{"id":34553262,"url":"https://github.com/0xnoid/vhsrekon","last_synced_at":"2026-05-27T22:37:06.754Z","repository":{"id":286683401,"uuid":"962203531","full_name":"0xnoid/vhsRekon","owner":"0xnoid","description":"Reconnaissance tool for detecting vHosts","archived":false,"fork":false,"pushed_at":"2025-05-06T12:12:10.000Z","size":658,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-05-27T22:36:20.230Z","etag":null,"topics":["penetration-testing","penetration-testing-tools","reconnaissance","reconnaissance-tool","virtual-host","virtual-hosts"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xnoid.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-04-07T20:02:06.000Z","updated_at":"2025-09-08T02:01:09.000Z","dependencies_parsed_at":"2025-04-07T21:27:09.181Z","dependency_job_id":"fb1a3be1-8ddf-4de3-91a7-fced92868f38","html_url":"https://github.com/0xnoid/vhsRekon","commit_stats":null,"previous_names":["0xnoid/vhsrekon"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/0xnoid/vhsRekon","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xnoid%2FvhsRekon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xnoid%2FvhsRekon/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xnoid%2FvhsRekon/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xnoid%2FvhsRekon/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xnoid","download_url":"https://codeload.github.com/0xnoid/vhsRekon/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xnoid%2FvhsRekon/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33586820,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-27T02:00:06.184Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["penetration-testing","penetration-testing-tools","reconnaissance","reconnaissance-tool","virtual-host","virtual-hosts"],"created_at":"2025-12-24T08:17:53.414Z","updated_at":"2026-05-27T22:37:06.748Z","avatar_url":"https://github.com/0xnoid.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vhsRekon\nvhsRekon is a reconnaissance/research tool used for resolving domains or subdomains vHosts (for example nginx or Caddy) are listening for.\\\nOften this information is hidden behind wildcard domains, Cloudflare or other obstructive ways..\\\nThis tool solves this issue for the research phase of penetration testing by resolving the domains/technologies to specific IPs and providing the information in an easy to use format.\n\u003cdl\u003e\n\u003ch3\u003e\u003ci\u003eWho is this for?\u003c/i\u003e\u003c/h3\u003e\n    \u003cdd\u003e\n        This tool is for anyone who wishes to use it. Whether you're a SysAdmin, Server Admin, Network admin or other IT employee.\u003cbr /\u003e\n        Do note that the tool is created by and for, Cybersecurity professionals. It only gives information which might be relevant to those use cases.\n    \u003c/dd\u003e\n\n\u003ch3\u003e\u003ci\u003eWhy?\u003c/i\u003e\u003c/h3\u003e\n    \u003cdd\u003e\n        Most tools I've encountered has issues. Either, they're written in Python (which is great!) and the packages are too outdated to run. Or, they're multi-use tools which fail to properly validate - which causes a long work time with no results when scanning vHosts.\u003cbr /\u003e\n        vhsRekon aims to solve both those issues. Written in Rust it's quick, lightweight and optimized. Making it work easily both as a standalone program and as a container.\u003cbr /\u003e\n        For information on exactly what features vhsRekon has, check the features section.\n    \u003c/dd\u003e\n\u003c/dl\u003e\n\n![vhsRekon in Progress](https://github.com/0xnoid/vhsRekon/blob/142f2c9260af31a10bc70f0d9f1696c3ab8e0109/vhsRekonScreenshotProg.png)\n\n## Features\n- [x] Automated Scanning\n- [x] Wordlist Integration\n- [x] Multiscan: Multiple IPs \u0026 Domains\n- [x] Port Selection\n- [x] Server Information\n- [x] Results Report\n- [x] Catch-All Scenarios\n- [x] Dynamic Catch-All Scenarios\n- [x] HTTP Code Filter\n- [x] Header Validation\n- [x] Response Validation\n- [x] DNS Resolution Validation\n- [x] SSL/Certificate Validation\n\n### Roadmap\n- [x] Port Selection\n- [x] Detect Catch-All\n- [x] Dynamic Catch-All\n- [x] vHost Report: Server Info\n- [ ] Alias Discovery\n- [ ] Fuzzer\n- [ ] Redirects\n- [ ] Integrate Other Tools\n\n\n\n## Usage\n\n```sh\n                        █▓           \n                     ▒█▓▓▓█▓         \n                   ▒██▓▓█████        \n                 ░██▓▓████▓████      \n               ▒█▓▓▓████▓░░▒████     \n             ░█▓▓▓█████▓▓▒▒▒░ ▓▒▒█   \n           ░██▓▓█████    ▓░░░░ ▒▒██  \n         ░██▓▓█████        ▓░░░▒█████\n       ▒██▓██████ ▒  ▒░▒    ▓▓█████▒ \n     ▒█▓▓██████▓ ▓  ▓ ░▒░ ▒ ▓█████   \n   ▒██▓▓█████▓ ▓ ▒     ▒   █████     \n ▒███▒█████▓██▓ ▒░   ░   █████▒      \n ███▓████▓▓▒▒▓▒▓▓      ██████        \n  ▒██████░▒▒▒▒ ░░▓▓  ▓█████          \n    ▒▒▒█▓▒░▒ ░░ ▒▒░▓█████▒           \n      ▒▒▒█▓░░░░ ░░██████             \n        ▒▒█▓░░▒░██████               \n         ░▒▒▓███████▒ vhsRekon       \n           ▒▒▒█████ @0xnoid          \n             ▒▒▒█ https://github.com/0xnoid                      \n\n\nScan virtual hosts\n\nUsage: vhsrekon [OPTIONS] --ip \u003cIP\u003e\n\nOptions:\n  -i, --ip \u003cIP\u003e                          Target IP or file (one per line)\n  -d, --domain \u003cDOMAIN\u003e                  Target domain or file (e.g. foo.com)\n  -p, --ports \u003cPORTS\u003e...                 Ports to scan (e.g. -p 80 443)\n  -w, --wordlist \u003cWORDLIST\u003e              Wordlist [integrated: 'services', 'namelist', 'top500']\n  -v, --verbose                          Enable verbose output\n  -o, --output \u003cOUTPUT\u003e                  Save output to a file\n  -z, --verbose-output \u003cVERBOSE_OUTPUT\u003e  Save verbose output to a file\n  -f, --show-failed                      Show failed attempts\n  -c, --concurrent \u003cCONCURRENT\u003e          Max concurrent requests (Default: 100)\n  -q                                     Detailed output (verification type, etc.)\n  -s, --scenario-catch                   Enable dynamic catch-all detection\n  -h, --help                             Print help (see more with '--help')\n  -V, --version                          Print version\n\n```\n\nExamples:\n\n```sh\nvhsrekon -i 127.0.0.1 -d foo.com\n```\n\n```sh\nvhsrekon -i 127.0.0.1 -d foo.com -w wordlist.txt -o result.txt\n```\n\n```sh\nvhsrekon -i ips.txt -d domains.txt -o results.txt\n```\n\n### Argument Info\n***Wordlists*** `-w {arg}` / `--wordlist {arg}`\u003cbr /\u003e\nUse: Not required. Defaults to the wordlist `services`.\\\nWe recommend creating your own wordlist using [OWASP Amass](https://github.com/owasp-amass/amass) to ease the process.\\\nHowever, there are 3 wordlists included: Services ([SecLists](https://github.com/danielmiessler/SecLists)), Namelist ([SecLists](https://github.com/danielmiessler/SecLists)) and Top 500 ([dnsscan](https://github.com/rbsec/dnscan)).\n\u003cbr /\u003e\u003cbr /\u003e\nTo use the integrated wordlists we can use the arguments `services`, `namelist` or `top500`. Example: `-w top500`\u003cbr\u003e\nTo use a custom wordlist, make your wordlist in `.txt` with 1 subdomain per line. We may then use the argument `wordlist.txt`. Example: `-w mywordlist.txt`\n\u003cbr /\u003e\u003cbr /\u003e\n***Output*** `-o {arg}` / `--output {arg}`\u003cbr /\u003e\nThis command generates a report containing what vHosts were found, including how it was validated. Example: `-o result.txt`\n\u003cbr /\u003e\u003cbr /\u003e\n***Verbose*** `-v` / `--verbose`\u003cbr /\u003e\n***Verbose: File*** `-z`/ `--verbose-output {arg}`\u003cbr /\u003e\nWe may use either or both at the same time. They are not mutually inclusive/exclusive.\\\nExample (Terminal Output): `-v`\u003cbr /\u003e\nExample (File Output): `-z verbose.txt`\u003cbr /\u003e\nExample (Both): `-v -z verbose.txt`\n\u003cbr /\u003e\u003cbr /\u003e\n***Show failed*** `-f` / `--show-failed`\u003cbr /\u003e\nIncludes failed attempts in result. Useful for small wordlists, but refrain from using with bigger ones.\n\u003cbr /\u003e\u003cbr /\u003e\n***Concurrent*** `-c {arg}` / `--concurrent {arg}`\u003cbr /\u003e\nSets the maximum concurrent connections to the target.\\\nThe default is set to `100`. We do not recommend going above `150` as you may be struck with rate limiting and/or IP ban.