About this tool

This tool attempts to discover virtual hosts that are configured on a given IP address.

A single web server can be configured to run multiple websites at once, under different domain names. These are the virtual hosts (or vhosts) and they are usually found in shared hosting environments.

Example:

• www.company1.com -> 109.11.231.5
• test.company2.com   -> 109.11.231.5
• sales.company3.com -> 109.11.231.5

As a penetration tester, finding all the vhosts that run on a web server (based on its IP address) is important because each website may contain vulnerabilities that affect the same server. Furthermore, if one website is compromised, there is a high chance that the attacker gains unauthorized access to the other websites also that are running on the same server. Hence, testing all the vhosts is necessary for a complete coverage of the penetration test.

Parameters

• IP address or hostname: This identifies the server on which you search for virtual hosts. If a hostname is given, DNS resolution will be attempted first in order to find its IP address.
• DNS enumeration: This option is enabled by default. The tool will attempt to do DNS enumeration as an additional method of finding virtual hosts. DNS enumeration will be done for each domain name previously discovered in order to find subdomains that point to the same IP address.

How it works

There are multiple discovery techniques which are implemented by this tool like: searching in public search engines, DNS resolutions, web redirects, getting information from ssl certificates and others.