Find virtual hosts (vhosts) from IP addresses and hostnames

Related tags

Miscellaneousosintpython3penetration-testingipbug-bountyreconbugbountyvhostvhostsvirtual-hostshostnamesreconnaissancebugbounty-toolhostmapper
Overview

Features

Enumerate vhosts from a list of IP addresses and domain names.

Virtual Hosts are enumerated using the following process:

  • Supplied domains are resolved (all IPv4 and IPv6 addresses are added to scope)
  • All IP addresses are scanned for HTTP(S) services (using a default port list, see help)
  • Query external APIs (rapiddns) if enabled via --apis to find vhosts from IP or subdomains from domain
  • For all HTTP services, find vhosts using these techniques :
    • TLS certificate parsing (for hosts with TLS service running)
      • CertCN
      • AltNames
    • HTTP headers parsing (for detected HTTP services)
      • Location header
      • Access-Control-Allow-Origin header
      • Content-Security-Policy header
    • JavaScript redirect (*.location=) when contains absolute URL
  • The whole process is repeated N times (--recursion-depth, default 2) on newfound IP addresses and hostnames. Increasing recursion depth will enumerate more hosts but may go out of scope.

Install

pip3 install -r requirements.txt

Quick usage

targets.txt contains a newline-separated list of hostnames, ip addresses and CIDRS

$ cat targets.txt 
accounts.coinbase.com
api.coinbase.com
api.custody.coinbase.com
api.exchange.coinbase.com
api.pro.coinbase.com
api-public.sandbox.pro.coinbase.com
api.wallet.coinbase.com
app.analytics.coinbase.com
assethub-api.coinbase.com
assets.coinbase.com
assets-test.coinbase.com
beta.coinbase.com
billing-systems.coinbase.com
blockchain.wallet.coinbase.com
blog.coinbase.com
braintree-webhooks.coinbase.com
buy.coinbase.com
card.coinbase.com
cloud.coinbase.com
community.coinbase.com
...

Simple usage:

# ./vhostmap.py -t targets.txt 
################################################################################
# PASS 1
# IP to process: 0
# Hostnames to process: 70
################################################################################
[A] developer.coinbase.com 104.18.7.10
[A] developer.coinbase.com 104.18.6.10
[A] api.coinbase.com 104.18.7.10
[A] api.coinbase.com 104.18.6.10
[A] status.prime.coinbase.com 104.18.12.68
[A] status.prime.coinbase.com 104.18.13.68
[A] assethub-api.coinbase.com 104.18.7.10
[A] assethub-api.coinbase.com 104.18.6.10
[A] published-assets.coinbase.com 13.249.15.64
[A] published-assets.coinbase.com 13.249.15.5
[A] published-assets.coinbase.com 13.249.15.121

[...]

################################################################################
# PASS 2
# IP to process: 129
# Hostnames to process: 0
################################################################################
[HTTPService] 104.18.31.151 http://104.18.31.151:80
[HTTPService] 104.18.15.237 http://104.18.15.237:80
[HTTPService] 104.18.20.159 http://104.18.20.159:80
[HTTPService] 162.159.152.4 http://162.159.152.4:80
[CertCN] https://104.18.105.40:8443 billing-systems.coinbase.com
[CertAltName] https://104.18.105.40:8443 billing-systems.coinbase.com
[HTTPService] 104.18.105.40 https://104.18.105.40:443
[CertCN] https://104.18.105.40:443 billing-systems.coinbase.com
[CertAltName] https://104.18.105.40:443 billing-systems.coinbase.com
[HTTPService] 143.204.226.63 http://143.204.226.63:80
[HTTPService] 104.18.8.157 http://104.18.8.157:80
[HTTPService] 143.204.51.121 http://143.204.51.121:80
[HTTPService] 143.204.51.77 http://143.204.51.77:80
[HTTPService] 13.249.15.5 http://13.249.15.5:80

[...]

RESULTS
=========
104.18.6.10 assets-test.coinbase.com translations.coinbase.com sessions.coinbase.com assets.coinbase.com login.coinbase.com assethub-api.coinbase.com www42.coinbase.com graphql.coinbase.com widget.coinbase.com listing.coinbase.com api.coinbase.com braintree-webhooks.coinbase.com sourcemaps.coinbase.com developer.coinbase.com learn.coinbase.com support-dev.coinbase.com status.coinbase.com images.coinbase.com buy.coinbase.com events-service.coinbase.com www.coinbase.com support.coinbase.com cloud.coinbase.com jobs.coinbase.com taxforms.coinbase.com community.coinbase.com static.coinbase.com prime-brokerage.coinbase.com beta.coinbase.com ws.coinbase.com dev.coinbase.com pay.coinbase.com emails.coinbase.com
2606:4700::6812:60a assets-test.coinbase.com translations.coinbase.com sessions.coinbase.com assets.coinbase.com login.coinbase.com assethub-api.coinbase.com www42.coinbase.com graphql.coinbase.com widget.coinbase.com listing.coinbase.com api.coinbase.com braintree-webhooks.coinbase.com sourcemaps.coinbase.com developer.coinbase.com learn.coinbase.com support-dev.coinbase.com status.coinbase.com images.coinbase.com buy.coinbase.com events-service.coinbase.com www.coinbase.com support.coinbase.com cloud.coinbase.com jobs.coinbase.com taxforms.coinbase.com community.coinbase.com static.coinbase.com prime-brokerage.coinbase.com beta.coinbase.com ws.coinbase.com dev.coinbase.com pay.coinbase.com emails.coinbase.com
104.18.7.10 assets-test.coinbase.com translations.coinbase.com sessions.coinbase.com assets.coinbase.com login.coinbase.com assethub-api.coinbase.com www42.coinbase.com graphql.coinbase.com widget.coinbase.com listing.coinbase.com api.coinbase.com braintree-webhooks.coinbase.com sourcemaps.coinbase.com developer.coinbase.com learn.coinbase.com support-dev.coinbase.com status.coinbase.com images.coinbase.com buy.coinbase.com events-service.coinbase.com www.coinbase.com support.coinbase.com cloud.coinbase.com jobs.coinbase.com taxforms.coinbase.com community.coinbase.com static.coinbase.com prime-brokerage.coinbase.com beta.coinbase.com ws.coinbase.com dev.coinbase.com pay.coinbase.com emails.coinbase.com

[...]

