vhost-brute

Virtual host detection tool.

Features

integrates with cdncheck to detect waf bypass
differentiates not-found responses per apex hostname.
- some servers return different not found responses for subdomains of specific apex domains
follows redirects on host, and filters redirect loops.
filters cross origin redirects.
option to filter virtual hosts with public dns records.
- uses retries to mitigate false positives from dns loadbalancing.
option to filter status codes.
request rate control.

Help Page

vhost-brute - v1.0.0

Usage: 
  ./vhost-brute [flags]

Flags:
GENERAL:
    -u, -url string            Target Url.
    -f, -file string           File containing hostnames to test. 
    -p, -proxy string          Proxy URL. For example: http://127.0.0.1:8080.
    -H, -header string[]       Add request header. 
    -r, -rps int               Requests per second.
    -oU, -only-unindexed       Only shows VHosts that dont have a public dns record.
    -fc, -filter-codes string  Filter status codes. (e.g. "429,503,504")
    -s, -silent                Suppress stderr output.


EXAMPLE:
    ./vhost-brute -u https://1.2.3.4 -f hostnames.txt

    ./vhost-brute -s --only-unindexed -u https://1.2.3.4 -f hostnames.txt

reewardius / vhost-brute

vhost-brute

About

Languages