vhostscan

--sslIf set then connections will be made over HTTPS instead of HTTP.

--wafIf set then simple WAF bypass headers will be sent.

-pSet the port to use (default 80).

-bSet host to be used during substitution in wordlist (default to TARGET).

-rThe real port of the webserver to use in headers when not 80 (see RFC2616 14.23), useful when pivoting through ssh/nc etc (default to PORT).

-wSet the wordlist(s) to use. You may specify multiple wordlists in comma delimited format (e.g. -w ./wordlists/simple.txt, ./wordlists/hackthebox.txt (default ./wordlists/virtual-host-scanning.txt).

--user-agentSpecify a user agent to use for scans.

--fuzzy-logicIf set then all unique content replies are compared and a similarity ratio is given for each pair. This helps to isolate vhosts in situations where a default page isn't static (such as having the time on it).

--random-agentIf set, each scan will use a random user-agent from a predefined list.

-tSet the target host.

--ignore-http-codesComma separated list of http codes to ignore with virtual host scans (default 404).

--ignore-content-lengthIgnore content lengths of specificed amount.

--rate-limitAmount of time in seconds to delay between each scan (default 0).

--no-lookupsDisbale reverse lookups (identifies new targets and append to wordlist, on by default).

--first-hitReturn first successful result. Only use in scenarios where you are sure no catch-all is configured (such as a CTF).

--suffixAdd a suffix to each item in the wordlist, to add <word>dev, <word>dev

--prefixAdd a prefix to each item in the wordlist, to add dev-<word>, test-<word> etc