{"id":26550,"date":"2026-06-10T09:04:00","date_gmt":"2026-06-10T07:04:00","guid":{"rendered":"https:\/\/cirosec.de\/?p=26550"},"modified":"2026-06-10T11:53:40","modified_gmt":"2026-06-10T09:53:40","slug":"fuzzing-vhosts-with-snitch","status":"publish","type":"post","link":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/","title":{"rendered":"Fuzzing vhosts with SNI(tch)"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"26550\" class=\"elementor elementor-26550\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-7e746ecc elementor-section-full_width elementor-section-content-middle elementor-section-height-default elementor-section-height-default\" data-id=\"7e746ecc\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5ac708b6\" data-id=\"5ac708b6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-63f37bad elementor-widget elementor-widget-template\" data-id=\"63f37bad\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<header data-elementor-type=\"header\" data-elementor-id=\"6422\" class=\"elementor elementor-6422 elementor-941 elementor-941\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3c20b09 elementor-section-full_width elementor-section-content-middle elementor-section-height-default elementor-section-height-default\" 
elementor-element-225a62e9 elementor-widget elementor-widget-post-info\" data-id=\"225a62e9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-inline-items elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575 elementor-inline-item\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">Pentesting<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5f1994cc elementor-widget elementor-widget-heading\" data-id=\"5f1994cc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">Fuzzing vhosts with SNI(tch)<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-22327e94 elementor-widget elementor-widget-spacer\" data-id=\"22327e94\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3981fa8e elementor-widget elementor-widget-text-editor\" data-id=\"3981fa8e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>June 10, 2026<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-6bdb1cc5 elementor-hidden-mobile_extra elementor-hidden-mobile\" data-id=\"6bdb1cc5\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-17f4544 elementor-widget elementor-widget-spacer\" data-id=\"17f4544\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-62e1eeb9 elementor-reverse-mobile elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"62e1eeb9\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-5275f88a\" data-id=\"5275f88a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4f54775b elementor-widget elementor-widget-menu-anchor\" data-id=\"4f54775b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section1\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7a97c891 elementor-widget elementor-widget-heading\" data-id=\"7a97c891\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Fuzzing Host Headers is Outdated: Fuzzing the SNI Field with SNItch<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-23fa5626 elementor-widget elementor-widget-text-editor\" data-id=\"23fa5626\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>TL;DR<\/h2><p>Traditional host header enumeration is a well-known technique for discovering additional web services hosted on a domain. But it operates entirely at the HTTP layer, after the TLS handshake has already completed. SNItch takes a different approach than established vhost and subdomain enumeration tools by fuzzing the Server Name Indication (SNI) field during TLS handshakes, catching services that reject unknown hostnames before the HTTP layer is even reached. 
It combines several techniques:<\/p><ul><li><strong>SNI vhost enumeration:<\/strong> Identifies potential web services by injecting candidate hostnames into the TLS ClientHello SNI extension.<\/li><li><strong>Built-in DNS logic:<\/strong> Structures FQDNs and collected certificates just like the DNS system to properly handle wildcard domains.<\/li><li><strong>Certificate-based reconnaissance:<\/strong> Extracts hostnames from CommonName and SubjectAltName (SAN) fields of observed certificates and feeds them back into the scan loop.<\/li><li><strong>Certificate transparency log-based subdomain gathering:<\/strong> Queries certificate transparency logs and PTR records to enrich discovery.<\/li><\/ul><p>From a defensive perspective, SNItch also serves as a hardening validation tool: if it fails to extract any hostnames from a server accessed by IP address alone, the server is properly configured against IP address-based reconnaissance.<\/p><p>Install SNItch and check out the SNItch source code on <a href=\"https:\/\/github.com\/cirosec\/SNItch\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>.<\/p><h2>Status quo: fuzzing host headers<\/h2><h3>How it works<\/h3><p>Typical vhost enumeration tools discover additional web services by iterating over candidate hostnames in the HTTP Host header. The core mechanism is straightforward: send an HTTP request with a candidate hostname and observe the response:<\/p><pre>GET \/ HTTP\/1.1<br \/>Host: %FQDN%<br \/>Accept: *\/*<\/pre><p>The server\u2019s virtual hosting configuration routes the request based on the value of the Host header. If the candidate resolves to a configured virtual host, the server returns a distinct response (different status code, body size or content). 
If not, it typically returns a default page or a generic error.<\/p><p>Several established tools operate in this space, but they serve different purposes:<\/p><p><a href=\"https:\/\/github.com\/ffuf\/ffuf\" target=\"_blank\" rel=\"noopener\"><strong>ffuf<\/strong><\/a> is a general-purpose web fuzzer written in Go. It can fuzz virtually any part of an HTTP request, including URL paths, query parameters, POST bodies and headers (including Host). It is not a specialized vhost or subdomain enumeration tool, but its flexibility makes it a common choice for host header fuzzing by placing the FUZZ keyword in the Host header: ffuf -u http:\/\/target -H \"Host: FUZZ.example.com\" -w wordlist.txt.<\/p><p><a href=\"https:\/\/github.com\/OJ\/gobuster\" target=\"_blank\" rel=\"noopener\"><strong>gobuster<\/strong><\/a> is a Go-based brute-forcing tool with a dedicated vhost mode specifically designed for virtual host enumeration. Unlike ffuf, gobuster\u2019s vhost mode is purpose-built: it takes a domain and a wordlist and iterates candidate subdomains against the target, comparing response characteristics to identify valid virtual hosts.<\/p><p>In practice, a penetration tester uses a wordlist with candidate hostnames and sends an HTTP request for each hostname to the server. 
Depending on the response, the tool decides whether the response is noteworthy (e.g., a valid virtual host with a distinct response) and displays that information:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-834f33c elementor-widget elementor-widget-image\" data-id=\"834f33c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/gobuster.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"gobuster\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjY1NjIsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNFwvZ29idXN0ZXIucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img decoding=\"async\" width=\"640\" height=\"249\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-26562 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/gobuster-768x299.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/gobuster-768x299.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/gobuster-300x117.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/gobuster.png 910w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 1: Screenshot of gobuster with some example domains from cirosec<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-24ccaadb\" data-id=\"24ccaadb\" data-element_type=\"column\" 
data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9368534 elementor-position-top elementor-widget elementor-widget-image-box\" data-id=\"9368534\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><figure class=\"elementor-image-box-img\"><a href=\"https:\/\/cirosec.de\/en\/news\/author\/felix-friedberger\/\" tabindex=\"-1\"><img decoding=\"async\" width=\"640\" height=\"640\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-full size-full wp-image-24607 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2025\/11\/Felix-Friedberger_Teams_PB.jpg\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2025\/11\/Felix-Friedberger_Teams_PB.jpg 640w, https:\/\/cirosec.de\/wp-content\/uploads\/2025\/11\/Felix-Friedberger_Teams_PB-300x300.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2025\/11\/Felix-Friedberger_Teams_PB-150x150.jpg 150w\"><\/a><\/figure><div class=\"elementor-image-box-content\"><div class=\"elementor-image-box-title\"><a href=\"https:\/\/cirosec.de\/en\/news\/author\/felix-friedberger\/\">Felix Friedberger<\/a><\/div><p class=\"elementor-image-box-description\">Consultant<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7580ee6 elementor-widget elementor-widget-heading\" data-id=\"7580ee6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title 
elementor-size-default\">Category<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-28a3bdc9 elementor-widget elementor-widget-post-info\" data-id=\"28a3bdc9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">Pentesting<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7fbafd1 elementor-widget elementor-widget-heading\" data-id=\"7fbafd1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Date<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2f04f812 elementor-widget elementor-widget-post-info\" data-id=\"2f04f812\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575\" itemprop=\"datePublished\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item 
elementor-post-info__item--type-date\">\n\t\t\t\t\t\t\t\t\t\t<time>2026-06-10<\/time>\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-22eeee55 elementor-widget elementor-widget-heading\" data-id=\"22eeee55\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Navigation<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-41d7802 elementor-widget elementor-widget-table-of-contents\" data-id=\"41d7802\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;headings_by_tags&quot;:[&quot;h2&quot;,&quot;h3&quot;,&quot;h4&quot;],&quot;exclude_headings_by_selector&quot;:[],&quot;marker_view&quot;:&quot;bullets&quot;,&quot;icon&quot;:{&quot;value&quot;:&quot;fas fa-chevron-right&quot;,&quot;library&quot;:&quot;fa-solid&quot;},&quot;no_headings_message&quot;:&quot;No headings were found on this page.&quot;,&quot;hierarchical_view&quot;:&quot;yes&quot;,&quot;min_height&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]}}\" data-widget_type=\"table-of-contents.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div id=\"elementor-toc__41d7802\" class=\"elementor-toc__body\">\n\t\t\t<div 
class=\"elementor-toc__spinner-container\">\n\t\t\t\t<i class=\"elementor-toc__spinner eicon-animation-spin eicon-loading\" aria-hidden=\"true\"><\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1c30184b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"1c30184b\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-4bf1b6b6\" data-id=\"4bf1b6b6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3d91874 elementor-widget elementor-widget-menu-anchor\" data-id=\"3d91874\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"info-event\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-780e2563 elementor-widget elementor-widget-menu-anchor\" data-id=\"780e2563\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section2\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-769f92 elementor-widget elementor-widget-text-editor\" data-id=\"769f92\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>The blind spot<\/h3><p>This approach works well for HTTP, and it mostly works for HTTPS as well, but it has a fundamental blind spot. All of these tools operate at the HTTP layer, <em>after<\/em> the TLS handshake has already completed. They have no visibility into what happens during connection establishment.<\/p><p>Some servers are specifically configured to reject unknown or unset hostnames by terminating the TLS connection at a very early stage, before an HTTP request is ever processed:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-70fcedcc elementor-widget elementor-widget-menu-anchor\" data-id=\"70fcedcc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section3\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-218243da elementor-widget elementor-widget-image\" data-id=\"218243da\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/connection_reset.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"connection_reset\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjY1NjAsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNFwvY29ubmVjdGlvbl9yZXNldC5wbmcifQ%3D%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"125\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-26560 lazyload\" alt=\"\" 
sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/connection_reset-768x150.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/connection_reset-768x150.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/connection_reset-300x59.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/connection_reset.png 960w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 2: Screenshot of connection reset due to an unset hostname<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5c0e8ba elementor-widget elementor-widget-text-editor\" data-id=\"5c0e8ba\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>In such cases curl will show a connection reset or TLS error depending on the server\u2019s connection abort method. The connection reset occurs because the server inspects the SNI field in the client\u2019s TLS ClientHello message, which does not exist, if you try to access the service by its IP address instead of by its DNS hostname.<\/p><h3>Connection pooling and domain fronting<\/h3><p>There is a second, more subtle problem. Tools like ffuf and gobuster use HTTP connection pooling for performance reasons: they establish a TLS connection once and then reuse it for many subsequent HTTP requests. This is standard behavior (HTTP keep-alive, HTTP\/2 multiplexing) and can also speed up enumerations.<\/p><p>However, the SNI value is set once during the TLS handshake and remains fixed for the lifetime of that connection. When the tool iterates over candidate hostnames, it changes the Host header on each request, but the SNI field remains unchanged (typically still set to the original target domain). 
The result is a mismatch: the TLS layer identifies the connection as target.example.com (via SNI), while the HTTP layer claims to be requesting candidate.example.com (via Host header).<\/p><p>Successfully abusing this mismatch is known as <strong>domain fronting<\/strong>. Domain fronting was <a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_fronting\" target=\"_blank\" rel=\"noopener\">originally used<\/a> as a censorship circumvention technique: a client would set the SNI to a permissible domain (e.g., allowed.cdn.com) to pass TLS inspection, then send an HTTP Host header for the actual blocked destination. Major CDN providers like Google and Amazon have since <a href=\"https:\/\/aws.amazon.com\/blogs\/security\/enhanced-domain-protections-for-amazon-cloudfront-requests\/\" target=\"_blank\" rel=\"noopener\">mitigated domain fronting<\/a> on their infrastructure.<\/p><p>For vhost enumeration, this matters because servers that enforce SNI-Host consistency will reject or misroute requests where the two values diverge. A reverse proxy configured to verify that the HTTP Host header matches the SNI from the handshake will return errors or default responses for every candidate, regardless of whether the hostname is actually valid. The tool sees uniform responses and concludes nothing was found, when in reality the server simply refused to serve content over a domain-fronted connection.<\/p><p>Beyond connection pooling, existing tools simply do not support fuzzing the SNI field at all. From ffuf\u2019s own <a href=\"https:\/\/github.com\/ffuf\/ffuf\/blob\/master\/README.md\" target=\"_blank\" rel=\"noopener\">README<\/a>:<\/p><pre>-sni\u00a0\u00a0\u00a0 Target TLS SNI, does not support FUZZ keyword<\/pre><p>ffuf explicitly acknowledges the SNI field but does not allow fuzzing it. gobuster\u2019s vhost mode operates purely at the HTTP layer <a href=\"https:\/\/github.com\/OJ\/gobuster\/issues\/398\" target=\"_blank\" rel=\"noopener\">(related GitHub issue)<\/a>. 
Neither tool can discover services that are hardened at the TLS level.<\/p><p>SNItch avoids these problems entirely by (painfully) establishing a new TLS connection for each candidate hostname, setting the SNI field to match the hostname, effectively bypassing the connection pooling issues.<\/p><h2>SNI on the TLS layer<\/h2><h3>What exactly is SNI?<\/h3><p>SNI is an extension to TLS defined in <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc6066\" target=\"_blank\" rel=\"noopener\">RFC 6066<\/a>. It allows the client to indicate which hostname it is trying to reach in the initial ClientHello message, before the TLS handshake completes. This enables a single IP address and port to serve multiple TLS-protected websites, each with its own certificate.<\/p><p>Without SNI, a server receiving a TLS connection on a shared IP address would have no way to know which certificate to present until after the encrypted channel was established (at which point the HTTP Host header would reveal the target). 
SNI solves this by transmitting the hostname in cleartext during the handshake.<\/p><p>By intercepting the TLS handshake in Wireshark, the SNI field may reveal the hostname, in this case cirosec.de:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-53761e42 elementor-widget elementor-widget-image\" data-id=\"53761e42\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/tls_client_hello_sni.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"tls_client_hello_sni\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjY1NjQsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNFwvdGxzX2NsaWVudF9oZWxsb19zbmkucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"289\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-26564 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/tls_client_hello_sni-768x347.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/tls_client_hello_sni-768x347.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/tls_client_hello_sni-300x135.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/tls_client_hello_sni-1024x462.png 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/tls_client_hello_sni-1536x693.png 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/tls_client_hello_sni.png 1564w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 3: Wireshark screenshot of TLS SNI 
header<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3a4e7b9 elementor-widget elementor-widget-text-editor\" data-id=\"3a4e7b9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>Testing SNI manually<\/h3><p>Before reaching for specialized tools, it is useful to understand how to probe SNI behavior with standard command-line utilities.<\/p><p>The openssl s_client command lets you set the SNI field explicitly with -servername:<\/p><pre># Connect without sending any SNI extension<br \/>openssl s_client -connect X.X.X.X:443 -noservername<br \/><br \/># Test with a different hostname to see if the server response changes<br \/>openssl s_client -connect X.X.X.X:443 -servername other.example.com<\/pre><p>Comparing the TLS certificates returned (or whether the connection is accepted at all) reveals how the server handles SNI routing.<\/p><p>Similarly, curl sets the SNI field automatically based on the URL hostname. To decouple the SNI and Host values from the actual IP address you connect to, use --resolve:<\/p><pre># Force resolution: connect to a specific IP address but send SNI for candidate.example.com<br \/>curl -v --resolve candidate.example.com:443:X.X.X.X https:\/\/candidate.example.com\/<\/pre><p>This is essentially manual vhost enumeration at the TLS and HTTP layers, which is exactly what SNItch automates at scale.<\/p><h2>SNItch<\/h2><h3>Fuzzing the TLS handshake<\/h3><p>SNItch addresses this gap by operating directly at the TLS layer. 
It uses the <a href=\"https:\/\/github.com\/refraction-networking\/utls\" target=\"_blank\" rel=\"noopener\">uTLS<\/a> library to craft custom TLS ClientHello messages with full control over the SNI extension.<\/p><p>In the background, a tree of DNS labels is constructed. It keeps track of wildcard domains, of test results (used later to filter out false positives) and of domains that have already been scanned.<\/p><p>SNItch\u2019s scan loop is iterative. Each scan epoch is as follows:<\/p><ol><li>Probe all unscanned hostnames via SNI and HTTP.<ul><li>Check for new potential branches or leaves in the DNS label tree and test them.<\/li><\/ul><\/li><li>Look up PTR records.<\/li><li>Discover new hostnames:<ul><li>Extract from certificate CN\/SAN fields.<\/li><li>Query crt.sh and PTR records (optional).<\/li><li>Extract from response headers (optional).<\/li><\/ul><\/li><li>Add all new hostnames to the DNS label tree for the next epoch.<\/li><\/ol><p>This feedback loop means a single initial target can expand into a comprehensive map of related services, without relying solely on wordlists.<\/p><h3>Hostname validation across IP address ranges<\/h3><p>The real power of SNItch emerges when scanning multiple IP addresses that belong together, for example an entire ASN (Autonomous System Number) of a company or a cloud provider\u2019s IP address range allocated to a single product. SNItch validates every discovered hostname against every target IP address. If one server in the range leaks a hostname through a certificate or a fallback response, SNItch will probe that hostname against all other IP addresses in the scan. 
This means that a single misconfigured server can reveal hostnames that are then confirmed on otherwise hardened machines across the same range.<\/p><h2>Getting started with SNItch<\/h2><h3>Installation<\/h3><p>SNItch is written in Go and builds as a single static binary:<\/p><pre>git clone https:\/\/github.com\/cirosec\/SNItch.git<br \/>cd SNItch<br \/>go build -o SNItch .<\/pre><h3>Basic usage<\/h3><p>The simplest invocation takes a domain name. SNItch resolves its DNS records automatically and scans port 443:<\/p><pre>SNItch example.com<\/pre><p>This single command already triggers the full iterative discovery loop: SNItch connects to the resolved IP addresses, extracts hostnames from returned certificates, queries crt.sh for additional subdomains, performs PTR lookups and feeds everything back into the scan queue for subsequent epochs. Note that the crt.sh lookup is a query to an external service; if that is undesirable, see --no-recon below.<\/p><p>To scan specific IP addresses or CIDR ranges against a set of known hostnames, use the -t (<strong>t<\/strong>arget) and -d (<strong>d<\/strong>omains\/hosts) flags:<\/p><pre># Scan a \/24 range with two candidate hostnames<br \/>SNItch -t 10.11.10.0\/24:443 -d api.example.com,mail.example.com<\/pre><p>For larger engagements, load targets and hostnames from files:<\/p><pre>SNItch --target-list targets.txt --host-list hostnames.txt<\/pre><h3>Controlling the discovery loop<\/h3><p>By default, SNItch runs two scan epochs (-e 2), meaning it performs one initial scan and then one follow-up round with any newly discovered hostnames. 
For a deep crawl of a large range, increase the epoch count:<\/p><pre>SNItch -t 10.0.0.0\/24:443 -d example.com -e 5<\/pre><p>Conversely, to skip all automated reconnaissance (crt.sh, PTR, certificate extraction) and only test the hostnames you supply, use --no-recon:<\/p><pre>SNItch -t 10.0.0.1:443 -d admin.example.com,staging.example.com --no-recon<\/pre><p>This is useful when you already have a target list and want a fast, focused scan without any external queries.<\/p><h3>Filtering and scoping<\/h3><p>In practice, certificate SANs and CT (certificate transparency) logs often return hostnames outside the scope of an engagement. SNItch provides two mechanisms to keep the scan narrow:<\/p><ul><li><strong>-i<\/strong><strong> (ignore)<\/strong>: Exclude specific FQDNs or wildcard patterns from scanning. For example, -i cdn.example.com prevents SNItch from probing CDN endpoints that would clutter results. Ignoring example.com will cause SNItch to also ignore all subdomains of example.com.<\/li><li><strong>-r<\/strong><strong> (require)<\/strong>: Only scan hostnames matching a regex. For instance, -r \".*\\.example\\.com$\" restricts the scan to subdomains of example.com, even if certificates or CT logs reveal hostnames on unrelated domains.<\/li><\/ul><p>The following example restricts the scan to example.com and its subdomains, while excluding the subdomain cdn.example.com:<\/p><pre>SNItch -t 10.0.0.0\/24:443 -d example.com -i cdn.example.com -r \".*\\.example\\.com$\"<\/pre><h3>Tuning for the environment<\/h3><p>For rate-limited or sensitive environments, concurrency and timeouts can be adjusted:<\/p><pre># Reduce to 10 threads, increase timeout to 30 seconds<br \/>SNItch -t 10.0.0.0\/24:443 -d example.com -p 10 --timeout 30<\/pre><p>Some targets behind Cloudflare or similar CDNs will temporarily block IP addresses when a source repeatedly sends the IP address as SNI value (which violates RFC 6066). 
Disable this probe type with --no-ip-sni:<\/p><pre>SNItch example.com --no-ip-sni<\/pre><h3>Hardening validation<\/h3><p>To use SNItch as a defensive tool, you can scan your own infrastructure by IP addresses alone, without supplying any hostnames or enabling reconnaissance:<\/p><pre>SNItch -t 203.0.113.42:443 --no-recon<\/pre><p>If SNItch fails to extract any hostnames, certificates or meaningful HTTP responses, the target is properly hardened against IP address-based reconnaissance on the scanned port. Any discovered hostname indicates information leakage.<\/p><h2>Defending against SNItch<\/h2><h3>Server hardening<\/h3><p>A common reconnaissance approach for attackers is to scan IP address ranges and access servers directly by IP address, without supplying any hostname. If the server responds with a certificate or default page, the attacker learns the hostnames from the certificate\u2019s CommonName or SubjectAltName fields and can potentially use them to map out the infrastructure.<\/p><p>A well-configured server should reveal nothing in this scenario. Specifically:<\/p><ul><li><strong>No SNI, no handshake<\/strong>: The server should reject TLS connections that omit the SNI extension or provide an unknown hostname, without returning a certificate.<\/li><li><strong>No fallback certificate<\/strong>: A default or wildcard certificate served to unknown SNI values leaks domain information to anyone probing the IP address or random hostnames.<\/li><li><strong>Port 80 hardened<\/strong>: Hardening HTTPS on port 443 is not sufficient. The HTTP port (80) must also be configured to reject or redirect requests with unknown or missing Host headers (a redirect must not point at the canonical hostname, since that would reveal exactly what the hardening is meant to hide). A server that strictly validates SNI on 443 but serves a default page on port 80 still leaks its hostname to anyone who connects over plaintext HTTP.<\/li><\/ul><p>It is worth noting that this type of hardening is a defence against mass scans and automated web crawlers that enumerate IP address ranges without prior knowledge of hostnames. 
