Create a file of candidate hostnames from a website with CeWL, then scan the web server for vhosts with the Metasploit vhost_scanner to find hidden virtual hosts on the web server. #infosec #hacking #pentest #pentesting #redteam #hackthebox #ctf #linux4hackers

We start by collecting possible hostnames from the website with CeWL:

cewl http://10.10.10.1 -w cewl.txt

You can also use some other switches, like:

-d = depth to spider the website for words

-m = minimum word length

-w = output file

So that the final command can look like this:

cewl http://10.10.10.1 -d 5 -w cewl.txt

When I tried this on a web page, the difference between -d 1 and -d 2 was almost 1 minute.

-d 1:

time cewl -d 1 https://website.se -w cewl.txt 
real 0m52,795s
user 0m2,681s
sys 0m1,586s

-d 2:

time cewl -d 2 https://website.se -w cewl.txt
real 1m47,757s
user 0m16,250s
sys 0m0,160s

Then we want to create one file with only the hostnames, sorted a-z:

cat cewl.txt | sort > sortcewl.txt

Then we want to create one file with hostname and domain name:

cat cewl.txt | sort > sortcewldomain.txt
sed -i 's/$/.website.se/' sortcewldomain.txt
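The sort/sed steps above keep every word CeWL emits, including mixed-case duplicates and strings that cannot be DNS labels. The following added example (not from the original post) does the same two-file preparation but lowercases, filters to valid hostname labels and de-duplicates; the word list and the domain website.se are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: turn raw cewl output into the
# two lists used above, but lowercase the words, keep only strings that are
# valid DNS labels, and de-duplicate, so the scanner does not send the same
# Host header twice or try labels that can never be a hostname.

# Constructed sample of cewl output (mixed case, punctuation, duplicates).
SAMPLE_WORDS='Hidden
Welcome
hidden
Admin
web_mail
staff2
Under-score
THE
-lead'

# normalise_labels: stdin = raw words, stdout = sorted unique lowercase
# labels following RFC 1123 hostname rules ([a-z0-9-], no leading/trailing -).
normalise_labels() {
    tr 'A-Z' 'a-z' \
    | grep -E '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$' \
    | LC_ALL=C sort -u
}

# append_domain: suffix each label on stdin with .<domain> (the sed step above).
append_domain() {
    sed "s/\$/.$1/"
}

# build_lists DOMAIN OUTDIR: write sortcewl.txt (labels only, for SUBDOM_LIST)
# and sortcewldomain.txt (full names, for tools that want FQDNs) into OUTDIR;
# prints the number of labels kept.
build_lists() {
    printf '%s\n' "$SAMPLE_WORDS" | normalise_labels > "$2/sortcewl.txt"
    append_domain "$1" < "$2/sortcewl.txt" > "$2/sortcewldomain.txt"
    wc -l < "$2/sortcewl.txt" | tr -d ' '
}

# Demo run into a temporary directory; feed cewl.txt instead of SAMPLE_WORDS
# for real use.
demo_dir=$(mktemp -d)
echo "kept $(build_lists website.se "$demo_dir") candidate labels in $demo_dir"
cat "$demo_dir/sortcewldomain.txt"
```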

Now we have two files that we can use in different tools. Google VHostScan!

In this case we use Metasploit!

Start Metasploit:

msfdb start
msfconsole

Use vhost scanner:

use auxiliary/scanner/http/vhost_scanner
set RHOSTS 10.10.10.1
set SUBDOM_LIST sortcewl.txt
set DOMAIN website.se
set RPORT 80
run

The result:

[*] [10.10.10.1] Sending request with random domain ipRon.website.se 
[*] [10.10.10.1] Sending request with random domain NZFEe.website.se
[+] [10.10.10.1] Vhost found hidden.website.se 
[*] Scanned 1 of 1 hosts (100% complete)
