codingo / Vhostscan

Licence: gpl-3.0
A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, work around wildcards, aliases and dynamic default pages.

VHostScan

A virtual host scanner that can be used with pivot tools, detects catch-all scenarios, and handles aliases and dynamic default pages. First presented at SecTalks BNE in September 2017 (slide deck).

(Badges: build status, Python 3.2 | 3.6, PEP8, licence, Twitter)

Key Benefits

  • Quickly highlight unique content in catch-all scenarios
  • Locate the outliers in catch-all scenarios where the default page carries dynamic content (such as the time)
  • Identify aliases by tweaking the unique depth of matches
  • Wordlist supports plain words and a %s placeholder for the base hostname (e.g. dev.%s in the wordlist is run as dev.BASE_HOST)
  • Works over HTTP and HTTPS
  • Ability to set the real port of the web server to use in the Host header when pivoting through ssh/nc
  • Adds simple request headers to bypass some WAF products
  • Identifies new targets by reverse lookups and appends them to the wordlist

Product Comparisons

(Image: VHOSTScan feature map comparing VHostScan with similar tools)

Install Requirements

Install using:

$ python3 setup.py install

Dependencies will then be installed and VHostScan added to your path. If python3 setup.py build_ext fails, reinstall numpy with pip uninstall numpy followed by pip install numpy==1.12.0; numpy sometimes installs incorrectly when pulled in through setup.py, and this resolves it.

Usage

Argument Description
-h, --help Display help message and exit.
-t TARGET_HOSTS Set the target host.
-b BASE_HOST Set the host used for %s substitution in the wordlist (defaults to TARGET).
-w WORDLISTS Set the wordlist(s) to use. Multiple wordlists may be given comma-delimited (e.g. -w "./wordlists/simple.txt, ./wordlists/hackthebox.txt"; default ./wordlists/virtual-host-scanning.txt).
-p PORT Set the port to connect to (default 80).
-r REAL_PORT The real port of the web server, used in the Host header when it is not 80 (see RFC 2616 section 14.23); useful when pivoting through ssh/nc etc. (defaults to PORT).
--ignore-http-codes IGNORE_HTTP_CODES Comma-separated list of HTTP status codes to ignore in virtual host scans (default 404).
--ignore-content-length IGNORE_CONTENT_LENGTH Ignore responses whose content length equals the specified amount.
--prefix PREFIX Add a prefix to each item in the wordlist, e.g. dev-<word>, test-<word>.
--suffix SUFFIX Add a suffix to each item in the wordlist, e.g. <word>dev, <word>test.
--first-hit Return the first successful result. Only use where you are sure no catch-all is configured (such as a CTF).
--unique-depth UNIQUE_DEPTH Show likely matches whose page content is found x times (default 1).
--ssl If set, connections are made over HTTPS instead of HTTP.
--fuzzy-logic If set, all unique content replies are compared pairwise and a similarity ratio is given for each pair. This helps isolate vhosts where the default page isn't static (such as having the time on it).
--no-lookups Disable reverse lookups (on by default; they identify new targets and append them to the wordlist).
--rate-limit Amount of time in seconds to delay between each request (default 0).
--random-agent If set, each request uses a random user agent from a predefined list.
--user-agent Specify a user agent to use for scans.
--waf If set, simple WAF bypass headers are sent.
-oN OUTPUT_NORMAL Write normal output to the given file.
-oG OUTPUT_GREPABLE Write grepable output to the given file.
-oJ OUTPUT_JSON Write JSON output to the given file.
-v VERBOSE Increase the output of the tool to show progress.

Usage Examples

Note that a number of these examples reference 10.10.10.29. This IP refers to BANK.HTB, a retired target machine from HackTheBox (https://www.hackthebox.eu/).

Quick Example

The most straightforward example runs the default wordlist against example.com using the default of port 80:

$ VHostScan -t example.com

Quick Example with SSL

If your connection requires SSL, you can use:

$ VHostScan -t example.com --ssl

(Image: VHOSTScan wordlist example output)

Port forwarding

Say you have an SSH port forward listening on port 4444 that forwards traffic to port 80 on example.com's development machine. You could use the following to make VHostScan connect through your SSH tunnel via localhost:4444 while formatting the Host header as if it were connecting straight to port 80:

$ VHostScan -t localhost -b example.com -p 4444 -r 80

STDIN

VHostScan supports piping from other applications and treats anything passed on stdin as wordlist data, for example:

$ cat bank.htb | VHostScan -t 10.10.10.29

(Image: VHOSTScan STDIN example output)

STDIN and WordList

You can still specify a wordlist to use along with stdin. In these cases wordlist information will be appended to stdin. For example:

$ echo -e 'a.example.com\nb.example.com' | VHostScan -t localhost -w ./wordlists/wordlist.txt
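The README describes how candidates are built (the %s placeholder, --prefix/--suffix, stdin lines followed by a file wordlist) and how the Host header is formatted when pivoting (-p is where the TCP connection goes, -r is what the Host header claims). The following is an added example, not VHostScan's own code, that implements those rules end to end so the effect of each flag can be seen on a constructed wordlist. The function names, the ordering "decorate the word, then substitute %s", and the specific WAF-bypass header names are assumptions of this example, not documented behaviour of the tool.

```python
"""Added example, not VHostScan's own code: build candidate Host values and the
raw HTTP/1.1 request a virtual-host scan sends, following the README's
semantics for %s substitution, --prefix/--suffix, -p/-r and stdin merging.
Function names, the "decorate then substitute" ordering and the WAF-bypass
header names are assumptions of this example."""
import socket
from typing import Iterable, List


def expand_wordlist(words: Iterable[str], base_host: str,
                    prefix: str = "", suffix: str = "") -> List[str]:
    """Expand wordlist entries into candidate virtual hostnames.

    Entries containing "%s" are templates: "dev.%s" becomes "dev.<base_host>".
    --prefix/--suffix decorate the entry first (dev-<word>, <word>dev); blank
    lines and comments are skipped; order is kept and duplicates dropped, so
    stdin lines followed by file lines match "wordlist appended to stdin".
    """
    seen = set()
    candidates = []
    for raw in words:
        word = raw.strip()
        if not word or word.startswith("#"):
            continue
        decorated = f"{prefix}{word}{suffix}"          # assumption: decorate before %s
        candidate = decorated.replace("%s", base_host).lower()
        if candidate not in seen:
            seen.add(candidate)
            candidates.append(candidate)
    return candidates


def host_header(vhost: str, real_port: int, ssl: bool = False) -> str:
    """Host header value (RFC 2616 14.23): the port is omitted when it is the
    scheme default and appended otherwise. This is what -r buys you when
    pivoting: connect to localhost:4444, but send the Host that the real
    server on port 80 expects."""
    default = 443 if ssl else 80
    return vhost if real_port == default else f"{vhost}:{real_port}"


def build_request(vhost: str, real_port: int, ssl: bool = False, path: str = "/",
                  user_agent: str = "Mozilla/5.0 (compatible; vhost-scan)",
                  waf_bypass: bool = False) -> bytes:
    """Raw request for one candidate. The TCP connection goes to TARGET:PORT
    (not shown); only the Host header carries the vhost and the real port."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host_header(vhost, real_port, ssl)}",
        f"User-Agent: {user_agent}",
        "Accept: */*",
        "Connection: close",
    ]
    if waf_bypass:
        # Assumed "simple WAF bypass headers": claim an internal source address.
        for name in ("X-Forwarded-For", "X-Originating-IP", "X-Remote-IP", "X-Remote-Addr"):
            lines.append(f"{name}: 127.0.0.1")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def reverse_lookup_names(ip: str) -> List[str]:
    """Reverse lookup used to grow the wordlist (what --no-lookups switches
    off). Returns the PTR name plus aliases, or [] when nothing resolves."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name] + list(aliases)


if __name__ == "__main__":
    # Constructed stand-in for:
    #   echo -e 'a.example.com\nb.example.com' | VHostScan -t localhost -b example.com -p 4444 -r 80 -w words.txt
    stdin_lines = ["a.example.com", "b.example.com"]
    file_lines = ["dev.%s", "admin", "# comment", "%s", "a.example.com"]
    extra = reverse_lookup_names("127.0.0.1")  # usually ["localhost", ...] from /etc/hosts
    for vhost in expand_wordlist(stdin_lines + file_lines + extra, "example.com"):
        print(build_request(vhost, real_port=80).decode().split("\r\n")[1])
```

Note that with -p 4444 -r 80 the Host header carries no port at all, because 80 is the HTTP default; with -r 8080 it would read Host: dev.example.com:8080. Getting this wrong is a common reason a pivoted scan sees the default page for every candidate.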

Fuzzy Logic

Here is an example with fuzzy logic enabled. In the output, the last comparison is much more similar than the first two (it compares the page content, not the hashes):

(Image: VHOSTScan fuzzy logic example output)
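The Key Benefits list and the Fuzzy Logic section describe the classification side of the scan: hash each response body, treat the body that comes back for most candidates as the catch-all page, surface content seen at most --unique-depth times, and use a similarity ratio when the default page is not static. The following is an added example, not VHostScan's own code, that runs those steps over a constructed batch of responses; it also goes one step beyond the README by using the fuzzy ratio against the catch-all body to discard a "unique" response that is just the default page with a different timestamp. The response bodies, the function names and the 0.9 threshold are this example's own assumptions.

```python
"""Added example, not VHostScan's own code: the classification step of a
virtual-host scan, mirroring --ignore-http-codes, --ignore-content-length,
--unique-depth and --fuzzy-logic over constructed responses."""
import hashlib
from collections import Counter
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Response:
    vhost: str
    status: int
    body: str

    @property
    def content_length(self) -> int:
        return len(self.body.encode())

    @property
    def digest(self) -> str:
        # A hash of the body is what a plain (non-fuzzy) scan compares.
        return hashlib.sha256(self.body.encode()).hexdigest()[:12]


def filter_responses(responses: Iterable[Response], ignore_codes: Sequence[int] = (404,),
                     ignore_lengths: Sequence[int] = ()) -> List[Response]:
    """--ignore-http-codes / --ignore-content-length."""
    return [r for r in responses
            if r.status not in ignore_codes and r.content_length not in ignore_lengths]


def catch_all_digest(responses: Sequence[Response]) -> Optional[str]:
    """Digest of the most common body when more than one candidate returns it:
    the likely default page of a catch-all configuration."""
    counts = Counter(r.digest for r in responses)
    if not counts:
        return None
    digest, n = counts.most_common(1)[0]
    return digest if n > 1 else None


def unique_content(responses: Sequence[Response], unique_depth: int = 1) -> List[Response]:
    """--unique-depth: keep responses whose body hash occurs at most
    unique_depth times. Depth 1 hides the catch-all page and shows outliers;
    depth 2 also shows pairs of vhosts serving identical content (aliases)."""
    counts = Counter(r.digest for r in responses)
    return [r for r in responses if counts[r.digest] <= unique_depth]


def fuzzy_pairs(responses: Sequence[Response]) -> List[Tuple[str, str, float]]:
    """--fuzzy-logic: similarity ratio for every pair of bodies, comparing
    content rather than hashes, so a default page that differs only by a
    timestamp scores close to 1.0."""
    pairs = []
    for i, a in enumerate(responses):
        for b in responses[i + 1:]:
            ratio = SequenceMatcher(None, a.body, b.body).ratio()
            pairs.append((a.vhost, b.vhost, round(ratio, 3)))
    return pairs


def drop_dynamic_default(unique: Sequence[Response], default_body: str,
                         threshold: float = 0.9) -> List[Response]:
    """Beyond the README: discard 'unique' responses whose body is at least
    threshold similar to the catch-all page (assumed cut-off of 0.9)."""
    return [r for r in unique
            if SequenceMatcher(None, r.body, default_body).ratio() < threshold]


DEFAULT_PAGE = "<html><body><h1>Welcome</h1><p>Generated at {t}</p></body></html>"
# Constructed responses: a catch-all default page with a clock on it, one real
# vhost, one 404 and one JSON API vhost.
SAMPLE = [
    Response("a.example.com", 200, DEFAULT_PAGE.format(t="10:00:01")),
    Response("b.example.com", 200, DEFAULT_PAGE.format(t="10:00:01")),
    Response("c.example.com", 200, DEFAULT_PAGE.format(t="10:00:02")),  # clock ticked
    Response("dev.example.com", 200, "<html><body><h1>Dev portal</h1><form>login</form></body></html>"),
    Response("old.example.com", 404, "not found"),
    Response("api.example.com", 200, '{"status":"ok"}'),
]


def scan_summary(responses: Sequence[Response] = SAMPLE, unique_depth: int = 1) -> dict:
    live = filter_responses(responses)
    default = catch_all_digest(live)
    unique = unique_content(live, unique_depth)
    default_body = next(r.body for r in live if r.digest == default) if default else ""
    real = drop_dynamic_default(unique, default_body) if default else list(unique)
    return {
        "catch_all": default,
        "unique": [r.vhost for r in unique],
        "fuzzy": fuzzy_pairs(unique),
        "real": [r.vhost for r in real],
    }


if __name__ == "__main__":
    for key, value in scan_summary().items():
        print(f"{key}: {value}")
```

With depth 1, c.example.com shows up as "unique" only because the clock on the default page ticked between requests; the fuzzy ratio against the catch-all body (about 0.99) exposes it, leaving dev.example.com and api.example.com as the real finds. Raising the depth to 2 brings a.example.com and b.example.com back, which is how --unique-depth helps spot aliases.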

Running the tests

This project includes a small battery of tests. It's really simple to run the tests:

pip install -r test-requirements.txt
pytest

Or you can optionally run:

pip install -r test-requirements.txt
python3 setup.py test

If you're thinking of adding a new feature to the project, consider also contributing with a couple of tests. A well-tested codebase is a sane codebase. :)
