To scan for VHosts, without manually adding the entire wordlist to our /etc/hosts, we will be fuzzing HTTP headers, specifically the Host header.
root@oco:~$ ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://{targetSite.tld}:{port}/ -H 'Host: FUZZ.{targetSite.tld}'
* the -H flag specifies a header and will use the FUZZ keyword within it
* several 200 OK responses with similar sizes will be returned in the output. this is
expected, as you're only changing the header while visiting the same target site. if
the VHost does exist and we send the correct name in the header, you should receive
a 200 OK that has a different response size from the rest.
root@oco:~$ sudo nano /etc/hosts
{ipAddress} {targetSite.tld}
* /etc/hosts maps an IP address to a hostname only; the port goes in the -u URL, not in this entry
root@oco:~$ ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://{targetSite.tld}:{port}/ -H 'Host: FUZZ.{targetSite.tld}'
root@oco:~$ ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://{targetSite.tld}:{port}/ -H 'Host: FUZZ.{targetSite.tld}' -fs {986}
* -fs filters HTTP response size. Comma separated list of sizes and ranges
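Added example (not part of the original notes): picking the -fs value from a first unfiltered run instead of reading it off the screen. It assumes the scan was saved with ffuf's -o scan.json -of json and that each entry under "results" carries "input", "status" and "length"; the sample report and the function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample in the assumed shape of an ffuf JSON report
# (-o scan.json -of json). Only the fields used below are included
# and every value is made up.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"input": {"FUZZ": "www"}, "status": 200, "length": 986},
        {"input": {"FUZZ": "mail"}, "status": 200, "length": 986},
        {"input": {"FUZZ": "ftp"}, "status": 200, "length": 986},
        {"input": {"FUZZ": "admin"}, "status": 200, "length": 0},
        {"input": {"FUZZ": "dev"}, "status": 200, "length": 986},
        {"input": {"FUZZ": "test"}, "status": 200, "length": 900},
    ]
})


def baseline_size(results):
    """Most common response length: the size of the default site's answer."""
    if not results:
        raise ValueError("report contains no results")
    return Counter(r["length"] for r in results).most_common(1)[0][0]


def candidate_vhosts(report_text, keyword="FUZZ"):
    """Return (baseline, hits); hits are entries whose size differs from it."""
    results = json.loads(report_text).get("results", [])
    base = baseline_size(results)
    hits = [(r["input"][keyword], r["status"], r["length"])
            for r in results if r["length"] != base]
    return base, hits


if __name__ == "__main__":
    base, hits = candidate_vhosts(SAMPLE_REPORT)
    print(f"baseline size: {base}  (value to pass to -fs)")
    for word, status, length in hits:
        print(f"{word}\tstatus={status}\tsize={length}")
```

If the default page echoes the Host header back, sizes shift with the word length and no single baseline exists; in that case pass a range to -fs rather than one value.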