This is a great post on techniques for performing virtual host and DNS enumeration during the reconnaissance phase of a penetration test.
Here's the summary:
- DNS enumeration
- Banner grabbing
- SSL/TLS enumeration
- HTTP Protocol enumeration
- Active/Passive Web enumeration
Check out this site from Lonerunners.
It mentions Hostmap too.