vhsRekon

vhsRekon is a reconnaissance/research tool used for resolving domains or subdomains vHosts (for example nginx or Caddy) are listening for.
Often this information is hidden behind wildcard domains, Cloudflare or other obstructive ways..
This tool solves this issue for the research phase of penetration testing by resolving the domains/technologies to specific IPs and providing the information in an easy to use format.

Who is this for?

This tool is for anyone who wishes to use it. Whether you're a SysAdmin, Server Admin, Network admin or other IT employee.
Do note that the tool is created by and for, Cybersecurity professionals. It only gives information which might be relevant to those use cases.

Why?

Most tools I've encountered has issues. Either, they're written in Python (which is great!) and the packages are too outdated to run. Or, they're multi-use tools which fail to properly validate - which causes a long work time with no results when scanning vHosts.
vhsRekon aims to solve both those issues. Written in Rust it's quick, lightweight and optimized. Making it work easily both as a standalone program and as a container.
For information on exactly what features vhsRekon has, check the features section.

Features

• Automated Scanning
• Wordlist Integration
• Multiscan: Multiple IPs & Domains
• Port Selection
• Server Information
• Results Report
• Catch-All Scenarios
• Dynamic Catch-All Scenarios
• HTTP Code Filter
• Header Validation
• Response Validation
• DNS Resolution Validation
• SSL/Certificate Validation

Roadmap

• Port Selection
• Detect Catch-All
• Dynamic Catch-All
• vHost Report: Server Info
• Alias Discovery
• Fuzzer
• Redirects
• Integrate Other Tools

Usage

                        █▓           
                     ▒█▓▓▓█▓         
                   ▒██▓▓█████        
                 ░██▓▓████▓████      
               ▒█▓▓▓████▓░░▒████     
             ░█▓▓▓█████▓▓▒▒▒░ ▓▒▒█   
           ░██▓▓█████    ▓░░░░ ▒▒██  
         ░██▓▓█████        ▓░░░▒█████
       ▒██▓██████ ▒  ▒░▒    ▓▓█████▒ 
     ▒█▓▓██████▓ ▓  ▓ ░▒░ ▒ ▓█████   
   ▒██▓▓█████▓ ▓ ▒     ▒   █████     
 ▒███▒█████▓██▓ ▒░   ░   █████▒      
 ███▓████▓▓▒▒▓▒▓▓      ██████        
  ▒██████░▒▒▒▒ ░░▓▓  ▓█████          
    ▒▒▒█▓▒░▒ ░░ ▒▒░▓█████▒           
      ▒▒▒█▓░░░░ ░░██████             
        ▒▒█▓░░▒░██████               
         ░▒▒▓███████▒ vhsRekon       
           ▒▒▒█████ @0xnoid          
             ▒▒▒█ https://github.com/0xnoid                      


Scan virtual hosts

Usage: vhsrekon [OPTIONS] --ip <IP>

Options:
  -i, --ip <IP>                          Target IP or file (one per line)
  -d, --domain <DOMAIN>                  Target domain or file (e.g. foo.com)
  -p, --ports <PORTS>...                 Ports to scan (e.g. -p 80 443)
  -w, --wordlist <WORDLIST>              Wordlist [integrated: 'services', 'namelist', 'top500']
  -v, --verbose                          Enable verbose output
  -o, --output <OUTPUT>                  Save output to a file
  -z, --verbose-output <VERBOSE_OUTPUT>  Save verbose output to a file
  -f, --show-failed                      Show failed attempts
  -c, --concurrent <CONCURRENT>          Max concurrent requests (Default: 100)
  -q                                     Detailed output (verification type, etc.)
  -s, --scenario-catch                   Enable dynamic catch-all detection
  -h, --help                             Print help (see more with '--help')
  -V, --version                          Print version

Examples:

vhsrekon -i 127.0.0.1 -d foo.com

vhsrekon -i 127.0.0.1 -d foo.com -w wordlist.txt -o result.txt

vhsrekon -i ips.txt -d domains.txt -o results.txt

Argument Info

Wordlists -w {arg} / --wordlist {arg}
Use: Not required. Defaults to the wordlist services.
We recommend creating your own wordlist using OWASP Amass to ease the process.
However, there are 3 wordlists included: Services (SecLists), Namelist (SecLists) and Top 500 (dnsscan).

To use the integrated wordlists we can use the arguments services, namelist or top500. Example: -w top500
To use a custom wordlist, make your wordlist in .txt with 1 subdomain per line. We may then use the argument wordlist.txt. Example: -w mywordlist.txt

Output -o {arg} / --output {arg}
This command generates a report containing what vHosts were found, including how it was validated. Example: -o result.txt

Verbose -v / --verbose
Verbose: File -z/ --verbose-output {arg}
We may use either or both at the same time. They are not mutually inclusive/exclusive.
Example (Terminal Output): -v
Example (File Output): -z verbose.txt
Example (Both): -v -z verbose.txt

Show failed -f / --show-failed
Includes failed attempts in result. Useful for small wordlists, but refrain from using with bigger ones.

