VHOST Discovery

How to find virtual hosts on a web server.

Web servers can be used to host many websites using multiple different domain names. In this scenario, the server IP address would remain the same but the host you are connecting to would change. There are two typical ways to define a virtual host:

1) Using the "Host:" HTTP request header.

2) Via the HTTPS Server Name Indication (SNI) phase of TLS.

Performing VHOST Discovery

Firstly, it should be noted that this is not recommended for web servers using CloudFlare.

To perform VHOST discovery, gobuster can be used with a good wordlist.

https://github.com/OJ/gobuster

Using this command, gobuster will brute force the target server for other VHOSTs.

gobuster vhost --wordlist <wordlist.txt> --url <URL>

Wordlists

To be succesful with this discovery, a good wordlist should be used. We recommend using the following page to find a wordlist. Specifically, subdomains discovery wordlists can be used here.

https://pentestlist.com/wordlists

PreviousParameter Discovery NextCMS Scanners

Last updated 4 months ago