vhost-enumeration

Community

Uncover hidden virtual hosts on shared IPs

Authoruphiago
Version1.0.0
Installs0

System Documentation

What problem does it solve?

Standard subdomain enumeration often misses internal-only, development, or admin virtual hosts that share an IP address with public services, as these hosts only respond to specific Host headers or are only listed in SSL certificate SAN fields, leaving them invisible to standard DNS-based reconnaissance techniques.

Core Features & Use Cases

  • Host Header Fuzzing: Brute-force valid virtual hostnames using ffuf with custom Host headers to identify hosts that return unique responses.
  • SSL Certificate SAN Extraction: Parse TLS certificates to extract all domain names associated with an IP address, revealing hidden services exposed via HTTPS.
  • PTR Reverse DNS Lookup: Resolve PTR records for IP ranges to discover hostnames associated with target network ranges.
  • Use Case: When assessing a company's public infrastructure, this skill can uncover unlisted staging environments or internal admin panels that are not present in public DNS records, expanding your reconnaissance coverage.

Quick Start

Use the vhost-enumeration skill to fuzz the Host header for target IP 203.0.113.10 with your DNS wordlist and extract all associated hostnames from its SSL certificate SAN field.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: vhost-enumeration
Download link: https://github.com/uphiago/recon-skills/archive/main.zip#vhost-enumeration

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 537,000+ vetted skills library on demand.