VHostScan: A virtual host scanner that can pivot, detect catch-all scenarios, and dynamic page data

edited September 2017 in Tools

Today we're releasing VHostScan: https://github.com/codingo/VHostScan

This is an enumeration tool designed to help you quickly find virtual hosts even in situations where a catch-all default page has been setup with dynamic pages (such as the time on the page). Very open to pull requests, feature ideas, bug reports, new wordlists, etc’ towards future releases. You can find me on twitter at https://twitter.com/codingo_

Key Benefits

  • Quickly highlight unique content in catch-all scenarios
  • Locate the outliers in catch-all scenarios where results have dynamic content on the page (such as the time)
  • Identify aliases by tweaking the unique depth of matches
  • Wordlist supports standard words and a variable to input a base hostname (for e.g. dev.%s from the wordlist would be run as dev.BASE_HOST)
  • Work over HTTP and HTTPS
  • Ability to set the real port of the webserver to use in headers when pivoting through ssh/nc
  • Add simple response headers to bypass some WAF products


  • Awesome job man, this will be super useful.


  • This has now been updated to do reverse lookups during a scan and add any findings to the wordlist.. Quite valuable for bug bounty hunting!

  • Good job!


  • If you're participating or would like to participate in HackToberfest and are looking for a project, I'm happy to mentor improvements on this. Feel free to ping me on twitter @codingo_

    I'm not longer on the chat since it moved to mattermost, but you can also find me on a variety of slack servers.

Sign In to comment.