Identifying Virtual Hosts - pentestfunctions/Hacking-For-Beginners GitHub Wiki

Techniques to Find Virtual Host Subdomains

Discovering virtual host subdomains is an essential aspect of penetration testing and reconnaissance, as these subdomains can host different content and applications. This guide outlines various techniques and command examples for identifying virtual host subdomains using example.com as the target.

Introduction

Virtual hosts allow a single web server to host multiple domains or subdomains, each potentially having different content and security configurations. Identifying these virtual hosts can uncover hidden or less obvious parts of a target's web infrastructure.

Virtual Host Discovery Techniques

  1. Subdomain Enumeration

    • Discover potential virtual hosts through subdomain enumeration.
    • Tools: Amass, Sublist3r, subfinder.
  2. DNS Records Analysis

    • Analyze DNS records for clues about virtual hosts.
    • Tools: dig, nslookup.
  3. Brute-Forcing Virtual Host Names

    • Brute-force common subdomain names to uncover virtual hosts.
    • Tools: wfuzz, Gobuster.
  4. Using Host Header Injection

    • Manipulate the HTTP Host header to uncover virtual hosts.
    • Use tools like curl to send crafted requests.
  5. Certificate Transparency Logs

    • Review SSL/TLS certificates for listed subdomains.
    • Websites: crt.sh, SSLMate.
  6. Web Archives

    • Check web archives for historical records of subdomains.
    • Website: Wayback Machine.

Tools and Command Examples

  • Amass
    amass enum -d example.com
    
  • Sublist3r
    sublist3r -d example.com
    
  • subfinder
    subfinder -d example.com
    
  • DNS Records Analysis with dig
    dig +short example.com
    dig +short -t CNAME example.com
    
  • Brute-Forcing with wfuzz
    wfuzz -c -w subdomains.txt --hc 404 -u "http://example.com" -H "Host: FUZZ.example.com"
    
    Replace subdomains.txt with a list of potential subdomain names. --hc 404 hides responses with HTTP status 404 (--hw filters on word count, not status). When the server answers every unknown Host with the same default page, hide that page by its word count instead: request a random, nonexistent name first and pass the word count wfuzz reports for it as --hw <count>.
  • Host Header Injection with curl
    curl -H "Host: subdomain.example.com" http://example.com
    
    Replace subdomain.example.com with suspected virtual host names.
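As an added example (not part of the original wiki), the baseline-comparison logic behind the wfuzz command above, in Python: responses are reduced to (status, word count), a request for a random, nonexistent name establishes what the catch-all virtual host returns, and only names whose signature differs are reported. The target URL and wordlist are supplied by the caller; the sample responses used below are constructed.

```python
import random
import string
import urllib.error
import urllib.request


def signature(status, body):
    """Reduce a response to (status, word count), the same features wfuzz's --hc/--hw filter on."""
    return status, len(body.split())


def random_label(length=12):
    """A label that almost certainly does not exist, used to capture the catch-all vhost's response."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def fetch(url, host, timeout=5):
    """Send one request to url with a chosen Host header; returns (status, body)."""
    req = urllib.request.Request(url, headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def find_vhosts(responses, baseline):
    """responses: {host: (status, body)}. Returns hosts whose response differs from the catch-all baseline."""
    base_sig = signature(*baseline)
    return sorted(host for host, (status, body) in responses.items()
                  if signature(status, body) != base_sig)


def scan(url, domain, words):
    """Probe every word as <word>.<domain> against url and report names that get a distinct response."""
    baseline = fetch(url, f"{random_label()}.{domain}")
    responses = {f"{w}.{domain}": fetch(url, f"{w}.{domain}") for w in words}
    return find_vhosts(responses, baseline)


# Constructed sample responses: www and mail return the default page, dev and old do not.
SAMPLE_BASELINE = (200, "<h1>Welcome</h1> default site")
SAMPLE_RESPONSES = {
    "www.example.com": (200, "<h1>Welcome</h1> default site"),
    "dev.example.com": (200, "<h1>Dev portal</h1> internal build 42"),
    "mail.example.com": (200, "<h1>Welcome</h1> default site"),
    "old.example.com": (404, "Not Found"),
}

if __name__ == "__main__":
    print(find_vhosts(SAMPLE_RESPONSES, SAMPLE_BASELINE))  # ['dev.example.com', 'old.example.com']
```

Against a live target, scan("http://example.com", "example.com", words) performs the same comparison; a name whose response only differs by a dynamic token (timestamp, CSRF value) may still show up, so confirm each hit with a manual curl request.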

Note: Always perform these actions ethically and with permission to avoid legal issues.