Subdomains, directories and Vhost listing

PreviousWeb Pentesting NextCommand Injection

Last updated 9 months ago

Subdomains, directories and Vhost listing

gobuster is good for VHOST enumeration especially HTTPS, ffuf overall faster and better. For ffuf vhost use ip address

Complete subdomain Enumeration Guide

paid

Online Services

1. Netcraft

Go to the network section and click the domain to get the subdomains.

Subdomains Listing tools Kali

assetfinder [--subs-only] <domain>
(Only if you want to list tesla subdomain. Otherwise it finds related subdomains as well)

amass enum -d tesla.com

Automated Enumeration Scripts

Dirbusting

FFUF

ffuf -u http://MACHINE_IP/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt

--recursive for recursive search

-Fc - (filter codes)

-Mc - (match code)

for i in {0..255}; do echo $i; done | ffuf -u 'http://10.10.217.116/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33

VHOST Enumeration

ffuf -u https://futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST:FUZZ.futurevera.thm"

ffuf -w ~/wordlists/subdomains.txt -H "Host: FUZZ.ffuf.me" -u http://ffuf.me

Gobuster

gobuster dir -u http://<ip>:3333 -w <word list location>

EXAMPLES
       gobuster dir -u https://mysite.com/path/to/folder -c 'session=123456' -t 50 -w common-files.txt -x .php,.html

       gobuster dns -d mysite.com -t 50 -w common-names.txt

       gobuster s3 -w bucket-names.txt

       gobuster gcs -w bucket-names.txt

       gobuster vhost -u https://mysite.com -w common-vhosts.txt

       gobuster fuzz -u https://example.com?FUZZ=test -w parameter-names.txt

       gobuster tftp -s tftp.example.com B-w common-filenames.txt

vhost

gobuster vhost -u https://futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -k --append-domain

--append-domain adds domain to the end

-k ignore cert errors

-x extensions

Useful Global Flags

Flag

Long Flag

Description

-t

--threads

Number of concurrent threads (default 10)

-v

--verbose

Verbose output

-z

--no-progress

Don't display progress

-q

--quiet

Don't print the banner and other noise

-o

--output

Output file to write results to

-x

--extensions

File extension(s) to search for

-H

--headers

Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'

-k

--no-tls-validation

Skip TLS certificate verification

-n

--no-status

Don't print status codes

-P

--password

Password for Basic Auth

-s

--status-codes

Positive status codes

-b

--status-codes-blacklist

Negative status codes

-U

--username

Username for Basic Auth

-p<x>

Proxy to use

-c <http cookies>

Specify a cookie for simulating your auth

-w

Path to your wordlist

-u

The target URL

-e

Print the full URLs in your console

I will typically change the number of threads to 64 to increase the speed of my scans. If you don't change the number of threads, Gobuster can be a little slow.

Using "dns" Mode

To use "dns" mode, you start by typing gobuster dns. Just like "dir" mode, this isn't the full command, but just the start. This tells Gobuster that you want to perform a sub-domain brute-force, instead of one of one of the other methods as previously mentioned. It has to be written like this or else Gobuster will complain. After that, you will need to add the domain and wordlist using the -d and -w options, respectively. Like so:

gobuster dns -d mydomain.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

This tells Gobuster to do a sub-domain scan on the domain "mydomain.thm". If there are any sub-domains available, Gobuster will find them and report them to you in the terminal.

Flag

Long Flag

Description

-c

--show-cname

Show CNAME Records (cannot be used with '-i' option)

-i

--show-ips

Show IP Addresses

-r

--resolver

Use custom DNS server (format server.com or server.com:port)

PreviousWeb Pentesting NextCommand Injection

Last updated 9 months ago