make the request headers suitable for a direct connection to port 80:
VHostScan -t localhost -b example.com -p 4444 -r 80
Conclusion
VHostScan help
Usage:
VHostScan [-h] -t TARGET_HOSTS [-w WORDLISTS] [-b BASE_HOST] [-p PORT] [--prefix PREFIX] [--suffix SUFFIX] [-r REAL_PORT] [--ignore-http-codes IGNORE_HTTP_CODES] [--ignore-content-length IGNORE_CONTENT_LENGTH] [--first-hit] [--unique-depth UNIQUE_DEPTH] [--ssl] [--fuzzy-logic] [--no-lookups] [--rate-limit RATE_LIMIT] [--waf] [-v] [-oN OUTPUT_NORMAL | -oJ OUTPUT_JSON | -oG OUTPUT_GREPABLE] [--random-agent | --user-agent USER_AGENT]
Optional arguments:
-h, --help show this help message and exit -t TARGET_HOSTS Set a target range of addresses to target. Ex 10.11.1.1-255 -w WORDLISTS Set the wordlists to use (default ./wordlists/virtual- host-scanning.txt) -b BASE_HOST Set host to be used during substitution in wordlist (default to TARGET). -p PORT Set the port to use (default 80). --prefix PREFIX Add a prefix to each item in the word list (dev, test etc) --suffix SUFFIX Add a suffix to each item in the word list -r REAL_PORT The real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT). --ignore-http-codes IGNORE_HTTP_CODES Comma separated list of http codes to ignore with virtual host scans (default 404). --ignore-content-length IGNORE_CONTENT_LENGTH Ignore content lengths of specificed amount (default 0). --first-hit Return first successful result. Only use in scenarios where you are sure no catch-all is configured (such as a CTF). --unique-depth UNIQUE_DEPTH Show likely matches of page content that is found x times (default 1). --ssl If set then connections will be made over HTTPS instead of HTTP (default http). --fuzzy-logic If set then fuzzy match will be performed against unique hosts (default off). --no-lookups Disable reverse lookups (identifies new targets and appends to wordlist, on by default). --rate-limit RATE_LIMIT Amount of time in seconds to delay between each scan (default 0). --waf If set then simple WAF bypass headers will be sent. -v Print verbose output -oN OUTPUT_NORMAL Normal output printed to a file when the -oN option is specified with a filename argument. -oJ OUTPUT_JSON JSON output printed to a file when the -oJ option is specified with a filename argument. -oG OUTPUT_GREPABLE Grepable output printed to a file when the -oG option is specified with a filename argument. --random-agent If set, then each scan will use random user-agent from predefined list. --user-agent USER_AGENT Specify a user-agent to use for scans
Information on configuring virtual hosts for the Apache web server
These articles are recommended for a deeper understanding of the work of virtual hosts from the inside, so that you can look at virtual hosts through the eyes of a webmaster and a web server, as well as practice their configuration.
Alternative ways to search for virtual hosts
To search for certain types of virtual hosts (domains and subdomains), you can use more efficient techniques than brute-forcing, dictionary attack. Methods and instructions for the relevant tools in the articles:
- Search subdomains and build graphs of network structure with Amass
- How to find out hostnames for many IP addresses
Related articles:
- Reconnoitre: Web Application Analysis Assistant (64.2%)
- Basics of working with a web server for a pentester (63.1%)
- Perimeter analysis for website security audit (62.8%)
- How to hack websites (55.3%)
- How to hack websites (part 2) (55.3%)
- jSQL Injection usage guide: a multifunctional tool for scanning and exploiting SQL injection in Kali Linux (RANDOM - 51.9%)
I'd like to ask a beginner question and I'd be happy if you answer.
How can we use this virtual host information of a site? let's say we found a couple of names like dev.sub.target.com and staging.sub.target.com, we can't directly reach these links via browser right?
Why not?