Virtual-host discovery for pentest and bug bounty
Project description
VHostCross
Virtual-host discovery tool for pentest and bug bounty.
How It Works
Main question: If I replay known subdomains as 'Host' headers on known target IPs, can I discover anything new?
- You give a list of subdomains.
- The tool gets target IPs (from those domains, or from
--ips). - Then it sends each subdomain as
Hostto each target IP. - Some magic: baseline checks + wildcard filtering.
- Any clearly unusual or different response is treated as a candidate hit.
Example:
input
vhostcross --domains subdomains.txt
output
...
...
...
[HIT] status=200 target=https://178.248.236.149:443 host=cyberbones.standoff365.com
[HIT] status=404 target=https://178.248.236.149:443 host=hackbase.standoff365.com
[HIT] status=404 target=https://178.248.236.149:443 host=jsonformer.standoff365.com
...
...
...
STATUS TARGET DOMAIN DIFF LENGTH DIFF FINGERPRINT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
200 https://178.248.236.149:443 cyberbones.standoff365.com ✓ ✓
200 https://178.248.236.149:443 www.cyberbones.standoff365.com ✓ ✓
301 http://178.248.232.45:80 meet.standoff365.com -> https://standoff365.com/ ✓ ✓
301 http://178.248.236.149:80 archive.standoff365.com -> http://standoff365.com:80/ ✓ ✓
301 https://178.248.236.149:443 archive.standoff365.com -> https://standoff365.com/ ✓ ✓
403 https://178.248.236.149:443 nad.standoff365.com ✓ ✓
403 https://178.248.236.149:443 www.startbugbounty.standoff365.com ✓ ✓
404 http://213.180.193.247:80 365-vpn.standoff365.com - ✓
404 http://213.180.193.247:80 cfp.standoff365.com - ✓
...
...
...
validate
curl -k -i -s "https://cyberbones.standoff365.com" | wc -c
420
curl -k -i -s "https://178.248.236.149:443" -H "Host: cyberbones.standoff365.com" | wc -c
287329
The response sizes are very different, which confirms that the discovered virtual host behaves differently.
Installation
pip3 install vhostcross
or
python -m pip install vhostcross
Usage
vhostcross --domains subdomains.txt
vhostcross --domains domain.txt --ips ips_or_ips_with_specific_ports.txt
vhostcross --domains domain.txt --connect-timeout 0.5 --read-timeout 3.0
Key Options
--domains(required)--ips(optional; supportsIP,IP:port,http://IP:port,https://IP:port)--connect-timeout(default0.5)--read-timeout(default3.0)--threads(default5)--compare-mode=length | fingerprint | both(defaultboth)--debug-reasons--output(JSON, default~/.vhostcross/result.json)
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file vhostcross-0.1.1.tar.gz.
File metadata
- Download URL: vhostcross-0.1.1.tar.gz
- Upload date:
- Size: 10.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
27f9f0cce78f9696e721a2d7174dd691b9b8192fe6c878a195b0bb4f3847c5c0
|
|
| MD5 |
0ac9c94e8b526093ff17f226d4ec50da
|
|
| BLAKE2b-256 |
3923b145c6242948d63cb3bd752a04451c6108d6b2a5c5edc95e58edbaaf5d33
|
File details
Details for the file vhostcross-0.1.1-py3-none-any.whl.
File metadata
- Download URL: vhostcross-0.1.1-py3-none-any.whl
- Upload date:
- Size: 13.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
dcca1e0dcbcbb4ec908a5929267a1ee737b3516f031ca5f9b4d44de7948205a4
|
|
| MD5 |
19243116710faaa723c3bf7f10b20a57
|
|
| BLAKE2b-256 |
d911cd588a2a4ce8b6df38917b74919267eb0ec68ff99cd075ac1bacd9012bc0
|