Example 2 :

# ./vhostmap.py -t targets.txt -p large --apis -o out
  • --apis : Use external API to find subdomains and virtual hosts (rapiddns)
  • -p large : Search for web services on a larger port list
  • -o out : Store results in "out" folder

Output folder contains multiple result files:

  • all-hostnames.txt : final hostname list, one by line
  • all-ips.txt : final list of all IP address associated with one or more hostnames, one by line
  • all-urls.txt : all valid web services found, one by line
  • hosts.txt : /etc/hosts format file associating IP addresses with vhosts
  • log.txt : tool output
Owner
GitHub Repository
ESteg - A simple steganography program for python

ESteg A simple steganography program to embed the contents of a text file into a

Jithin Renji 1 Jan 02, 2022
Python library for creating PEG parsers

PyParsing -- A Python Parsing Module Introduction The pyparsing module is an alternative approach to creating and executing simple grammars, vs. the t

Pyparsing 1.7k Jan 03, 2023
The-White-Noise-Project - The project creates noise intentionally

The-White-Noise-Project High quality audio matters everywhere, even in noise. Be

Ali Hakim Taşkıran 1 Jan 02, 2022
dotfiles - Cristian Valero Abundio

In this repository you can find various configurations to configure your Linux operating system, preferably ArchLinux and its derivatives.

Cristian Valero Abundio 1 Jan 09, 2022
A minimal configuration for a dockerized kafka project.

Docker Kafka Quickstart A minimal configuration for a dockerized kafka project. Usage: Run this command to build kafka and zookeeper containers, and c

Nouamane Tazi 5 Jan 12, 2022
Small projects for python beginners.

Python Mini Projects For Beginners I recently started doing the #100DaysOfCode Challenge in Python. I've used Python before, but I had switched to JS

Sreekesh Iyer 10 Dec 12, 2022
Waydroid is a container-based approach to boot a full Android system on a regular GNU/Linux system like Ubuntu.

Waydroid is a container-based approach to boot a full Android system on a regular GNU/Linux system like Ubuntu.

WayDroid 4.7k Jan 08, 2023
Simple GUI menu for micropython using a rotary encoder and basic display.

Micropython encoder based menu This is a simple menu system written in micropython. It uses a switch, a rotary encoder and an OLED display.

80 Jan 07, 2023
Perform oocyst segmentation in mercurochrome stained mosquito midgut

Midgut_oocyst_segmentation Perform oocyst segmentation in mercurochrome stained mosquito midguts This oocyst segmentation model also powers the webtoo

Duo Peng 3 Oct 27, 2021
A hackerank problems, solution repository

This is a repository for all hackerank challenges kindly note this is for learning purposes and if you wish to contribute, dont hesitate all submision

Tyler Mwalo Kenneth's 1 Dec 20, 2021
Runtime fault injection platform by Daniele Rizzieri (2021)

GDBitflip [v1.04] Runtime fault injection platform by Daniele Rizzieri (2021) This platform executes N times a binary and during each execution it inj

Daniele Rizzieri 1 Dec 07, 2021
Addon for Blender 2.8+ that automatically creates NLA tracks for all animations. Useful for GLTF export.

PushDownAll An addon for Blender 2.8+ that runs Push Down on all animations, creating NLA tracks for each. This is useful if you have an object with m

Cory Petkovsek 16 Oct 06, 2022
Installer, package manager, build wrapper and version manager for Piccolo

Piccl Installer, package manager, build wrapper and version manager for Piccolo

1 Dec 19, 2021
Repls goes to sleep due to inactivity, but to keep it awake, simply host a webserver and ping it.

Repls goes to sleep due to inactivity, but to keep it awake, simply host a webserver and ping it. This repo will help you make a webserver with a bit of console controls.

2 Mar 01, 2022
An async API wrapper for Dress To Impress written in Python.

dti.py An async API wrapper for Dress To Impress written in Python. Some notes: For the time being, there are no front-facing docs for this beyond doc

Steve C 1 Dec 14, 2022
A QGIS integration plugin for Kart repositories

QGIS Kart Plugin A plugin to work with Kart repositories Installation The Kart plugin is available in the QGIS Plugins server. To install the latest v

Koordinates 27 Jan 04, 2023
Paxos in Python, tested with Jepsen

Python implementation of Multi-Paxos with a stable leader and reconfiguration, roughly following "Paxos Made Moderately Complex". Run python3 paxos/st

A. Jesse Jiryu Davis 25 Dec 15, 2022
NORETURN is an esoteric programming language, based around the idea of not going back

NORETURN NORETURN is an esoteric programming language, based around the idea of not going back Concept Program coded in noreturn runs over one array,

1 Dec 15, 2021
Open-source library for analyzing the results produced by ABINIT

Package Continuous Integration Documentation About AbiPy is a python library to analyze the results produced by Abinit, an open-source program for the

ABINIT 91 Dec 09, 2022
Example teacher bot for deployment to Chai app.

Create and share your own chatbot Here is the code for uploading the popular "Ms Harris (Teacher)" chatbot to the Chai app. You can tweak the config t

Chai 1 Jan 10, 2022