VHostScan
by codingo
VHostScan is an advanced virtual host scanner designed to discover and analyze web server configurations, including catch-all scenarios, wildcards, and aliases.
A virtual host scanner that performs reverse lookups, can be used with pivot tools, detects catch-all scenarios, and works around wildcards, aliases and dynamic default pages.
Primary Use Case
This tool is invaluable for penetration testers and security researchers who need to identify all virtual hosts hosted on a single IP address. It helps uncover hidden or misconfigured subdomains by intelligently testing potential hostnames against a target, aiding in the discovery of new attack surfaces.
- Detects catch-all scenarios and outliers with dynamic content
- Identifies aliases by adjusting unique match depth
- Supports wordlists with variable substitution for base hostnames
- Scans over both HTTP and HTTPS
- Allows setting the real webserver port for headers when pivoting
- Can add simple response headers to bypass some WAFs
- Utilizes reverse lookups to identify new targets and append to wordlists
- Modernized codebase with Python 3.8+ and type hints
Installation
- Clone the repository: `git clone https://github.com/codingo/VHostScan.git`
- Navigate to the directory: `cd VHostScan`
- Install using pip: `pip install VHostScan`
- Or install from source: `pip install .`
- For development, install in editable mode: `pip install -e .`
- Install on Docker: `docker build -t vhostscan .`
Usage
- `docker run --rm -it vhostscan -t`: Run VHostScan using Docker against a target.
- `vhostscan -t TARGET_HOSTS`: Scan the specified target host(s).
- `vhostscan -b BASE_HOST`: Set the base host for wordlist substitution.
- `vhostscan -w WORDLISTS`: Specify one or more wordlists (comma-delimited).
- `vhostscan -p PORT`: Set the port to scan (default 80).
- `vhostscan -r REAL_PORT`: Set the real webserver port for headers.
- `vhostscan --ignore-http-codes IGNORE_HTTP_CODES`: Specify HTTP status codes to ignore.
- `vhostscan --ignore-content-length IGNORE_CONTENT_LENGTH`: Ignore content lengths of a specific amount.
- Integrate VHostScan with pivoting tools (e.g., SSH tunnels, netcat) to enhance lateral movement simulation during red team exercises.
- Use the tool's catch-all detection and alias identification features to uncover hidden or shadow IT assets during blue team threat hunting.
- Automate virtual host enumeration as part of continuous vulnerability scanning in CI/CD pipelines to detect misconfigurations early.
- Leverage custom response headers to bypass WAFs and simulate advanced adversary evasion techniques for purple team training.
- Combine reverse DNS lookups with dynamic wordlists to expand target discovery and improve reconnaissance coverage.
Related Tools
caddy
caddyserver/caddy
Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
nginx
nginx/nginx
The official NGINX Open Source repository.
nginxconfig.io
digitalocean/nginxconfig.io
⚙️ NGINX config generator on steroids 💉
SafeLine
chaitin/SafeLine
SafeLine is a self-hosted WAF(Web Application Firewall) / reverse proxy to protect your web apps from attacks and exploits.
DOMPurify
cure53/DOMPurify
DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
anubis
TecharoHQ/anubis
Weighs the soul of incoming HTTP requests to stop AI crawlers