A determined attacker who resolves all known forward DNS entries pointing to the server\u2019s IP address will still discover its hostnames. The goal is to avoid volunteering that information to unauthenticated, opportunistic probes. Furthermore, as described above, SNItch can circumvent per-server hardening by scanning correlated IP address ranges: if any single server in the range leaks a hostname, SNItch will test it against all other targets, potentially confirming services on otherwise hardened machines.<\/p><p>When SNItch is run against a properly hardened target and fails to extract any hostnames, certificates or meaningful HTTP responses, that is a positive result. It confirms that an attacker who only knows the IP address has no foothold to begin hostname enumeration. Conversely, if SNItch discovers hostnames from a cold start on an IP address alone, it exposes exactly the information leakage that the server configuration should prevent.<\/p><p>An unhardened HTTPS server in censys clearly shows at least the supported domain and certificate:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-22d7df6e elementor-widget elementor-widget-image\" data-id=\"22d7df6e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/censys_screenshot_nonhardened.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"censys_screenshot_nonhardened\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjY1NTgsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNFwvY2Vuc3lzX3NjcmVlbnNob3Rfbm9uaGFyZGVuZWQucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"398\" 
src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-26558 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/censys_screenshot_nonhardened-768x477.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/censys_screenshot_nonhardened-768x477.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/censys_screenshot_nonhardened-300x186.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/censys_screenshot_nonhardened-1024x636.png 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/censys_screenshot_nonhardened.png 1061w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 4: The (former) setup of the cirosec.de website as an example of an unhardened host.<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2684a641 elementor-widget elementor-widget-text-editor\" data-id=\"2684a641\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>A properly hardened server, by contrast, will simply reject the connection or serve an HTTP \u201cBad Request\u201d response:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-60cc47d4 elementor-widget elementor-widget-image\" data-id=\"60cc47d4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/censys_screenshot_hardened.png\" data-elementor-open-lightbox=\"yes\" 
data-elementor-lightbox-title=\"censys_screenshot_hardened\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjY1NTYsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNFwvY2Vuc3lzX3NjcmVlbnNob3RfaGFyZGVuZWQucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"539\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-26556 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/censys_screenshot_hardened-768x647.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/censys_screenshot_hardened-768x647.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/censys_screenshot_hardened-300x253.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/04\/censys_screenshot_hardened.png 993w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 5: Censys.io screenshot from a hardened host<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-427432d8 elementor-widget elementor-widget-text-editor\" data-id=\"427432d8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>Logging and detection<\/h3><p>From a defensive perspective, SNI-based enumeration is harder to detect than HTTP-level vhost fuzzing:<\/p><ul><li><strong>No HTTP logs<\/strong>: If the server rejects the TLS handshake (unknown SNI), no HTTP request is generated. 
In some cases, this is recorded in the error log of the web server.<\/li><li><strong>TLS-level logging required<\/strong>: Detection requires TLS handshake logging, which is not enabled by default on most web servers.<\/li><li><strong>Volume-based detection<\/strong>: A burst of TLS handshakes from a single source with rapidly changing SNI values is anomalous and detectable through connection metadata, even without inspecting the SNI content.<\/li><\/ul><p>So, if your monitoring stack only looks at HTTP logs, SNI-based enumeration is nearly invisible to you.<\/p><h3>Recommended configurations (nginx, Caddy)<\/h3><p>The following minimal configurations for the nginx and Caddy webservers demonstrate proper SNI hardening. Both follow the same principle: serve the real site only for the exact matching hostname, and for everything else (unknown SNI, direct IP access), use a self-signed certificate and immediately terminate the connection.<\/p><p><strong>nginx:<\/strong><\/p><pre># Real site: only served for the exact hostname<br \/>server {<br \/>\u00a0\u00a0\u00a0 listen 443 ssl;<br \/>\u00a0\u00a0\u00a0 server_name example.com;<br \/><br \/>\u00a0\u00a0\u00a0 ssl_certificate\u00a0\u00a0\u00a0\u00a0 \/etc\/nginx\/certs\/fullchain.pem;<br \/>\u00a0\u00a0\u00a0 ssl_certificate_key \/etc\/nginx\/certs\/privkey.pem;<br \/><br \/>\u00a0\u00a0\u00a0 root \/usr\/share\/nginx\/html;<br \/>\u00a0\u00a0\u00a0 index index.html;<br \/>}<br \/><br \/># [...] Other real sites<br \/><br \/># Catch-all: reject unknown SNI with a self-signed cert. 
Always the final block<br \/>server {<br \/>\u00a0\u00a0\u00a0 listen 443 ssl default_server;<br \/>\u00a0\u00a0\u00a0 server_name _;<br \/><br \/>\u00a0\u00a0\u00a0 ssl_certificate\u00a0\u00a0\u00a0\u00a0 \/etc\/nginx\/self-signed\/selfsigned.crt;<br \/>\u00a0\u00a0\u00a0 ssl_certificate_key \/etc\/nginx\/self-signed\/selfsigned.key;<br \/><br \/>\u00a0\u00a0\u00a0 return 444;<br \/>}<\/pre><p>The default_server block catches all requests where the SNI is missing or does not match any configured server_name. The return 444 directive is nginx-specific: it closes the TCP connection without sending any HTTP response.<\/p><p><strong>Caddy:<\/strong><\/p><pre># Real site: only served for the exact hostname<br \/>example.com:443 {<br \/>\u00a0\u00a0\u00a0 tls \/etc\/caddy\/certs\/fullchain.pem \/etc\/caddy\/certs\/privkey.pem<br \/>\u00a0\u00a0\u00a0 root * \/srv<br \/>\u00a0\u00a0\u00a0 file_server<br \/>}<br \/><br \/># Catch-all: reject everything else<br \/>:443 {<br \/>\u00a0\u00a0\u00a0 tls \/etc\/caddy\/self-signed\/selfsigned.crt \/etc\/caddy\/self-signed\/selfsigned.key<br \/>\u00a0\u00a0\u00a0 abort<br \/>}<\/pre><p>Caddy\u2019s abort directive immediately closes the connection. The catch-all :443 block without a hostname matches any request that does not match a more specific site block.<\/p><p>Note that in both configurations, the TLS handshake with the self-signed certificate still completes before the connection is terminated. Standard web servers cannot reject the connection before presenting <em>some<\/em> certificate, since SNI is evaluated during the handshake. Newer nginx releases (1.19.4 and later) are an exception: with ssl_reject_handshake on in the catch-all block, the handshake is aborted with a TLS alert and no certificate at all is presented. The critical point is that the self-signed certificate does not contain any real domain names, so an attacker learns nothing from it.<\/p><h2>Summary and conclusion<\/h2><p>Host header fuzzing remains useful, but it is incomplete. Tools like ffuf and gobuster operate exclusively at the HTTP layer and cannot discover services that gate access at the TLS handshake via SNI validation. 
