# Subdomains, directories and Vhost listing

gobuster is good for VHOST enumeration, especially over HTTPS; ffuf is faster overall and generally the better choice. For ffuf vhost fuzzing, point `-u` at the IP address rather than the hostname.

## Complete subdomain Enumeration Guide

{% embed url="https://sidxparab.gitbook.io/subdomain-enumeration-guide/" %}

{% embed url="https://sidxparab.gitbook.io/subdomain-enumeration-guide/automation" %}
Subdomain enumeration complete guide
{% endembed %}

### Paid

{% embed url="https://tryhackme.com/room/webenumerationv2" %}

{% embed url="https://tryhackme.com/room/subdomainenumeration" %}

{% embed url="https://tryhackme.com/room/toolsrus" %}

## Online Services

### Netcraft

{% embed url="https://sitereport.netcraft.com/" %}

Go to the Network section and click the domain to get its subdomains.

### Other subdomain lookup services

{% embed url="https://osint.sh/subdomain/" %}

{% embed url="https://pentest-tools.com/information-gathering/find-subdomains-of-domain" %}

{% embed url="https://securitytrails.com/" %}

{% embed url="https://suip.biz/" %}

## Subdomains Listing tools Kali

{% embed url="https://github.com/tomnomnom/assetfinder" %}

```shell
# --subs-only restricts the output to subdomains of <domain>;
# without it, assetfinder also returns related domains it discovers
assetfinder [--subs-only] <domain>
```

{% embed url="https://github.com/owasp-amass/amass" %}
Amass
{% endembed %}

```shell
amass enum -d tesla.com
```

{% embed url="https://github.com/tomnomnom/httprobe" %}
Checks which of the hosts found by the tools above actually answer over HTTP/HTTPS; feed it their output.
{% endembed %}

{% embed url="https://github.com/sensepost/gowitness" %}
Takes screenshots of web pages from the command line.
{% endembed %}

### Automated Enumeration Scripts

{% embed url="https://pastebin.com/MhE6zXVt" %}

{% embed url="https://github.com/thatonetester/sumrecon" %}

## Dirbusting

### FFUF

```shell
ffuf -u http://MACHINE_IP/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt
```

Useful flags:

| Flag | Description |
| ---- | ----------- |
| `-recursion` | recursive search |
| `-fc` | filter out responses with these status codes |
| `-mc` | match only responses with these status codes |
| `-fw` | filter out responses with this word count (drops the baseline page the server returns for every uninteresting input) |
| `-replay-proxy http://127.0.0.1:8080` | replay matched requests through a proxy (to send results to Burp) |

Fuzzing a numeric parameter with values generated on the fly (`-w -` reads the wordlist from stdin):

```shell
# every value 0..255 is tried; -fw 33 hides the 33-word baseline response
for i in {0..255}; do echo $i; done | ffuf -u 'http://10.10.217.116/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
```
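Why `-fw 33` works in the loop above: the server answers every uninteresting value with the same page, so the most common (status, word count) pair is noise and anything else deserves a look. The following is an added example, not ffuf's code or anything from the original page; it applies the same `-fc` / `-mc` / `-fw` selection offline to a results file saved with ffuf's `-of json -o results.json`. The sample document is constructed and copies only the fields used from ffuf's JSON output (`results[].input.FUZZ`, `status`, `length`, `words`, `lines`, `url`).

```python
"""Offline equivalent of ffuf's -fc / -mc / -fw filtering over a saved JSON results file.
Added example; the sample data below is constructed, not a real scan."""
import json
from collections import Counter


def _rec(value, status, length, words):
    """Build one constructed result record in the shape ffuf writes with -of json."""
    return {"input": {"FUZZ": value}, "position": int(value), "status": status,
            "length": length, "words": words, "lines": 21,
            "url": f"http://10.10.217.116/sqli-labs/Less-1/?id={value}"}


# Four ids return the same 33-word page (the baseline); two responses differ.
SAMPLE_FFUF_JSON = json.dumps({
    "commandline": "ffuf -u http://10.10.217.116/sqli-labs/Less-1/?id=FUZZ -w - -of json -o results.json",
    "results": [
        _rec("0", 200, 721, 33),
        _rec("1", 200, 742, 37),   # different content than the baseline
        _rec("2", 200, 721, 33),
        _rec("3", 200, 721, 33),
        _rec("4", 200, 721, 33),
        _rec("5", 500, 612, 29),   # server error: also worth a look
    ],
})


def load_results(raw):
    """Parse an ffuf JSON document and return its results list."""
    return json.loads(raw)["results"]


def baseline_signature(results, key="words"):
    """Most common (status, <key>) pair: the response given for every uninteresting input.
    ffuf's -ac estimates the same thing by sending a few calibration requests up front."""
    counts = Counter((r["status"], r[key]) for r in results)
    return counts.most_common(1)[0][0]


def filter_results(results, filter_codes=(), match_codes=None, filter_words=()):
    """Mirror -fc (drop these status codes), -mc (keep only these codes) and
    -fw (drop these word counts). match_codes=None means 'match every code'."""
    kept = []
    for r in results:
        if r["status"] in filter_codes:
            continue
        if match_codes is not None and r["status"] not in match_codes:
            continue
        if r["words"] in filter_words:
            continue
        kept.append(r)
    return kept


def outlier_inputs(raw):
    """Inputs whose response differs from the baseline, i.e. what `-fw <baseline>` shows."""
    results = load_results(raw)
    _status, words = baseline_signature(results)
    return [r["input"]["FUZZ"] for r in filter_results(results, filter_words=(words,))]


if __name__ == "__main__":
    print("baseline (status, words):", baseline_signature(load_results(SAMPLE_FFUF_JSON)))
    print("inputs worth a look:", outlier_inputs(SAMPLE_FFUF_JSON))
```

Run it against a real file with `outlier_inputs(open("results.json").read())`; switching `baseline_signature` to `key="length"` gives the equivalent of `-fs` when the page varies in wording but not in size.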

#### VHOST Enumeration

```shell
ffuf -u https://futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST:FUZZ.futurevera.thm"
```

```shell
ffuf -w ~/wordlists/subdomains.txt -H "Host: FUZZ.ffuf.me" -u http://ffuf.me
```

### Gobuster

```
gobuster dir -u http://<ip>:3333 -w <word list location>
```

```shell
# Examples
gobuster dir -u https://mysite.com/path/to/folder -c 'session=123456' -t 50 -w common-files.txt -x .php,.html
gobuster dns -d mysite.com -t 50 -w common-names.txt
gobuster s3 -w bucket-names.txt
gobuster gcs -w bucket-names.txt
gobuster vhost -u https://mysite.com -w common-vhosts.txt
gobuster fuzz -u https://example.com?FUZZ=test -w parameter-names.txt
gobuster tftp -s tftp.example.com -w common-filenames.txt
```

#### vhost

```shell
gobuster vhost -u https://futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -k --append-domain
```

- `--append-domain` appends the base domain to each wordlist entry
- `-k` ignores certificate errors
- `-x` file extensions to try (dir mode)

## Useful Global Flags

There are some useful Global flags that can be used as well. I've included them in the table below. You can review these in the main documentation as well - [here](https://github.com/OJ/gobuster).

| Flag | Long Flag | Description |
| ---- | --------- | ----------- |
| -t | --threads | Number of concurrent threads (default 10) |
| -v | --verbose | Verbose output |
| -z | --no-progress | Don't display progress |
| -q | --quiet | Don't print the banner and other noise |
| -o | --output | Output file to write results to |
| -x | --extensions | File extension(s) to search for |
| -H | --headers | Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2' |
| <mark style="color:red;">-k</mark> | <mark style="color:red;">--no-tls-validation</mark> | <mark style="color:red;">Skip TLS certificate verification</mark> |
| -n | --no-status | Don't print status codes |
| -P | --password | Password for Basic Auth |
| -s | --status-codes | Positive status codes |
| -b | --status-codes-blacklist | Negative status codes |
| -U | --username | Username for Basic Auth |
| -p `<proxy>` | --proxy | Proxy to use |
| -c `<http cookies>` | --cookies | Specify a cookie for simulating your auth |
| -w | --wordlist | Path to your wordlist |
| -u | --url | The target URL |
| -e | --expanded | Print the full URLs in your console |

I will typically change the number of threads to 64 to increase the speed of my scans. If you don't change the number of threads, Gobuster can be a little slow.

### Using "dns" Mode

To use "dns" mode, you start by typing `gobuster dns`. Just like "dir" mode, this isn't the full command, but just the start. This tells Gobuster that you want to perform a sub-domain brute-force instead of one of the other methods mentioned above. It has to be written like this or else Gobuster will complain. After that, you will need to add the domain and wordlist using the -d and -w options, respectively. Like so:

```
gobuster dns -d mydomain.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
```

This tells Gobuster to do a sub-domain scan on the domain "mydomain.thm". If there are any sub-domains available, Gobuster will find them and report them to you in the terminal.

| Flag | Long Flag    | Description                                                  |
| ---- | ------------ | ------------------------------------------------------------ |
| -c   | --show-cname | Show CNAME Records (cannot be used with '-i' option)         |
| -i   | --show-ips   | Show IP Addresses                                            |
| -r   | --resolver   | Use custom DNS server (format server.com or server.com:port) |
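What `gobuster dns` does under the hood, including the wildcard check it performs first: if a random label under the domain resolves, the zone has a wildcard record and every wordlist entry would otherwise look like a hit (gobuster stops with a wildcard warning in that case unless `--wildcard` is given). The code below is an added example, not gobuster's code or anything from the original page. `resolve` is an injected lookup function: `socket_resolver` is the real one for live use, while `fake_resolver` and the `example.test` zone are constructed so the logic can run offline.

```python
"""Wildcard-aware subdomain brute force, the logic behind `gobuster dns -d <domain> -w <wordlist>`.
Added example; `fake_resolver` and FAKE_ZONE are constructed test data."""
import secrets
import socket


def socket_resolver(name):
    """Resolve with the system resolver; [] when the name does not exist."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def wildcard_ips(domain, resolve):
    """Resolve a random label; if it answers, the zone has a wildcard record."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    return frozenset(resolve(probe))


def brute_force(domain, words, resolve=socket_resolver):
    """Return {fqdn: ips} for wordlist entries that resolve, dropping wildcard-only answers."""
    wildcard = wildcard_ips(domain, resolve)
    found = {}
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):   # skip blanks and comments in the wordlist
            continue
        fqdn = f"{word}.{domain}"
        ips = resolve(fqdn)
        if not ips:
            continue
        # A name whose answers are exactly the wildcard answers tells us nothing.
        if wildcard and set(ips) <= wildcard:
            continue
        found[fqdn] = ips
    return found


# Constructed fake zone for offline use: *.example.test is a wildcard pointing at .99
FAKE_ZONE = {
    "www.example.test": ["203.0.113.10"],
    "mail.example.test": ["203.0.113.20", "203.0.113.21"],
    "dev.example.test": ["203.0.113.99"],   # identical to the wildcard answer: not a real finding
}
FAKE_WILDCARD = ["203.0.113.99"]


def fake_resolver(name):
    """Stand-in for socket_resolver: any label under example.test hits the wildcard."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.test"):
        return FAKE_WILDCARD
    return []


if __name__ == "__main__":
    wordlist = ["www", "mail", "dev", "ftp", "# comment", ""]
    for fqdn, ips in brute_force("example.test", wordlist, resolve=fake_resolver).items():
        print(fqdn, ", ".join(ips))
```

For a live run, pass the words from a SecLists file (`brute_force("mydomain.thm", open(path))`) and leave `resolve` at its default; the `-r` option in the table above has no stdlib equivalent here, since `socket.getaddrinfo` always uses the system resolver.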

