Question 1

How to use VHostScan with SSH tunnels for port forwarding?

Accepted Answer

Use the -p flag for the local port and -r for the real server port, as shown in the README example: 'VHostScan -t localhost -b example.com -p 4444 -r 80' to route through an SSH tunnel while correctly formatting headers.

Question 2

What wordlists are best for scanning modern cloud environments?

Accepted Answer

The included cloud-modern.txt wordlist is optimized for cloud infrastructure like AWS and Kubernetes, containing entries for containers and DevOps tools. For comprehensive scans, combine it with common-vhosts.txt using the -w flag.

Question 3

Can VHostScan bypass web application firewalls effectively?

Accepted Answer

Yes, with the --waf flag, it adds simple response headers to bypass some WAF products, though the README notes this is basic and effectiveness may vary against advanced firewalls.

Question 4

How does VHostScan compare to gobuster for virtual host brute-forcing?

Accepted Answer

VHostScan excels in handling dynamic catch-all scenarios with fuzzy logic, while gobuster is faster for static brute-forcing but may miss vhosts on pages with changing content. Choose VHostScan for tricky, real-world edge cases.

Question 5

How to output results in JSON for automation pipelines?

Accepted Answer

Use the -oJ flag with a filename to generate JSON output, which can be easily parsed by scripts. The README also supports grepable (-oG) and normal formats for integration into security workflows.

Question 6

Is VHostScan good for CTF challenges involving subdomains?

Accepted Answer

Yes, its features like --first-hit for quick results and specialized wordlists make it ideal for CTFs, though the README cautions that --first-hit should only be used when sure no catch-all is configured.

VHostScan

What is VHostScan?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions