Subdomains, directories and Vhost listing

gobuster is good for VHOST enumeration especially HTTPS, ffuf overall faster and better. For ffuf vhost use ip address

Complete subdomain Enumeration Guide

Home 🏠Subdomain Enumeration Guide

Automation 🤖Subdomain Enumeration Guide

paid

TryHackMe | Cyber Security TrainingTryHackMe

TryHackMe | Cyber Security TrainingTryHackMe

TryHackMe | Cyber Security TrainingTryHackMe

Online Services

1. Netcraft

What's that site running?What's that site running? | Netcraft

Go to the network section and click the domain to get the subdomains.

Subdomain Findersecgron

Free subdomain finder online 🛡️ find subdomains of domainPentest-Tools.com

Welcome!

Subdomains Listing tools Kali

GitHub - tomnomnom/assetfinder: Find domains and subdomains related to a given domainGitHub

assetfinder [--subs-only] <domain>
(Only if you want to list tesla subdomain. Otherwise it finds related subdomains as well)

GitHub - owasp-amass/amass: In-depth Attack Surface Mapping and Asset DiscoveryGitHub

amass enum -d tesla.com

Automated Enumeration Scripts

Dirbusting

FFUF

ffuf -u http://MACHINE_IP/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt

--recursive for recursive search

-Fc - (filter codes)

-Mc - (match code)

for i in {0..255}; do echo $i; done | ffuf -u 'http://10.10.217.116/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33

-replay-proxy http://127.0.0.1:8080 (to send results to burp)

VHOST Enumeration

ffuf -u https://futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST:FUZZ.futurevera.thm"

ffuf -w ~/wordlists/subdomains.txt -H "Host: FUZZ.ffuf.me" -u http://ffuf.me

Gobuster

gobuster dir -u http://<ip>:3333 -w <word list location>

EXAMPLES
       gobuster dir -u https://mysite.com/path/to/folder -c 'session=123456' -t 50 -w common-files.txt -x .php,.html

       gobuster dns -d mysite.com -t 50 -w common-names.txt

       gobuster s3 -w bucket-names.txt

       gobuster gcs -w bucket-names.txt

       gobuster vhost -u https://mysite.com -w common-vhosts.txt

       gobuster fuzz -u https://example.com?FUZZ=test -w parameter-names.txt

       gobuster tftp -s tftp.example.com B-w common-filenames.txt

vhost

gobuster vhost -u https://futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -k --append-domain 

--append-domain adds domain to the end

-k ignore cert errors

-x extensions

Useful Global Flags

There are some useful Global flags that can be used as well. I've included them in the table below. You can review these in the main documentation as well - here.

I will typically change the number of threads to 64 to increase the speed of my scans. If you don't change the number of threads, Gobuster can be a little slow.

Using "dns" Mode

To use "dns" mode, you start by typing gobuster dns. Just like "dir" mode, this isn't the full command, but just the start. This tells Gobuster that you want to perform a sub-domain brute-force, instead of one of one of the other methods as previously mentioned. It has to be written like this or else Gobuster will complain. After that, you will need to add the domain and wordlist using the -d and -w options, respectively. Like so:

gobuster dns -d mydomain.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

This tells Gobuster to do a sub-domain scan on the domain "mydomain.thm". If there are any sub-domains available, Gobuster will find them and report them to you in the terminal.