Skip to content

Virtual Hosts

  • Once the DNS directs traffic to the correct server, the web server configuration determines how the incoming requests are handled.
    • EG of web servers: Apache, Nginx, IIS
  • These web servers host multiple websites or apps on a single server
  • This is done through virtual hosting - VHosts
    • Web servers distinguish between multiple websites or apps sharing the same IP address using the Host HTTP header

  • Subdomains: DNS-level concept; separate domains under the same parent.

  • Vhosts: Web server-level concept; differentiates sites served from one server.
  • The /etc/hosts file allows you to bypass the DNS config
  • There will be domains that are available only internally in a system.
  • VHost fuzzing is a technique to discover public and non-public subdomains and VHosts by testing various hostnames against a known IP address.

Types of VHosting:

  1. Name Based - Host HTTP header
  2. IP based - Client sends the IP in the destination field (replaced by Name Based)\
  3. Port Based - Send port number in the request URL.

Commands:

  • tools will probe the target server to uncover potential vhosts.
  • gobuster , feroxbuster. ffuf

GoBuster:

  • gobuster vhost -u http://<target_IP_address>:<port> -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
    • -t <number> - Use number of threads
    • -k - Ignore SSL/TLS certificate errors
    • -o - Save the output
  • ffuf -u 'http://ghost.htb' -H 'Host: FUZZ.ghost.htb' -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fs 7676
  • gobuster dns -r 10.10.11.14 -d ghost.htb -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt