A single web server can be configured to run multiple websites at once, under different domain names. These are virtual hosts (or vhosts), and they are common in shared hosting environments.
The host name discovery phase is an information gathering step whose goal is a complete and detailed view of the target's resources and attack surface. During an attack or a penetration test, the attacker needs to know as much as possible about the available entry points. An entry point is identified by an IP address, a service port, and some application-level information, such as the virtual host name in the case of a web server hosting several sites. As a penetration tester, finding all the vhosts that run on a web server (based on its IP address) is important because each website may contain vulnerabilities that affect the same server. Furthermore, if one website is compromised, there is a high chance that the attacker also gains unauthorized access to the other websites running on that server. Testing all the vhosts is therefore necessary for complete coverage of the penetration test.
So! Last night I was testing a Bug Bounty program. When I got to the vhost enumeration part, I used some basic tools and tried common vhost names manually to get a positive response.
There are many tools available to enumerate vhosts, but some of the best are as follows:
https://github.com/jobertabma/virtual-host-discovery (by Jobert Abma)
https://pentest-tools.com/information-gathering/find-virtual-hosts (Pentest-Tools)
https://nmap.org/nsedoc/scripts/http-vhosts.html (Nmap http-vhosts)
I was checking manually for common vhosts like app, beta, admin, webmail and localhost when I hit a positive response on the vhost “localhost”. It returned a “200 OK” response and, luckily, it had directory listing enabled 😉 so I got access to a juicy part of the website.
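The check described above, written from the operator's side as an added example (not code from the post or from the tools listed): it sends the same request with different Host headers, keeps only names whose answer differs from the baseline for a random, surely-unconfigured name, and flags auto-index pages. The in-process server, the host name www.example.test and the file names are constructed stand-ins so the script runs offline.

```python
"""Audit which Host header values a web server answers for (added example)."""
import http.client
import http.server
import threading
import uuid

# Constructed in-process server standing in for a shared host: it serves the
# production name, exposes a directory listing on "localhost" (the
# misconfiguration the post describes) and returns 404 for unknown vhosts.
class _VhostHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host == "www.example.test":
            body, code = b"<html>Welcome to the shop</html>", 200
        elif host == "localhost":
            body, code = b"<html><title>Index of /</title><a href='config.yml'>config.yml</a></html>", 200
        else:
            body, code = b"<html>No such site</html>", 404
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_demo_server():
    """Start the constructed server on a free port and return that port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _VhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def fetch(ip, port, host):
    """GET / from ip:port with an explicit Host header; return (status, body)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body

def probe_vhosts(ip, port, names):
    """Return the names whose (status, body length) differs from the response
    for a random Host that cannot be configured, plus a directory-listing flag."""
    base_status, base_body = fetch(ip, port, f"{uuid.uuid4().hex}.invalid")
    findings = {}
    for name in names:
        status, body = fetch(ip, port, name)
        if (status, len(body)) != (base_status, len(base_body)):
            findings[name] = {"status": status, "listing": b"Index of /" in body}
    return findings
```

Against a real server, point `probe_vhosts` at its IP and port with your own list of names; any name that appears in the result, other than the sites you intend to serve, is a default vhost worth a catch-all that returns an error for unknown Host values.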
Now I decided to hunt for some stuff so that I could report the issue to the company!
What data did I get from the localhost vhost?
Well, I was able to download files like .yml, .php, .xml, .json etc., and some of the data types I found in the files were
I reported the issue to the company. They resolved it after a little chat (because the subdomain I found it on was out of scope) and I got paid 😉
Also, here’s a common wordlist I use to enumerate vhosts 🙂