We start by collecting possible hostnames from the target website with CeWL:
cewl http://10.10.10.1 -w cewl.txt
You can also use some other switches, like:
-d = depth to spider the website for words
-m = minimum word length
-w = output file
So that the final command can look like this:
cewl http://10.10.10.1 -d 5 -w cewl.txt
When I tried this on a web page, the difference between -d 1 and -d 2 was almost 1 minute.
-d 1:
time cewl -d 1 https://website.se -w cewl.txt
real 0m52,795s
user 0m2,681s
sys 0m1,586s
-d 2:
time cewl -d 2 https://website.se -w cewl.txt
real 1m47,757s
user 0m16,250s
sys 0m0,160s
Then we want to create one file with only the hostnames, sorted a-z:
cat cewl.txt | sort > sortcewl.txt
Then we want to create one file with hostname and domain name (the same sorted list, with the domain appended to every line):
cat cewl.txt | sort > sortcewldomain.txt
sed -i 's/$/.website.se/' sortcewldomain.txt
Now we have two files that we can use in different tools. Google VHostScan!
In this case we use Metasploit!
Start Metasploit:
msfdb start
msfconsole
Use vhost scanner:
use auxiliary/scanner/http/vhost_scanner
set RHOSTS 10.10.10.1
set SUBDOM_LIST sortcewl.txt
set DOMAIN website.se
set RPORT 80
run
The result:
[*] [10.10.10.1] Sending request with random domain ipRon.website.se
[*] [10.10.10.1] Sending request with random domain NZFEe.website.se
[+] [10.10.10.1] Vhost found hidden.website.se
[*] Scanned 1 of 1 hosts (100% complete)
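The same activity is visible from the server side: every probe arrives with a different Host header, first random ones and then the wordlist entries. As an added example (not code from the original post), the Python below reads nginx-style access log lines that have the Host header appended as the last quoted field (an assumed log format) and flags source IPs that request many hostnames outside the known vhost inventory, plus any hostname that was served even though it is not in the inventory. The log lines and the KNOWN_VHOSTS set are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in nginx "combined" format plus a trailing "$host"
# field (assumed log_format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0" "www.website.se"
198.51.100.7 - - [10/Oct/2023:12:00:02 +0000] "GET / HTTP/1.1" 404 153 "-" "curl/8.0" "ipRon.website.se"
198.51.100.7 - - [10/Oct/2023:12:00:02 +0000] "GET / HTTP/1.1" 404 153 "-" "curl/8.0" "NZFEe.website.se"
198.51.100.7 - - [10/Oct/2023:12:00:03 +0000] "GET / HTTP/1.1" 404 153 "-" "curl/8.0" "admin.website.se"
198.51.100.7 - - [10/Oct/2023:12:00:03 +0000] "GET / HTTP/1.1" 404 153 "-" "curl/8.0" "dev.website.se"
198.51.100.7 - - [10/Oct/2023:12:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.0" "hidden.website.se"
203.0.113.9 - - [10/Oct/2023:12:00:05 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0" "www.website.se"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)

# Hostnames this server is meant to answer for (constructed inventory).
KNOWN_VHOSTS = {"www.website.se", "website.se"}


def analyse(log_text, known=KNOWN_VHOSTS, threshold=3):
    """Return (scanners, unlisted).

    scanners: {ip: sorted unknown Host values} for IPs that asked for at
              least `threshold` distinct hostnames outside the inventory.
    unlisted: sorted hostnames outside the inventory that got a non-404
              answer, i.e. vhosts the server serves but nobody inventoried.
    """
    unknown_by_ip = defaultdict(set)
    unlisted = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        host = m["host"].lower()
        if host in known:
            continue
        unknown_by_ip[m["ip"]].add(host)
        if m["status"] != "404":
            unlisted.add(host)
    scanners = {ip: sorted(h) for ip, h in unknown_by_ip.items()
                if len(h) >= threshold}
    return scanners, sorted(unlisted)


if __name__ == "__main__":
    scanners, unlisted = analyse(SAMPLE_LOG)
    for ip, hosts in scanners.items():
        print(f"{ip} probed {len(hosts)} unknown vhosts: {', '.join(hosts)}")
    print("served but not in inventory:", unlisted)
```

The second list is the one worth acting on: a hostname answered with 200 that is missing from the inventory is exactly what the scanner reports as "Vhost found".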