Subdomains, directories and Vhost listing

gobuster is good for VHOST enumeration especially HTTPS, ffuf overall faster and better. For ffuf vhost use ip address

Complete subdomain Enumeration Guide

Online Services

1. Netcraft

Go to the network section and click the domain to get the subdomains.

FFUF

ffuf -u http://MACHINE_IP/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt

--recursive for recursive search

-Fc - (filter codes)

-Mc - (match code)

for i in {0..255}; do echo $i; done | ffuf -u 'http://10.10.217.116/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33

-replay-proxy http://127.0.0.1:8080 (to send results to burp)

VHOST Enumeration

ffuf -u https://futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST:FUZZ.futurevera.thm"

ffuf -w ~/wordlists/subdomains.txt -H "Host: FUZZ.ffuf.me" -u http://ffuf.me

Gobuster

gobuster dir -u http://<ip>:3333 -w <word list location>
EXAMPLES
       gobuster dir -u https://mysite.com/path/to/folder -c 'session=123456' -t 50 -w common-files.txt -x .php,.html

       gobuster dns -d mysite.com -t 50 -w common-names.txt

       gobuster s3 -w bucket-names.txt

       gobuster gcs -w bucket-names.txt

       gobuster vhost -u https://mysite.com -w common-vhosts.txt

       gobuster fuzz -u https://example.com?FUZZ=test -w parameter-names.txt

       gobuster tftp -s tftp.example.com B-w common-filenames.txt

vhost

gobuster vhost -u https://futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -k --append-domain

--append-domain adds domain to the end

-k ignore cert errors

-x extensions

Useful Global Flags

There are some useful Global flags that can be used as well. I've included them in the table below. You can review these in the main documentation as well - here.

FlagLong FlagDescription

-t

--threads

Number of concurrent threads (default 10)

-v

--verbose

Verbose output

-z

--no-progress

Don't display progress

-q

--quiet

Don't print the banner and other noise

-o

--output

Output file to write results to

-x

--extensions

File extension(s) to search for

-H

--headers

Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'

-k

--no-tls-validation

Skip TLS certificate verification

-n

--no-status

Don't print status codes

-P

--password

Password for Basic Auth

-s

--status-codes

Positive status codes

-b

--status-codes-blacklist

Negative status codes

-U

--username

Username for Basic Auth

-p<x>

Proxy to use

-c <http cookies>

Specify a cookie for simulating your auth

-w

Path to your wordlist

-u

The target URL

-e

Print the full URLs in your console

I will typically change the number of threads to 64 to increase the speed of my scans. If you don't change the number of threads, Gobuster can be a little slow.

Using "dns" Mode

To use "dns" mode, you start by typing gobuster dns. Just like "dir" mode, this isn't the full command, but just the start. This tells Gobuster that you want to perform a sub-domain brute-force, instead of one of one of the other methods as previously mentioned. It has to be written like this or else Gobuster will complain. After that, you will need to add the domain and wordlist using the -d and -w options, respectively. Like so:

gobuster dns -d mydomain.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

This tells Gobuster to do a sub-domain scan on the domain "mydomain.thm". If there are any sub-domains available, Gobuster will find them and report them to you in the terminal.

FlagLong FlagDescription

-c

--show-cname

Show CNAME Records (cannot be used with '-i' option)

-i

--show-ips

Show IP Addresses

-r

--resolver

Use custom DNS server (format server.com or server.com:port)

PreviousWeb PentestingNextSQL Injection

Last updated