Disclaimer: Only try this on hosts you have the right to test. Some server admins treat actions like those described here as an "attack". This is only for learning purposes, don't do this out in the www.
Let's assume there's a website you'd like to hack but you cannot find any security hole through which you can gain access. You have already scanned for other services but only found a well secured SSH and FTP service, which are not attackable because they are secured too well.
Then you need to extend your attack surface in order to hopefully find a hole you can exploit.
What is a vhost?
First of all you need to understand what a vhost is.
For example, you have a physical server A with the IP address 184.108.40.206 and a physical server B with the IP address 220.127.116.11.
When you operate in a non-vhost environment, each server runs a webserver which delivers ONE website.
That means that one physical server handles ONE and only ONE website.
If you want to surf to this webpage you can use its URL example.com, which points to the webserver 18.104.22.168. This also works vice versa: you can enter the website by surfing directly to its IP address 22.214.171.124 and end up in the very same location.
This is not very cost effective since servers are not cheap, so vhosts became popular.
That means that ONE server with ONE IP address can handle multiple hosts, so-called virtual hosts.
Webserver A, for example, is now upgraded to a vhost server. It still has ONE IP address 126.96.36.199, but there are multiple websites on it. Hosting companies usually do that in order to offer competitive prices to their customers, which means that customers share a server with other customers.
So let's assume that example2.com and example3.com run on the same server as two different vhosts.
If I surf to example2.com using HTTP I end up on server 188.8.131.52. And if I surf to example3.com using HTTP I also end up on server 184.108.40.206. But I see a different website? How is that possible?
We can find the answer in RFC 2616 section 14.23.
HTTP/1.1 has a header field called "Host", and this header has to name the host we are surfing to. If you surf to example3.com, your HTTP request adds the header field "Host: example3.com". Therefore the server knows which website you would like to see if multiple are available on the server.
So you send an HTTP request to 220.127.116.11 with the HTTP header "Host: example3.com" or "Host: example2.com". The server uses this field to know which webpage you want to see.
vhosts on an Apache server
A very popular webserver software is Apache. Let's take a quick look at how it is set up in order to understand it better.
You can read an in-depth guide here: https://httpd.apache.org/docs/2.4/vhosts/name-based.html
But basically the setup is one <VirtualHost> block per site name, all listening on the same IP address and port, each with its own ServerName and DocumentRoot.
This concept again makes clear that you operate on the very same server.
And where is the bigger attack surface now?
If you have not already noticed where the bigger attack surface is, you maybe should not go further :D
If your target is example2.com but you can't find any security hole, you can try to attack example3.com.
Why? Because it's on the same server. If you can gain control over the server of example3.com you also have control over the server of example2.com. Why? Because it's the same server ;)
And maybe it's not limited to only two hosts. Some servers have hundreds of vhosts configured, and only one of them needs to have a security hole you can exploit ;)
How to find out if a site is running on a vhost environment?
The next step is to find out if your target site runs in a vhost environment. As described above, according to RFC 2616 an HTTP/1.1 client needs to send a "Host" header field in order to identify a vhost on a server.
Let's use some real life examples, for example amazon.com. It is such a huge company that they do not share their servers with other hosts.
Using the developer tools in Chrome we can check the HTTP header fields in the network tab. You see, there is no "Host" field defined. That means amazon.com runs on a dedicated server which only serves their website. Let's check if this is true using its IP address.
First simply get the IP address of amazon.com and then try to access amazon.com via its IP address.
Their IP address is 18.104.22.168, and entering this IP address directly into a browser leads me to amazon.com. That means this IP address is dedicated only to the website of amazon.com. If there were multiple vhosts on the same server this would lead to an error, since I do not define a host in the HTTP header.
In the case of amazon.com we can't make our attack surface bigger using this method.
Good, let's check another website. Something small which most likely runs as a vhost.
Let's use rgbtohex.net.
Okay, surfing to rgbtohex.net with the developer tools open shows me that a Host field is set:
This means if we directly access the server without providing a Host header we should trigger an error, since the server does not know which site it has to deliver:
The IP address of their server is 22.214.171.124. Accessing this server directly via IP without providing a Host header leads to this:
The server is confused and redirects to "www.126.96.36.199".
So now we know that rgbtohex.net runs on a vhost.
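As an added example (not part of the original post), here is a small Python simulation of the Host header dispatch explained in the vhost section and of the IP-only check just performed: a server on 127.0.0.1 serves example2.com and example3.com from one address by looking at the Host header, and a raw client sends a GET with and without that header. The site contents are constructed, and unlike the real server above, which redirected, this simulated one answers 404 for a missing or unknown Host, which is the safer default for a shared server.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: two sites that share one IP address, as on the page
SITES = {
    "example2.com": b"<h1>example2.com</h1>",
    "example3.com": b"<h1>example3.com</h1>",
}

class VHostHandler(BaseHTTPRequestHandler):
    """Name-based vhost dispatch: choose the site by the Host header (RFC 2616 14.23)."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = SITES.get(host)
        if body is None:
            # Missing or unknown Host (e.g. access by bare IP): answer 404 instead of
            # leaking a default site, which is the behaviour a hardened setup wants.
            body = b"unknown host"
            self.send_response(404)
        else:
            self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_server():
    """Bind the simulated vhost server to a free localhost port; serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def raw_get(port, host=None):
    """Send a minimal HTTP/1.1 GET with or without a Host header; return (status, body)."""
    req = "GET / HTTP/1.1\r\n" + (f"Host: {host}\r\n" if host else "") + "Connection: close\r\n\r\n"
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(req.encode())
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    head, _, body = data.partition(b"\r\n\r\n")
    return int(head.split()[1]), body
```

After `server = start_server()`, compare `raw_get(server.server_address[1], "example3.com")` with `raw_get(server.server_address[1])`: the first returns the example3.com page, the second (the equivalent of surfing to the bare IP) returns 404.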
How to find vhosts on a server
Since there is no way to simply ask a server "hey, list me all your vhosts", you have to rely on different sources like search engines, databases, internet archives, PGP servers and so on.
My favorite tool for this is theHarvester from laramies.
You can get it here: https://github.com/laramies/theHarvester
I do not want to go too deep into the details of theHarvester since it is documented pretty well, but it does a good job in finding vhosts on a server:
So that's it. If you need to create a bigger attack surface on a server, you now know how :)
For questions, just ask.