Their reliance on connection pooling further compounds the problem, producing domain-fronted requests that SNI-enforcing servers will reject. SNItch fills this gap by fuzzing the SNI extension directly, establishing a fresh TLS handshake per candidate and combining TLS-level probing with certificate analysis and DNS reconnaissance in an iterative discovery loop.<\/p><p>On the defensive side, SNItch doubles as a hardening validation tool. Running it against your own infrastructure, starting from IP addresses alone, reveals exactly the information an opportunistic scanner would obtain: leaked certificates, fallback pages and unprotected plaintext endpoints. A clean SNItch run, one that extracts no hostnames, confirms that the server is properly configured against IP address-based reconnaissance.<\/p><p>Defenders should also be aware that SNI-based enumeration leaves minimal traces in HTTP access logs when the handshake is rejected. Detecting it requires TLS-level logging or connection-metadata analysis, capabilities that most monitoring stacks do not enable by default.<\/p><p>Check out the SNItch source code on <a href=\"https:\/\/github.com\/cirosec\/SNItch\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>.<\/p><h2>References<\/h2><ul><li><a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc6066\" target=\"_blank\" rel=\"noopener\">RFC 6066 &#8211; TLS Extensions: SNI<\/a><\/li><li><a href=\"https:\/\/www.ietf.org\/archive\/id\/draft-nygren-tls-ip-in-sni-00.html\" target=\"_blank\" rel=\"noopener\">IETF Draft &#8211; IP Addresses in TLS SNI<\/a><\/li><li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_fronting\" target=\"_blank\" rel=\"noopener\">Wikipedia &#8211; Domain Fronting<\/a><\/li><li><a href=\"https:\/\/aws.amazon.com\/blogs\/security\/enhanced-domain-protections-for-amazon-cloudfront-requests\/\" target=\"_blank\" rel=\"noopener\">AWS &#8211; Enhanced Domain Protections for CloudFront<\/a><\/li><li><a 
href=\"https:\/\/www.thehacker.recipes\/web\/recon\/virtual-host-fuzzing\" target=\"_blank\" rel=\"noopener\">The Hacker Recipes &#8211; Virtual Host Fuzzing<\/a><\/li><li><a href=\"https:\/\/github.com\/openssl\/openssl\/issues\/8083\" target=\"_blank\" rel=\"noopener\">OpenSSL Issue #8083 &#8211; Non-compliant SNI hostname<\/a><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-3926730\" data-id=\"3926730\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-40e20410 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"40e20410\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-698ead04\" data-id=\"698ead04\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-53bf21d1 elementor-widget__width-initial elementor-widget elementor-widget-heading\" data-id=\"53bf21d1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Further blog articles<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column 
https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-ymx8g15pxD4-unsplash-scaled.jpg 1707w\"><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Reverse Engineering<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks-hooks\/\" >\n\t\t\t\tWindows Instrumen\u00adtation Callbacks \u2013 Part 2\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>November 12, 2025 &#8211; In this blog post you will learn how to do patchless hooking using ICs without registering or executing any user mode exception handlers.<br \/>\n<br \/> <br \/>\nAuthor: Lino Facco<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks-hooks\/\" aria-label=\"Read more about Windows Instrumen\u00adtation Callbacks \u2013 Part 2\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-24165 post type-post status-publish format-standard has-post-thumbnail hentry category-reverse-engineering category-windows tag-redteaming tag-windows\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium size-medium wp-image-18579 lazyload\" alt=\"\" sizes=\"(max-width: 300px) 100vw, 300px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-300x169.jpg\" 
data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-300x169.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-1024x576.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-768x432.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-1536x864.jpg 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-2048x1152.jpg 2048w\"><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Reverse Engineering<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/\" >\n\t\t\t\tWindows Instrumen\u00adtation Callbacks &#8211; Part 1\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>November 5, 2025 &#8211; This multi-part blog series will be discussing an undocumented feature of Windows: instrumentation callbacks (ICs).<br \/>\n<br \/>\nAuthor: Lino Facco<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/\" aria-label=\"Read more about Windows Instrumen\u00adtation Callbacks &#8211; Part 1\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<\/div>\n\t\t\t\t\t<span class=\"e-load-more-spinner\">\n\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-spinner\"><\/i>\t\t\t<\/span>\n\t\t\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t<div class=\"elementor-element elementor-element-344f41c5 e-con-full e-flex e-con e-parent\" data-id=\"344f41c5\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6bb6ea0f elementor-widget 
elementor-widget-template\" data-id=\"6bb6ea0f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<div data-elementor-type=\"section\" data-elementor-id=\"6023\" class=\"elementor elementor-6023 elementor-2968 elementor-2968\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3920b242 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3920b242\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-61cde52c\" data-id=\"61cde52c\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7eba007 elementor-widget elementor-widget-spacer\" data-id=\"7eba007\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7346d88 elementor-widget elementor-widget-heading\" data-id=\"7346d88\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div 
class=\"elementor-heading-title elementor-size-default\">Do you want to protect your systems? Feel free to get in touch with us.<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1b0432b elementor-widget elementor-widget-spacer\" data-id=\"1b0432b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-5cdf3c58 elementor-section-content-middle elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5cdf3c58\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-40c99187\" data-id=\"40c99187\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4a1d7b6a elementor-align-right elementor-widget elementor-widget-button\" data-id=\"4a1d7b6a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/inquiry\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Send 
Enquiry<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-3b9d9ea6\" data-id=\"3b9d9ea6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7e7c4d9b elementor-widget elementor-widget-button\" data-id=\"7e7c4d9b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/contact-us\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Contact Details<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5c7c3ca2 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5c7c3ca2\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-47f35196\" data-id=\"47f35196\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div 
