Pentest List Wiki

VHOST Discovery

How to find virtual hosts on a web server.


Last updated 1 year ago

Web servers can be used to host many websites using multiple different domain names. In this scenario, the server IP address would remain the same but the host you are connecting to would change. There are two typical ways to define a virtual host:

1) Using the "Host:" HTTP request header.

2) Via the Server Name Indication (SNI) extension of the TLS handshake, when the site is served over HTTPS.

Performing VHOST Discovery

Firstly, it should be noted that this is not recommended for web servers using Cloudflare.

To perform VHOST discovery, gobuster can be used with a good wordlist.

Using this command, gobuster will brute force the target server for other VHOSTs.

gobuster vhost --wordlist <wordlist.txt> --url <URL>
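
Seen from the server side, this brute force appears as one client requesting many distinct Host values in a short time. The following is an added example, not part of the original page or of gobuster, that flags this pattern in access logs; the log format (Host header logged first), the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format (not from the page): Host header logged first, e.g. nginx
# log_format '$http_host $remote_addr [$time_iso8601] "$request" $status'
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})$')

# Constructed sample lines (documentation IP ranges and example.com only).
SAMPLE_LOG = """\
www.example.com 198.51.100.20 [2024-05-01T10:00:01+00:00] "GET / HTTP/1.1" 200
admin.example.com 203.0.113.7 [2024-05-01T10:00:02+00:00] "GET / HTTP/1.1" 404
dev.example.com 203.0.113.7 [2024-05-01T10:00:02+00:00] "GET / HTTP/1.1" 404
staging.example.com 203.0.113.7 [2024-05-01T10:00:03+00:00] "GET / HTTP/1.1" 200
test.example.com 203.0.113.7 [2024-05-01T10:00:03+00:00] "GET / HTTP/1.1" 404
mail.example.com 203.0.113.7 [2024-05-01T10:00:04+00:00] "GET / HTTP/1.1" 404
www.example.com 198.51.100.20 [2024-05-01T10:00:09+00:00] "GET /about HTTP/1.1" 200
""".splitlines()

def find_vhost_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> peak number of distinct Host values seen inside any
    sliding `window`, for clients whose peak reaches `threshold`."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # skip lines that do not fit the assumed format
            ts = datetime.fromisoformat(m["ts"])
            by_ip[m["ip"]].append((ts, m["host"].lower()))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        in_window = defaultdict(int)  # host -> hits inside the current window
        for ts, host in events:
            in_window[host] += 1
            while ts - events[start][0] > window:  # drop events that aged out
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(find_vhost_bruteforce(SAMPLE_LOG))
```

The threshold and window need tuning against normal traffic, since shared proxies and monitoring services can legitimately touch several hostnames from one address.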

Wordlists

To be successful with this discovery, a good wordlist should be used. We recommend using the following page to find a wordlist. Specifically, subdomain discovery wordlists can be used here.

Wordlists: https://pentestlist.com/wordlists
gobuster: https://github.com/OJ/gobuster