Metadata-Version: 2.4
Name: vhostcross
Version: 0.1.1
Summary: Virtual-host discovery for pentest and bug bounty
Keywords: vhost,security,bugbounty,pentest,recon
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.10
Classifier: Environment :: Console
Classifier: Intended Audience :: Information Technology
Classifier: Topic :: Security
Requires-Python: >=3.10
Description-Content-Type: text/markdown
Requires-Dist: rich>=13.0.0
Requires-Dist: tqdm>=4.0.0

# VHostCross

Virtual-host discovery tool for pentest and bug bounty.


## How It Works

Main question: `If I replay known subdomains as 'Host' headers on known target IPs, can I discover anything new?`

1. You give a list of subdomains.
2. The tool gets target IPs (from those domains, or from `--ips`).
3. Then it sends each subdomain as `Host` to each target IP.
4. Some magic: baseline checks + wildcard filtering.
5. Any clearly unusual or different response is treated as a candidate hit.


## Example:

### input
```bash
vhostcross --domains subdomains.txt
```

### output
```text
...
...
...
[HIT] status=200 target=https://178.248.236.149:443 host=cyberbones.standoff365.com
[HIT] status=404 target=https://178.248.236.149:443 host=hackbase.standoff365.com
[HIT] status=404 target=https://178.248.236.149:443 host=jsonformer.standoff365.com
...
...
...

 STATUS   TARGET                        DOMAIN                                                  DIFF LENGTH   DIFF FINGERPRINT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
    200   https://178.248.236.149:443   cyberbones.standoff365.com                                   ✓               ✓
    200   https://178.248.236.149:443   www.cyberbones.standoff365.com                               ✓               ✓
    301   http://178.248.232.45:80      meet.standoff365.com -> https://standoff365.com/             ✓               ✓
    301   http://178.248.236.149:80     archive.standoff365.com -> http://standoff365.com:80/        ✓               ✓
    301   https://178.248.236.149:443   archive.standoff365.com -> https://standoff365.com/          ✓               ✓
    403   https://178.248.236.149:443   nad.standoff365.com                                          ✓               ✓
    403   https://178.248.236.149:443   www.startbugbounty.standoff365.com                           ✓               ✓
    404   http://213.180.193.247:80     365-vpn.standoff365.com                                      -               ✓
    404   http://213.180.193.247:80     cfp.standoff365.com                                          -               ✓
    ...
    ...
    ...
```

### validate
```text
curl -k -i -s "https://cyberbones.standoff365.com" | wc -c
420

curl -k -i -s "https://178.248.236.149:443" -H "Host: cyberbones.standoff365.com" | wc -c
287329
```

The response sizes are very different, which confirms that the discovered virtual host behaves differently.


## Installation

```bash
pip3 install vhostcross
```
or
```bash
python -m pip install vhostcross
```


## Usage

```bash
vhostcross --domains subdomains.txt
```

```bash
vhostcross --domains domain.txt --ips ips_or_ips_with_specific_ports.txt
```

```bash
vhostcross --domains domain.txt --connect-timeout 0.5 --read-timeout 3.0
```

## Key Options

- `--domains` (required)
- `--ips` (optional; supports `IP`, `IP:port`, `http://IP:port`, `https://IP:port`)
- `--connect-timeout` (default `0.5`)
- `--read-timeout` (default `3.0`)
- `--threads` (default `5`)
- `--compare-mode` = `length | fingerprint | both` (default `both`)
- `--debug-reasons`
- `--output` (JSON, default `~/.vhostcross/result.json`)
