A script to enumerate virtual hosts on a server.
Switch branches/tags
Nothing to show
Clone or download
Latest commit 8dd4510 Dec 28, 2017
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore Added output.txt to git ignore list Dec 28, 2017
README.md minor fix of the description Aug 28, 2017
scan.rb Expand path before loading it Dec 28, 2017
wordlist Added some more subdomains Aug 28, 2017


Virtual host scanner

This is a basic HTTP scanner that'll enumerate virtual hosts on a given IP address. During recon, this might help expand the target by detecting old or deprecated code. It may also reveal hidden hosts that are statically mapped in the developer's /etc/hosts file.


The tool comes with a few basic options. They are listed below and help narrow down virtual hosts.

ruby scan.rb --ip= --host=domain.tld

Here's a list of all available options:

  • --ignore-http-codes: a comma-separated list of HTTP status codes to be ignored in the scan results. This may become useful when the scan results are poluted with false-positives that are identified by their HTTP response code.
  • --ignore-content-length: a content length filter which should be ignored in the scan results. This may become useful when a server returns a static page on every virtual host guess.
  • --port: when the web server isn't running on port 80.
  • --wordlist: specify an alternative location for the wordlist.
  • --ssl: on or off depending on whether you want to connect with SSL.
  • --output: optionally specify an alternative file to write the output to. Defaults to output.txt in the current directory.


There's a default, small, wordlist in this repository. To use your own wordlist, use the --wordlist option. %s will be replaced with the given --host header in every line of the wordlist file.