\n\u003cbr /\u003e\u003cbr /\u003e\n***Catch-All Scenarios*** `-s` / `--scenario-catch`\nHashes results and analyzes part of page contents, comparing them automatically. This is usually not needed and will increase scan time.\\\nDefault mode is to run without this function.\n\n## Installation\nThere are multiple options, but I recommend installing the tool directly for ease of use which will allow better organization of input/output files.\\\nThe easiest way to achieve this is to install the premade packages:\n```sh\ncurl -sSL https://raw.githubusercontent.com/0xnoid/vhsrekon/main/install.sh | sudo bash\n```\n\u003csup\u003e\u003csup\u003eThe script currently supports the following package managers: `deb`, `rpm` and `pacman`.\u003c/sup\u003e\u003c/sup\u003e\n\n\n### Docker\nIf you prefer using Docker, you'll need to compile it.\n\n\u003cdetails\u003e\u003csummary\u003eQuick Script\u003c/summary\u003e\nYou may use the quick script:\n\n```sh\ncurl -sSL https://raw.githubusercontent.com/0xnoid/vhsrekon/main/install-docker.sh | bash\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eManually\u003c/summary\u003e\nOr, if you prefer to do it manually:\n\n```sh\ngit clone https://github.com/0xnoid/vhsrekon\ncd vhsrekon\ndocker build -t vhsrekon .\n```\n\u003c/details\u003e\n\nOnce built, simply run it:\n\n```sh\ndocker run -it --rm vhsrekon --help\n```\n\nThen after that we may reuse the container whenever:\n\n```sh\ndocker run -it vhsrekon {arg}\n```\n\n### Build it yourself\n\u003cdetails\u003e\nTo build it yourself, there are a few requirements.\\\nFirst, you'll need Rust\n\n```sh\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n```\nNext, you'll need build tools\n\n\n\u003cdetails\u003e\u003csummary\u003eDebian Based\u003c/summary\u003e\n\n```sh\nsudo apt install build-essential\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eArch Based\u003c/summary\u003e\n\n```sh\nsudo pacman -S base-devel\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eFedora Based\u003c/summary\u003e\n\n```sh\nsudo dnf install make automake gcc gcc-c++ kernel-devel  \n```\n\nOR:\n\n```sh\nsudo dnf install @development-tools\n```\n\nOR:\n```sh\ndnf group install \"Development Tools\"\n```\n\nThe first one will install the least amount of required tools.\n\u003c/details\u003e\n\nAfter that, clone this and build it\n\n```sh\ngit clone https://github.com/0xnoid/vhsrekon\ncd vhsrekon\ncargo build --release\n```\n\nYou may then either move it, or use it from the folder.\\\nWe suggest moving it to your `/usr/bin/`.\n\n```sh\n./target/release/vhsrekon -h\n```\n\n\u003c/details\u003e\n\n\n## Preparation\nvhsRekon may be used as a standalone program, but there are some suggestions on how to improve your scans.\\\nThis includes using other tools to create Wordlists and IP lists, which will drastically improve both your success rate and scan time - especially for multi-target use.\n\n***Why***?\\\nBy preparing we can avoid hitting the Target when we don't need to. This will allow our requests to look more legitimate and avoid detection.\n\n***What should I prepare***?\\\nYou'll want to prepare both a Wordlist and an IP list, the tools below will help generate both of these items.\n\n\u003cdl\u003e\n\u003ch3\u003e\u003ci\u003eWordlist\u003c/i\u003e\u003c/h3\u003e\n    \u003cdd\u003e\n        Creating a Wordlist of subdomains will aid us in finding the subdomains which may not be listed in public sources.\u003cbr /\u003e\n        This often includes wildcard domains and other items which the Target's domain/range might be listning for.\u003cbr /\u003e\n        Useful tools for this portion of Discovery:\n        \u003cdl\u003e\n            \u003cdt\u003e\u003ca href=\"https://github.com/owasp-amass/amass\"\u003eOWASP Amass\u003c/a\u003e\u003c/dt\u003e\n                \u003cdd\u003e\n                    \u003cb\u003e\u003ci\u003eEnumeration tool.\u003c/i\u003e\u003c/b\u003e This tool can scan both passively and actively scan, it's one of the most full fletched tools you can use for finding any subdomain with bruteforce, wordlists, etc.\u003cbr /\u003e\n                    Highly recommended for creating your wordlist. Built in with most pentest OSes.