Subdomains, directories and Vhost listing

gobuster is good for VHOST enumeration especially HTTPS, ffuf overall faster and better. For ffuf vhost use ip address

Complete subdomain Enumeration Guide

Home 🏠 | Subdomain Enumeration Guidesidxparab.gitbook.io

paid

Web EnumerationTryHackMe

Subdomain EnumerationTryHackMe

ToolsRusTryHackMe

Online Services

1. Netcraft

What's that site running?What's that site running? | Netcraft

Go to the network section and click the domain to get the subdomains.

Subdomain Findersecgron

Free subdomain finder online 🛡️ find subdomains of domainPentest-Tools.com

SecurityTrails | SecurityTrails: Data Security, Threat Hunting, and Attack Surface Management Solutions for Security Teamssecuritytrails

Welcome!suip.biz

Subdomains Listing tools Kali

GitHub - tomnomnom/assetfinder: Find domains and subdomains related to a given domainGitHub

assetfinder [--subs-only] <domain>
(Only if you want to list tesla subdomain. Otherwise it finds related subdomains as well)

amass enum -d tesla.com

Automated Enumeration Scripts

GitHub - Gr1mmie/sumrecon: Web recon script. No need to fear, sumrecon is here!GitHub

Dirbusting

FFUF

ffuf -u http://MACHINE_IP/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt

--recursive for recursive search

-Fc - (filter codes)

-Mc - (match code)

for i in {0..255}; do echo $i; done | ffuf -u 'http://10.10.217.116/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33

-replay-proxy http://127.0.0.1:8080 (to send results to burp)

VHOST Enumeration

ffuf -u https://futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST:FUZZ.futurevera.thm"

ffuf -w ~/wordlists/subdomains.txt -H "Host: FUZZ.ffuf.me" -u http://ffuf.me

Gobuster

gobuster dir -u http://<ip>:3333 -w <word list location>

EXAMPLES
       gobuster dir -u https://mysite.com/path/to/folder -c 'session=123456' -t 50 -w common-files.txt -x .php,.html

       gobuster dns -d mysite.com -t 50 -w common-names.txt

       gobuster s3 -w bucket-names.txt

       gobuster gcs -w bucket-names.txt

       gobuster vhost -u https://mysite.com -w common-vhosts.txt

       gobuster fuzz -u https://example.com?FUZZ=test -w parameter-names.txt

       gobuster tftp -s tftp.example.com B-w common-filenames.txt

vhost

gobuster vhost -u https://futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -k --append-domain

--append-domain adds domain to the end

-k ignore cert errors

-x extensions

Useful Global Flags

There are some useful Global flags that can be used as well. I've included them in the table below. You can review these in the main documentation as well - here.

Flag

Long Flag

Description

-t

--threads

Number of concurrent threads (default 10)

-v

--verbose

Verbose output

-z

--no-progress

Don't display progress

-q

--quiet

Don't print the banner and other noise

-o

--output

Output file to write results to

-x

--extensions

File extension(s) to search for

-H

--headers

Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'

-k

--no-tls-validation

Skip TLS certificate verification

-n

--no-status

Don't print status codes

-P

--password

Password for Basic Auth

-s

--status-codes

Positive status codes

-b

--status-codes-blacklist

Negative status codes

-U

--username

Username for Basic Auth

-p<x>

Proxy to use

-c <http cookies>

Specify a cookie for simulating your auth

-w

Path to your wordlist

-u

The target URL

-e

Print the full URLs in your console

I will typically change the number of threads to 64 to increase the speed of my scans. If you don't change the number of threads, Gobuster can be a little slow.

Using "dns" Mode

To use "dns" mode, you start by typing gobuster dns. Just like "dir" mode, this isn't the full command, but just the start. This tells Gobuster that you want to perform a sub-domain brute-force, instead of one of one of the other methods as previously mentioned. It has to be written like this or else Gobuster will complain. After that, you will need to add the domain and wordlist using the -d and -w options, respectively. Like so:

gobuster dns -d mydomain.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

This tells Gobuster to do a sub-domain scan on the domain "mydomain.thm". If there are any sub-domains available, Gobuster will find them and report them to you in the terminal.

Flag

Long Flag

Description

-c

--show-cname

Show CNAME Records (cannot be used with '-i' option)

-i

--show-ips

Show IP Addresses

-r

--resolver

Use custom DNS server (format server.com or server.com:port)

PreviousWeb Pentesting NextCommand Injection

Last updated 1 year ago

hashtagComplete subdomain Enumeration Guide

hashtagpaid

hashtagOnline Services

hashtag1. Netcraft

hashtagSubdomains Listing tools Kali

hashtagAutomated Enumeration Scripts

hashtagDirbusting

hashtagFFUF

hashtagVHOST Enumeration

hashtagGobuster

hashtagvhost

hashtagUseful Global Flags

hashtagUsing "dns" Mode