class=\"elementor-element elementor-element-58fb7246 elementor-widget elementor-widget-template\" data-id=\"58fb7246\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<footer data-elementor-type=\"footer\" data-elementor-id=\"6025\" class=\"elementor elementor-6025 elementor-945 elementor-945\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1e44cc2 elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"1e44cc2\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e9b41ce\" data-id=\"e9b41ce\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-51c0c74 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"51c0c74\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-8ac5cc6\" data-id=\"8ac5cc6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-af371ae elementor-widget elementor-widget-theme-site-logo elementor-widget-image\" data-id=\"af371ae\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"theme-site-logo.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/en\/\">\n\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"626\" height=\"188\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-full size-full wp-image-5868 lazyload\" alt=\"\" sizes=\"(max-width: 626px) 100vw, 626px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png 626w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent-300x90.png 300w\">\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-85f2a11 elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"85f2a11\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Competent IT security consulting, pentests, incident response and training<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5731ee0 elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"5731ee0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>cirosec GmbH<br \/>Ferdinand-Braun-Stra\u00dfe 4<br \/>74074 Heilbronn, Germany<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-c7c447f\" data-id=\"c7c447f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div 
class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4826023 elementor-widget elementor-widget-heading\" data-id=\"4826023\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Quicklinks<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f26d479 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"f26d479\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-f26d479\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9132\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9133\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-item\">Services<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9134\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-item\">Trainings<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9139\"><a href=\"https:\/\/cirosec.de\/en\/secure-email-communication-with-cirosec\/\" 
class=\"elementor-item\">Secure Email Communication with cirosec<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-f26d479\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9132\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\" tabindex=\"-1\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9133\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-item\" tabindex=\"-1\">Services<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9134\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-item\" tabindex=\"-1\">Trainings<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9139\"><a href=\"https:\/\/cirosec.de\/en\/secure-email-communication-with-cirosec\/\" class=\"elementor-item\" tabindex=\"-1\">Secure Email Communication with cirosec<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-29e8304\" data-id=\"29e8304\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-14232af elementor-widget elementor-widget-heading\" data-id=\"14232af\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Social Media<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c23ea92 elementor-nav-menu__align-start 
elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"c23ea92\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-c23ea92\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-13039\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/cirosecgmbh\" class=\"elementor-item\">Instagram<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9136\"><a target=\"_blank\" href=\"https:\/\/www.xing.com\/pages\/cirosecgmbh\" class=\"elementor-item\">Xing<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9137\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cirosec-gmbh\/\" class=\"elementor-item\">LinkedIn<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9138\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/cirosec\" class=\"elementor-item\">X (Twitter)<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-21563\"><a href=\"https:\/\/infosec.exchange\/@cirosec\" class=\"elementor-item\">Mastodon<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-c23ea92\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-custom menu-item-object-custom 
menu-item-13039\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/cirosecgmbh\" class=\"elementor-item\" tabindex=\"-1\">Instagram<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9136\"><a target=\"_blank\" href=\"https:\/\/www.xing.com\/pages\/cirosecgmbh\" class=\"elementor-item\" tabindex=\"-1\">Xing<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9137\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cirosec-gmbh\/\" class=\"elementor-item\" tabindex=\"-1\">LinkedIn<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9138\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/cirosec\" class=\"elementor-item\" tabindex=\"-1\">X (Twitter)<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-21563\"><a href=\"https:\/\/infosec.exchange\/@cirosec\" class=\"elementor-item\" tabindex=\"-1\">Mastodon<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-871a164\" data-id=\"871a164\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a46aa52 elementor-widget elementor-widget-heading\" data-id=\"a46aa52\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Legal<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-50e6031 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"50e6031\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-50e6031\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9146\"><a href=\"https:\/\/cirosec.de\/en\/imprint\/\" class=\"elementor-item\">Imprint<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9147\"><a href=\"https:\/\/cirosec.de\/en\/privacy-policy\/\" class=\"elementor-item\">Privacy Policy<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9148\"><a href=\"https:\/\/cirosec.de\/en\/cirosec-responsible-disclosure-policy\/\" class=\"elementor-item\">cirosec Responsible Disclosure Policy<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-50e6031\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9146\"><a href=\"https:\/\/cirosec.de\/en\/imprint\/\" class=\"elementor-item\" tabindex=\"-1\">Imprint<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9147\"><a href=\"https:\/\/cirosec.de\/en\/privacy-policy\/\" class=\"elementor-item\" tabindex=\"-1\">Privacy Policy<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9148\"><a href=\"https:\/\/cirosec.de\/en\/cirosec-responsible-disclosure-policy\/\" 
class=\"elementor-item\" tabindex=\"-1\">cirosec Responsible Disclosure Policy<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/footer>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>June 10, 2026 &#8211; Host header fuzzing stops at the HTTP layer and can&#8217;t find services hardened at the TLS handshake via SNI validation. SNItch fills that gap by fuzzing the SNI field directly &#8211; and doubles as a tool to verify your own servers don&#8217;t leak hostnames to IP-based reconnaissance.<br \/>\n<br \/>\nAuthor: Felix Friedberger <\/p>\n","protected":false},"author":59,"featured_media":18530,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"elementor_canvas","format":"standard","meta":{"footnotes":""},"categories":[75],"tags":[76],"class_list":["post-26550","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pentesting","tag-pentesting"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Fuzzing vhosts with SNI(tch) - cirosec<\/title>\n<meta name=\"description\" content=\"Discover hidden virtual hosts by fuzzing the TLS SNI field with SNItch, catching SNI-validating services that ffuf and gobuster miss at the HTTP layer.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Fuzzing vhosts with 