Concurrent -c {arg} / --concurrent {arg}
Sets the maximum concurrent connections to the target.
The default is set to 100. We do not recommend going above 150 as you may be struck with rate limiting and/or IP ban.

Catch-All Scenarios -s / --scenario-catch Hashes results and analyzes part of page contents, comparing them automatically. This is usually not needed and will increase scan time.
Default mode is to run without this function.

Installation

There are multiple options, but I recommend installing the tool directly for ease of use which will allow better organization of input/output files.
The easiest way to achieve this is to install the premade packages:

curl -sSL https://raw.githubusercontent.com/0xnoid/vhsrekon/main/install.sh | sudo bash

^{The script currently supports the following package managers: deb, rpm and pacman.}

Docker

If you prefer using Docker, you'll need to compile it.

Quick Script

You may use the quick script:

curl -sSL https://raw.githubusercontent.com/0xnoid/vhsrekon/main/install-docker.sh | bash

Manually

Or, if you prefer to do it manually:

git clone https://github.com/0xnoid/vhsrekon
cd vhsrekon
docker build -t vhsrekon .

Once built, simply run it:

docker run -it --rm vhsrekon --help

Then after that we may reuse the container whenever:

docker run -it vhsrekon {arg}

Build it yourself

To build it yourself, there are a few requirements.\ First, you'll need Rust

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Next, you'll need build tools

Debian Based

sudo apt install build-essential

Arch Based

sudo pacman -S base-devel

Fedora Based

sudo dnf install make automake gcc gcc-c++ kernel-devel  

OR:

sudo dnf install @development-tools

OR:

dnf group install "Development Tools"

The first one will install the least amount of required tools.

After that, clone this and build it

git clone https://github.com/0xnoid/vhsrekon
cd vhsrekon
cargo build --release

You may then either move it, or use it from the folder.
We suggest moving it to your /usr/bin/.

./target/release/vhsrekon -h

Preparation

vhsRekon may be used as a standalone program, but there are some suggestions on how to improve your scans.
This includes using other tools to create Wordlists and IP lists, which will drastically improve both your success rate and scan time - especially for multi-target use.

Why?
By preparing we can avoid hitting the Target when we don't need to. This will allow our requests to look more legitimate and avoid detection.

What should I prepare?
You'll want to prepare both a Wordlist and an IP list, the tools below will help generate both of these items.

Wordlist

Creating a Wordlist of subdomains will aid us in finding the subdomains which may not be listed in public sources.
This often includes wildcard domains and other items which the Target's domain/range might be listning for.
Useful tools for this portion of Discovery:

OWASP Amass

Enumeration tool. This tool can scan both passively and actively scan, it's one of the most full fletched tools you can use for finding any subdomain with bruteforce, wordlists, etc.
Highly recommended for creating your wordlist. Built in with most pentest OSes.

dnsenum

Enumeration tool. This tool is easy to use and has multiple options, such as brute force, Google scraping and passive enumeration (DNS).
Highly recommended for creating your wordlist with the XML output, but needs to be converted before use. Built in with most pentest OSes.

IP Discovery

Finding the target IPs can often be easy, there are of course multiple ways to do this. If the target is simple, we may of course use tools such as whois, traceroute and DNS querying.
However, since most hosts nowadays use CloudFlare to obfuscate the IP we might also need to dig deeper for the source IP.
Useful tools:

CloudFail

Find IPs and Subdomains. Easy to use tool that scans CloudFlare leaked IPs, compares the domains and subdomains listed towards misconfigurations and previously leaked IPs by using multiple datasets and databases.
Highly recommended for any target behind Cloudflare. Easy to use tool that can generate both IP list and Subdomain list.

whois

Whois terminal client. Tool by Marco d'Itri that comes built in with most GNU/Linux distributions. Easy to use, but usually won't return all the data you need.
Will not work if Cloudflare is enabled. Will only return domain you search.

Dig

Query DNS name servers. Tool by ISC that comes built in with GNU/Linux. Easy to use.
Will not work if Cloudflare is enabled. Will only return domain you search.

dnsenum

Enumeration tool. This tool is mentioned in the Wordlist, but it also returns IPs listed in the DNS.
Will not work if Cloudflare is enabled. Will only return domain you search.

Scripts

While most of these tools are useful, actually combining the data into a wordlist/ip list can be tedious.

Amass Report Generator

Wrapper bash script for OWASP Amass to generate HTML reports, subdomain wordlist and IP list.

Other

Commercial Requirements? Require a license for your operations? Reach out