Create file with hostnames from website with cewl, then scan the webserver for vhosts with Metasploit vhost_scanner to find hidden virtual hosts on webserver. #infosec #hacking #pentest #pentesting #redteam #hackthebox #ctf #linux4hackers

We start to collect possible hostnames from websites with Cewl

cewl -w cewl.txt

You can also use some other switches like

-d = deph to look on the website for words

-m = minimum wordlengh

-w = outputfiel

So that the final command can look like this:

cewl -d 5 -w cewl.txt

When I tried this on a web page the difference between -d 1 and -d 2 is almost 1 minute.

-d 1:

time cewl -d 1 -w cewl.txt 
real 0m52,795s
user 0m2,681s
sys 0m1,586s

-d 2:

time cewl -d 2 -w cewl.txt
real 1m47,757s
user 0m16,250s
sys 0m0,160s

Then we want to create 1 file with only hostname i a-z

cat cewl.txt | sort > sortcewl.txt

Then we want to create 1 file with hostname and domain name

cat cewl.txt | sort > sortcewldomain.txt
sed -i 's/$/' sortcewldomain.txt

Now we have 2 files that we can use in different tools. Google vhostscan!

In this case we use Metasploit!

Start Metsaploit:

msfdb start

Use vhost scanner:

use auxiliary/scanner/http/vhost_scanner
set SUBDOM_LIST sortcewl.txt
set RPORT 80

The result:

[*] [] Sending request with random domain 
[*] [] Sending request with random domain
[+] [] Vhost found 
[*] Scanned 1 of 1 hosts (100% complete)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.