Nmap NSE net: http-vhosts

Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames. Each HEAD request provides a different 'Host' header. The hostnames come from a built-in default list. Shows the names that return a document. Also shows the location of redirections. The domain can be given as the 'http-vhosts.domain' argument or deduced from the target's name. For example when scanning www.example.com, various names of the form <name>.example.com are tried. SYNTAX: http.pipeline: If set, it represents the number of HTTP requests that'll be pipelined (ie, sent in a single request). This can be set low to make debugging easier, or it can be set high to test how a server reacts (its chosen max is ignored). http-max-cache-size: The maximum memory size (in bytes) of the cache.