SNI(tch) - cirosec\" \/>\n<meta property=\"og:description\" content=\"Discover hidden virtual hosts by fuzzing the TLS SNI field with SNItch, catching SNI-validating services that ffuf and gobuster miss at the HTTP layer.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/\" \/>\n<meta property=\"og:site_name\" content=\"cirosec\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-10T07:04:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-10T09:53:40+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/luca-bravo-XJXWbfSo2f0-unsplash-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1707\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Felix Friedberger\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Felix Friedberger\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"25 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/fuzzing-vhosts-with-snitch\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/fuzzing-vhosts-with-snitch\\\/\"},\"author\":{\"name\":\"Felix Friedberger\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/person\\\/e8db3dfd4faa224420de7ac49aa5e975\"},\"headline\":\"Fuzzing vhosts with SNI(tch)\",\"datePublished\":\"2026-06-10T07:04:00+00:00\",\"dateModified\":\"2026-06-10T09:53:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/fuzzing-vhosts-with-snitch\\\/\"},\"wordCount\":2844,\"publisher\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/fuzzing-vhosts-with-snitch\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/luca-bravo-XJXWbfSo2f0-unsplash-scaled.jpg\",\"keywords\":[\"pentesting\"],\"articleSection\":[\"Pentesting\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/fuzzing-vhosts-with-snitch\\\/\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/fuzzing-vhosts-with-snitch\\\/\",\"name\":\"Fuzzing vhosts with SNI(tch) - 
cirosec\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/fuzzing-vhosts-with-snitch\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/fuzzing-vhosts-with-snitch\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/luca-bravo-XJXWbfSo2f0-unsplash-scaled.jpg\",\"datePublished\":\"2026-06-10T07:04:00+00:00\",\"dateModified\":\"2026-06-10T09:53:40+00:00\",\"description\":\"Discover hidden virtual hosts by fuzzing the TLS SNI field with SNItch, catching SNI-validating services that ffuf and gobuster miss at the HTTP layer.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/fuzzing-vhosts-with-snitch\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/fuzzing-vhosts-with-snitch\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/fuzzing-vhosts-with-snitch\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/luca-bravo-XJXWbfSo2f0-unsplash-scaled.jpg\",\"contentUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/luca-bravo-XJXWbfSo2f0-unsplash-scaled.jpg\",\"width\":2560,\"height\":1707},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/fuzzing-vhosts-with-snitch\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/cirosec.de\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Fuzzing vhosts with 
SNI(tch)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/\",\"name\":\"cirosec\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cirosec.de\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\",\"name\":\"cirosec\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo_Cirosec_rgb_53x16mm-transparent.png\",\"contentUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo_Cirosec_rgb_53x16mm-transparent.png\",\"width\":626,\"height\":188,\"caption\":\"cirosec\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/person\\\/e8db3dfd4faa224420de7ac49aa5e975\",\"name\":\"Felix Friedberger\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/author\\\/felix-friedberger\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Fuzzing vhosts with SNI(tch) - cirosec","description":"Discover hidden virtual hosts by fuzzing the TLS SNI field with SNItch, catching SNI-validating services that ffuf and gobuster miss at the HTTP layer.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/","og_locale":"en_US","og_type":"article","og_title":"Fuzzing vhosts with SNI(tch) - cirosec","og_description":"Discover hidden virtual hosts by fuzzing the TLS SNI field with SNItch, catching SNI-validating services that ffuf and gobuster miss at the HTTP layer.","og_url":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/","og_site_name":"cirosec","article_published_time":"2026-06-10T07:04:00+00:00","article_modified_time":"2026-06-10T09:53:40+00:00","og_image":[{"width":2560,"height":1707,"url":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/luca-bravo-XJXWbfSo2f0-unsplash-scaled.jpg","type":"image\/jpeg"}],"author":"Felix Friedberger","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Felix Friedberger","Est. 
reading time":"25 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/#article","isPartOf":{"@id":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/"},"author":{"name":"Felix Friedberger","@id":"https:\/\/cirosec.de\/en\/#\/schema\/person\/e8db3dfd4faa224420de7ac49aa5e975"},"headline":"Fuzzing vhosts with SNI(tch)","datePublished":"2026-06-10T07:04:00+00:00","dateModified":"2026-06-10T09:53:40+00:00","mainEntityOfPage":{"@id":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/"},"wordCount":2844,"publisher":{"@id":"https:\/\/cirosec.de\/en\/#organization"},"image":{"@id":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/#primaryimage"},"thumbnailUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/luca-bravo-XJXWbfSo2f0-unsplash-scaled.jpg","keywords":["pentesting"],"articleSection":["Pentesting"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/","url":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/","name":"Fuzzing vhosts with SNI(tch) - cirosec","isPartOf":{"@id":"https:\/\/cirosec.de\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/#primaryimage"},"image":{"@id":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/#primaryimage"},"thumbnailUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/luca-bravo-XJXWbfSo2f0-unsplash-scaled.jpg","datePublished":"2026-06-10T07:04:00+00:00","dateModified":"2026-06-10T09:53:40+00:00","description":"Discover hidden virtual hosts by fuzzing the TLS SNI field with SNItch, catching SNI-validating services that ffuf and gobuster miss at the HTTP 
layer.","breadcrumb":{"@id":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/#primaryimage","url":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/luca-bravo-XJXWbfSo2f0-unsplash-scaled.jpg","contentUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/luca-bravo-XJXWbfSo2f0-unsplash-scaled.jpg","width":2560,"height":1707},{"@type":"BreadcrumbList","@id":"https:\/\/cirosec.de\/en\/news\/fuzzing-vhosts-with-snitch\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/cirosec.de\/"},{"@type":"ListItem","position":2,"name":"Fuzzing vhosts with SNI(tch)"}]},{"@type":"WebSite","@id":"https:\/\/cirosec.de\/en\/#website","url":"https:\/\/cirosec.de\/en\/","name":"cirosec","description":"","publisher":{"@id":"https:\/\/cirosec.de\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cirosec.de\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cirosec.de\/en\/#organization","name":"cirosec","url":"https:\/\/cirosec.de\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cirosec.de\/en\/#\/schema\/logo\/image\/","url":"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png","contentUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png","width":626,"height":188,"caption":"cirosec"},"image":{"@id":"https:\/\/cirosec.de\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/cirosec.de\/en\/#\/schema\/person\/e8db3dfd
4faa224420de7ac49aa5e975","name":"Felix Friedberger","url":"https:\/\/cirosec.de\/en\/news\/author\/felix-friedberger\/"}]}},"_links":{"self":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/26550","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/users\/59"}],"replies":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/comments?post=26550"}],"version-history":[{"count":28,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/26550\/revisions"}],"predecessor-version":[{"id":27408,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/26550\/revisions\/27408"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/media\/18530"}],"wp:attachment":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/media?parent=26550"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/categories?post=26550"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/tags?post=26550"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}