Faster virtual host and subdomain search without DNS records with GoVHost.

WILD

1. How to Speed Up Virtual Host Scanning (VHostScan)
VHostScan is a utility often used to detect virtual hosts. It has proven itself to be an effective tool, as detailed in the article "Finding Web Server Virtual Hosts."
However, in practice VHostScan is slow: scanning even several dozen virtual hosts on a single server takes a significant amount of time. Furthermore, the utility does not support multithreading, so it cannot be accelerated by standard means (that is, without wrapping it in Interlace or Parallel).
(See also: "How to Speed Up Scanning Large Numbers of Websites. Part 1: Interlace for Multithreaded Web Application Scanning")
There is often a need to scan a large number of virtual hosts or subdomains that do not have DNS records. This has led to the search for and development of a tool that can very quickly determine which virtual hosts are active on a specific server.
Examples of "subdomains without DNS records" familiar to those training at HackTheBox:

pma.planning.htb
grafana.planning.htb
blog.planning.htb
shop.planning.htb

Such domains and subdomains with non-standard domain extensions (TLDs) are also found in real corporate networks. They operate thanks to corporate DNS servers, which can resolve any names, including those with non-existent TLDs or none at all. (Corporate DNS servers are widespread because, for example, Active Directory cannot function without them.)
Therefore, finding virtual hosts, including subdomains without DNS records, is a relevant practical task.
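The mechanism behind "subdomains without DNS records" is that a web server picks the site to serve from the HTTP Host header, so a client that already knows the IP address never needs a DNS lookup for the name. The following is an added example (not code from the original post or from GoVHost): a small loopback HTTP server with a constructed vhost table, plus a client that connects to the IP and sends only the Host header. All host names, status codes and the default-site behaviour here are constructed for the demo; it only shows why a name such as grafana.planning.htb can be reachable with no DNS record at all.

```python
"""Demo of Host-header-based virtual hosting on the loopback interface.
Added example; not part of GoVHost.  The vhost table, status codes and
redirect target below are constructed for illustration."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed vhost table: name -> (status, body) the server answers with.
VHOSTS = {
    "grafana.planning.htb": (200, b"grafana login page"),
    "shop.planning.htb": (302, b""),        # this site redirects
}
DEFAULT_SITE = (404, b"default site")       # answer for any unknown Host value


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Host may carry a :port suffix; names are case-insensitive like DNS.
        host = self.headers.get("Host", "").split(":")[0].lower()
        status, body = VHOSTS.get(host, DEFAULT_SITE)
        self.send_response(status)
        if status == 302:
            self.send_header("Location", "http://shop.planning.htb/login")  # constructed
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_server():
    """Start the demo server on a free loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_vhost(port, name):
    """Connect to the IP (loopback here) and send `name` only in the Host
    header; no DNS resolution of `name` takes place.  Returns the status."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": name})
    status = conn.getresponse().status
    conn.close()
    return status


def check_candidates(port, names):
    """Return {name: status} for names answered differently from the default
    site; a constant default answer is what makes unknown names stand out."""
    baseline = probe_vhost(port, "does-not-exist.invalid")
    found = {}
    for name in names:
        status = probe_vhost(port, name)
        if status != baseline:
            found[name] = status
    return found


if __name__ == "__main__":
    srv, port = start_demo_server()
    try:
        print(check_candidates(port, ["pma.planning.htb", "grafana.planning.htb",
                                      "shop.planning.htb"]))
    finally:
        srv.shutdown()
        srv.server_close()
```

The same request with the real tool is simply `curl --header 'Host: NAME' IP`, as the post shows later; the point of the demo is the server side, where the name is looked up in the vhost table and nothing else, so a corporate DNS server (or no DNS at all) is irrelevant to whether the site answers.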
2. GoVHost Usage Guide
This guide covers the GoVHost program. This utility is not included in standard distributions for pentesters; I found it on GitHub. GoVHost is open source and can be studied (the program is very compact).
Installation instructions and a full list of options are available on the program page: https://kali.tools/?p=7444. (I won't duplicate this information on HackWare.ru, as it changes frequently and I have to update it in several places, including my English-language resources. So, please refer to the program page at the link provided.)
GoVHost requires a dictionary. You can use any suitable dictionary, such as those supplied with the Amass utility.
The program has two required options:

-domains DICTIONARY: Specify a file containing a list of hostnames.
-ip IP_ADDRESS: Specify the IP address of the server on which to search for virtual hosts.

An example command for scanning virtual hosts from the domains.txt file on a server with IP address 192.168.1.100:
govhost -ip 192.168.1.100 -domains domains.txt
By default, scanning is performed in 5 threads, and a timeout is set for HTTP connections. The following command raises the thread count to 100, sets the timeout to 5, and reports only hosts that answer with HTTP status 200 or 302:
govhost -domains domains.txt -ip 192.168.1.100 -threads 100 -timeout 5 -match "200,302"
3. How to Search for Subdomains Without DNS Records (HackTheBox Subdomains)
But what if you need to find subdomains, for example, for the site planning.htb (or any other site with a non-existent top-level domain)?

There are many good, effective, and fast tools for searching subdomains (including those without brute-forcing), for example:

Searching for subdomains and building network structure graphs with Amass
Searching for subdomains without brute-forcing
The fastest subdomain search and monitoring for new subdomains (works on Windows too!)

However, in the case of non-existent top-level domains, subdomains need to be searched as virtual hosts (of course, subdomains are also virtual hosts—I think you understand the difference). So, we'll use the GoVHost utility.

But we need a dictionary. I'll use /usr/share/amass/wordlists/all.txt as the basis for the dictionary (as you can guess from the file path, I got this file when installing Amass). The following command will append the string ".DOMAIN" to each line in the file all.txt, and the new lines will be saved to the file NEW.txt.
sed -e 's/$/.DOMAIN/' /usr/share/amass/wordlists/all.txt > NEW.txt
Actual command:

sed -e 's/$/.planning.htb/' /usr/share/amass/wordlists/all.txt > planning.htb.txt
Let's check what I got: the file contains a very large list of subdomains for the domain name planning.htb, over 420,000 entries. Let's check whether GoVHost can handle this number of virtual hosts and how long it takes:

So, one virtual host, grafana.planning.htb, was found, as indicated by the following line:

http://grafana.planning.htb (IP: 10.10.11.68) - Status: 200
Note: cURL returns HTTP/1.1 302 Found for this host:

curl -v --header 'Host: grafana.planning.htb' 10.10.11.68
Anyway, the host was found, which is great.

See also: Linux Command Line Basics (Part 4)

The following command will show how long it takes to scan 420,000 virtual hosts if the scan is performed in 1000 threads:

time govhost -domains planning.htb.txt -ip 10.10.11.68 -threads 1000 -timeout 5 -match "200,302"
As you can see, the virtual host was found again, and it took only 4.5 minutes! In my opinion, this is a simply amazing result.
Bottom Line: During testing, GoVHost proved itself to be a high-performance utility for lightning-fast virtual host searches. It's worth noting that 1,000 threads may be excessive, especially with limited internet bandwidth. In my experiments, despite occasional connection failures with the target website (likely caused by network or web server overload), GoVHost successfully identified virtual hosts every time. If you experience any difficulties, it's recommended to review the settings.