\n                \u003c/dd\u003e\n            \u003cdt\u003e\u003ca href=\"https://github.com/SparrowOchon/dnsenum2\"\u003ednsenum\u003c/a\u003e\u003c/dt\u003e\n                \u003cdd\u003e\n                    \u003cb\u003e\u003ci\u003eEnumeration tool.\u003c/i\u003e\u003c/b\u003e This tool is easy to use and has multiple options, such as brute force, Google scraping and passive enumeration (DNS).\u003cbr /\u003e\n                    Highly recommended for creating your wordlist with the XML output, but needs to be converted before use. Built in with most pentest OSes.\n                \u003c/dd\u003e\n        \u003c/dl\u003e\n    \u003c/dd\u003e\n\u003ch3\u003e\u003ci\u003eIP Discovery\u003c/i\u003e\u003c/h3\u003e\n    \u003cdd\u003e\n        Finding the target IPs can often be easy, there are of course multiple ways to do this. If the target is simple, we may of course use tools such as whois, traceroute and DNS querying.\u003cbr /\u003e\n        However, since most hosts nowadays use CloudFlare to obfuscate the IP we might also need to dig deeper for the source IP.\u003cbr /\u003e\n        Useful tools:\n        \u003cdl\u003e\n            \u003cdt\u003e\u003ca href=\"https://github.com/0xnoid/CloudFail\"\u003eCloudFail\u003c/a\u003e\u003c/dt\u003e\n                \u003cdd\u003e\n                    \u003cb\u003e\u003ci\u003eFind IPs and Subdomains.\u003c/i\u003e\u003c/b\u003e Easy to use tool that scans CloudFlare leaked IPs, compares the domains and subdomains listed towards misconfigurations and previously leaked IPs by using multiple datasets and databases.\u003cbr /\u003e\n                    Highly recommended for any target behind Cloudflare. Easy to use tool that can generate both IP list and Subdomain list.\n                \u003c/dd\u003e\n            \u003cdt\u003e\u003ca href=\"https://github.com/rfc1036/whois\"\u003ewhois\u003c/a\u003e\u003c/dt\u003e\n                \u003cdd\u003e\n                    \u003cb\u003e\u003ci\u003eWhois terminal client.\u003c/i\u003e\u003c/b\u003e Tool by Marco d'Itri that comes built in with most GNU/Linux distributions. Easy to use, but usually won't return all the data you need.\u003cbr /\u003e\n                    Will not work if Cloudflare is enabled. Will only return domain you search.\n                \u003c/dd\u003e\n            \u003cdt\u003e\u003ca href=\"https://linux.die.net/man/1/dig\"\u003eDig\u003c/a\u003e\u003c/dt\u003e\n                \u003cdd\u003e\n                    \u003cb\u003e\u003ci\u003eQuery DNS name servers.\u003c/i\u003e\u003c/b\u003e Tool by ISC that comes built in with GNU/Linux. Easy to use.\u003cbr /\u003e\n                    Will not work if Cloudflare is enabled. Will only return domain you search.\n                \u003c/dd\u003e\n            \u003cdt\u003e\u003ca href=\"https://github.com/SparrowOchon/dnsenum2\"\u003ednsenum\u003c/a\u003e\u003c/dt\u003e\n                \u003cdd\u003e\n                    \u003cb\u003e\u003ci\u003eEnumeration tool.\u003c/i\u003e\u003c/b\u003e This tool is mentioned in the Wordlist, but it also returns IPs listed in the DNS.\u003cbr /\u003e\n                    Will not work if Cloudflare is enabled. Will only return domain you search.\n                \u003c/dd\u003e\n        \u003c/dl\u003e\n\u003ch4\u003eScripts\u003c/h4\u003e\n    \u003cdd\u003e\n        While most of these tools are useful, actually combining the data into a wordlist/ip list can be tedious.\n        \u003cdl\u003e\n            \u003cdt\u003e\u003ca href=\"https://github.com/0xnoid/kit/blob/master/report/amass.sh\"\u003eAmass Report Generator\u003c/a\u003e\u003c/dt\u003e\n                \u003cdd\u003e\n                    Wrapper bash script for OWASP Amass to generate HTML reports, subdomain wordlist and IP list.\n                \u003c/dd\u003e\n        \u003c/dl\u003e\n\u003c/dl\u003e\n\n\n## Other\nCommercial Requirements? Require a license for your operations? \u003ca href=\"mailto:tools@mimmikk.com\"\u003eReach out\u003c/a\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xnoid%2Fvhsrekon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xnoid%2Fvhsrekon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xnoid%2Fvhsrekon/lists"}