Introduction
In this lab, you will learn how to use Gobuster to perform a basic virtual host (vhost) scan. Virtual hosts are a common way for web servers to host multiple websites on a single IP address. Discovering these hidden vhosts can reveal additional attack surfaces or sensitive information during a penetration test or security assessment. Gobuster is a powerful tool for brute-forcing URIs, DNS subdomains, and virtual host names.
Understand What Virtual Hosts (VHosts) Are
In this step, you will learn about virtual hosts (vhosts) and why they are important in web security.
A virtual host allows a single server to host multiple domain names on the same IP address. For example, www.example.com and blog.example.com could both be hosted on the same server, distinguished by the Host header in the HTTP request. When a web browser sends a request to a server, it includes a Host header specifying the domain name it wants to access. The web server then uses this header to determine which website to serve.
Discovering these virtual hosts is crucial for security assessments because:
- Hidden Content: A vhost might host an old, unpatched application, a development version of a site, or an administrative interface that is not linked from the main website.
- Expanded Attack Surface: Each discovered vhost represents a potential new entry point for attacks, such as SQL injection, cross-site scripting (XSS), or directory traversal.
- Information Disclosure: Sometimes, vhosts can reveal internal network structures, sensitive files, or misconfigurations.
Tools like Gobuster can automate the process of trying common vhost names against a target to identify active ones.
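The Host-header routing described above, written out as a small Python model. This is an added illustration, not the lab's own server and not Gobuster code: the vhost table, the default-site fallback and the normalisation rules are assumptions chosen to mirror the lab's wordlist, and a real server (Apache, nginx) applies its own matching rules.

```python
"""Host-header dispatch, the way a name-based virtual-host server selects a site.

Added illustration (not the lab's server): a Host -> site table plus the
normalisation a server applies before the lookup.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table: Host name -> page body. The names mirror the lab's
# wordlist; the bodies are made up for this example.
VHOSTS = {
    "vhost1": "This is vhost1 content.\n",
    "vhost2": "This is vhost2 content.\n",
    "hidden_vhost": "This is the hidden vhost content.\n",
}
DEFAULT_VHOST = "vhost1"  # assumed: served when the Host header matches nothing


def normalize_host(host_header):
    """Reduce a raw Host header to the bare name used for the lookup.

    Strips whitespace, case and an optional :port suffix, so 'VHOST1:8080'
    and 'vhost1' select the same site. A bracketed IPv6 literal keeps its
    colons.
    """
    if host_header is None:
        return ""
    host = host_header.strip().lower()
    if host.startswith("["):               # [::1]:8080 -> [::1]
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def dispatch(host_header, vhosts=VHOSTS, default=DEFAULT_VHOST):
    """Return (status, selected_vhost, body) for a request carrying host_header.

    An unknown Host falls back to the default site, which is why a scanner
    cannot rely on the status code alone: the default answers 200 to every
    name, and only the body (or its size) tells the names apart. This model
    rejects a request with no Host header at all with 400.
    """
    if host_header is None:
        return 400, None, "Bad Request: Host header required\n"
    name = normalize_host(host_header)
    if name in vhosts:
        return 200, name, vhosts[name]
    return 200, default, vhosts[default]


class VHostHandler(BaseHTTPRequestHandler):
    """Minimal handler that routes purely on the Host header."""

    def do_GET(self):
        status, _, body = dispatch(self.headers.get("Host"))
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


if __name__ == "__main__":
    # Listens on the lab's address; try: curl -H "Host: hidden_vhost" http://127.0.0.1:8080
    HTTPServer(("127.0.0.1", 8080), VHostHandler).serve_forever()
```

The point to take from `dispatch` is the fallback branch: because an unrecognised name still gets a 200 from the default site, a vhost scanner has to compare response bodies or sizes against that default rather than trusting the status code.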
Select a Target IP Address or Domain
In this step, you will identify the target for your Gobuster vhost scan.
For this lab, we will use localhost as our target, specifically http://127.0.0.1:8080. We have set up a simple web server on port 8080 that simulates multiple virtual hosts. In a real-world scenario, you would replace 127.0.0.1:8080 with the actual IP address or domain name of your target.
To confirm the web server is running, you can use curl to make a request to it.
curl http://127.0.0.1:8080
You should see output similar to this, indicating the server is active:
This is vhost1 content.
This output is from the default vhost (or the first one served by the simple Python server). Our goal is to find other "hidden" vhosts.
Construct the Basic gobuster vhost Command
In this step, you will learn how to construct the basic gobuster command for a vhost scan.
The gobuster command for vhost scanning uses the vhost mode. The essential flags for a vhost scan are:
- -u: Specifies the target URL.
- -w: Specifies the wordlist to use for brute-forcing vhost names.
The basic syntax will be gobuster vhost -u <target_url> -w <wordlist_path>.
For our lab, the target URL is http://127.0.0.1:8080. We have also prepared a wordlist at /tmp/vhost_wordlist.txt that contains potential virtual host names.
Let's examine the content of the wordlist:
cat /tmp/vhost_wordlist.txt
You should see the following output:
vhost1
vhost2
hidden_vhost
test
dev
admin
This wordlist contains some common and some specific vhost names that we expect to find.
Execute the Scan with -u and -w Flags
In this step, you will execute the gobuster vhost scan using the target URL and the provided wordlist.
Now, combine the target URL and the wordlist path into the gobuster command.
gobuster vhost -u http://127.0.0.1:8080 -w /tmp/vhost_wordlist.txt
Press Enter to run the command. Gobuster will start iterating through the wordlist, sending requests with each word as a Host header, and reporting any discovered virtual hosts.
The output will show the progress and any successful findings. It might look similar to this:
===============================================================
Gobuster v3.6
by OJ (https://github.com/OJ/gobuster)
===============================================================
[+] Url: http://127.0.0.1:8080
[+] Wordlist: /tmp/vhost_wordlist.txt
[+] Threads: 10
[+] Timeout: 10s
[+] User Agent: gobuster/3.6
===============================================================
2024/07/30 10:00:00 Starting gobuster in vhost mode
===============================================================
Found: vhost1 (Status: 200) [Size: 20]
Found: vhost2 (Status: 200) [Size: 20]
Found: hidden_vhost (Status: 200) [Size: 27]
===============================================================
2024/07/30 10:00:05 Finished
===============================================================
You can see that gobuster successfully found vhost1, vhost2, and hidden_vhost.
Review the Output for Discovered Virtual Hosts
In this step, you will analyze the output from the gobuster scan to understand the discovered virtual hosts.
The output from gobuster provides key information for each discovered virtual host:
- Found:: The virtual host name that was successfully resolved.
- (Status: 200): The HTTP status code returned by the server. A 200 OK typically indicates that the vhost exists and served content successfully. Other status codes (e.g., 301, 302, 403, 404) might also be relevant depending on the server's configuration.
- [Size: XX]: The size of the response body in bytes. This can sometimes help distinguish between different types of content or default pages.
From the previous step's output, you should have seen:
Found: vhost1 (Status: 200) [Size: 20]
Found: vhost2 (Status: 200) [Size: 20]
Found: hidden_vhost (Status: 200) [Size: 27]
These entries indicate that gobuster successfully identified three virtual hosts on http://127.0.0.1:8080 using the provided wordlist. In a real-world scenario, you would then investigate these discovered vhosts further by browsing to them (e.g., curl -H "Host: vhost1" http://127.0.0.1:8080) or using other web security tools.
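A small triage helper for the review step, added here as an example and not part of Gobuster or the lab. It parses the "Found:" lines in the format shown above, groups findings by status and size, and labels each one; the sample output is constructed from the lab's scan, and the rule that equal status and size means "same page until the bodies are diffed" is the reviewer's heuristic, not a Gobuster guarantee.

```python
"""Triage of gobuster vhost output: parse 'Found:' lines and group by response shape.

Added helper, not part of gobuster or the lab. The sample below is constructed
to match the lab's scan output, banner lines included.
"""
import re
from collections import defaultdict

# Constructed sample: the three result lines from the lab's scan plus the
# surrounding banner lines, which the parser must skip.
SAMPLE_OUTPUT = """\
===============================================================
2024/07/30 10:00:00 Starting gobuster in vhost mode
===============================================================
Found: vhost1 (Status: 200) [Size: 20]
Found: vhost2 (Status: 200) [Size: 20]
Found: hidden_vhost (Status: 200) [Size: 27]
===============================================================
2024/07/30 10:00:05 Finished
"""

# Matches the 'Found: <name> (Status: <code>) [Size: <bytes>]' line format.
FOUND_RE = re.compile(
    r"^Found:\s+(?P<name>\S+)\s+\(Status:\s*(?P<status>\d{3})\)\s+\[Size:\s*(?P<size>\d+)\]"
)


def parse_found(output):
    """Return a list of (name, status, size) tuples from gobuster vhost output."""
    results = []
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            results.append((m.group("name"), int(m.group("status")), int(m.group("size"))))
    return results


def triage(results):
    """Group results by (status, size) and attach a review label to each name.

    Several names sharing one status and byte count were probably answered
    with the same page (a default or catch-all site), so their bodies need a
    diff before they count as distinct vhosts. A unique pair is a stronger
    lead; redirects and 403s get their own notes. Returns {name: label}.
    """
    by_shape = defaultdict(list)
    for name, status, size in results:
        by_shape[(status, size)].append(name)
    labels = {}
    for (status, size), names in by_shape.items():
        if len(names) > 1:
            label = (f"{status}/{size} bytes shared by {', '.join(names)}: "
                     "diff bodies before treating as separate vhosts")
        elif 300 <= status < 400:
            label = f"{status}/{size} bytes: redirect, follow it to see where the vhost leads"
        elif status == 403:
            label = f"{status}/{size} bytes: forbidden, vhost exists but content is restricted"
        else:
            label = f"{status}/{size} bytes: unique response, verify with curl -H 'Host: {names[0]}'"
        for n in names:
            labels[n] = label
    return labels


def verification_commands(results, base_url):
    """Build the curl commands the lab uses to inspect each finding by hand."""
    return [f'curl -s -D - -H "Host: {name}" {base_url}' for name, _, _ in results]


if __name__ == "__main__":
    found = parse_found(SAMPLE_OUTPUT)
    for name, label in triage(found).items():
        print(f"{name:15} {label}")
    print("\n".join(verification_commands(found, "http://127.0.0.1:8080")))
```

Run against the lab's output, vhost1 and vhost2 land in one group (both 200 with 20 bytes) and are flagged for a body comparison, while hidden_vhost stands alone as the finding most worth a manual look.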
This concludes the basic vhost scanning lab. You have successfully used gobuster to identify virtual hosts.
Summary
In this lab, you learned how to perform a basic virtual host scan using Gobuster. You understood the concept of virtual hosts, selected a target, constructed the gobuster command with the -u (URL) and -w (wordlist) flags, executed the scan, and interpreted the results. This skill is fundamental for discovering hidden web applications and expanding the attack surface during security assessments.