VHosts-Sieve is a searching for virtual hosts among non-resolvable domains.
Installation
git clone https://github.com/dariusztytko/vhosts-sieve.git
pip3 install -r vhosts-sieve/requirements.txt
Usage
Get a list of subdomains (e.g. using Amass)
$ amass enum -v -passive -o domains.txt -d example.com -d example-related.com
Use vhosts-sieve.py to find virtual hosts
$ python3 vhosts-sieve.py -d domains.txt -o vhosts.txt
Logs dir: None
Max domains to resolve: -1
Max IPs to scan: -1
Max vhost candidates to check: -1
Ports to scan: [80, 443, 8000, 8008, 8080, 8443]
SNI enabled: False
Threads number: 16
Timeout HTTP: 5.0s
Timeout TCP: 3.0s
Verbose: False
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Resolving 12 domains...
Scanning 1 IPs...
Finding vhosts (active IPs: 1, vhost candidates: 7)...
Saved results (4 vhosts)
Output file contains discovered virtual hosts in the following format
165.22.264.81 80 http False zxcv.example.com 301
165.22.264.81 443 https False zxcv.example.com 200 dev.example.com 200 admin.example.com 401
Each line contains the following information:
Logs
Responses of the discovered virtual hosts can be logged (-l, –logs-dir option).
How it works?
To discover virtual hosts, the following steps are performed:
Virtual Host Candidates Validation
Virtual host candidates validation is performed as follow:
Please notice that response status code is not taken into consideration. The main assumption is that everything other than reference response is worth to analyse in details. Even 4xx and 5xx responses.
SNI
For the HTTPS protocol, it may be useful to send virtual host candidate name via Host header and SNI (TLS extension). This may allow to go through poorly configured SNI proxy. Use –enable-sni option to enable SNI mode.
Optimization
For the large networks with thousands subdomains, it may take many hours to check all virtual host candidates. The following options can be used to speed up the process:
Additionally, it is recommended to use -v (verbosity) option to see the results continuously.
The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…
Introduction In digital investigations, images often hold more information than meets the eye. With the…
The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…
What is a Port? A port in networking acts like a gateway that directs data…
The ls command is fundamental for anyone working with Linux. It’s used to display the files and…
The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…