Subdomains, directories and Vhost listing
Last updated
Last updated
gobuster is good for VHOST enumeration especially HTTPS, ffuf overall faster and better. For ffuf vhost use ip address
Go to the network section and click the domain to get the subdomains.
--recursive for recursive search
-Fc - (filter codes)
-Mc - (match code)
for i in {0..255}; do echo $i; done | ffuf -u 'http://10.10.217.116/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
-replay-proxy http://127.0.0.1:8080 (to send results to burp)
ffuf -w ~/wordlists/subdomains.txt -H "Host: FUZZ.ffuf.me" -u http://ffuf.me
--append-domain adds domain to the end
-k ignore cert errors
-x extensions
There are some useful Global flags that can be used as well. I've included them in the table below. You can review these in the main documentation as well - here.
I will typically change the number of threads to 64 to increase the speed of my scans. If you don't change the number of threads, Gobuster can be a little slow.
To use "dns" mode, you start by typing gobuster dns
. Just like "dir" mode, this isn't the full command, but just the start. This tells Gobuster that you want to perform a sub-domain brute-force, instead of one of one of the other methods as previously mentioned. It has to be written like this or else Gobuster will complain. After that, you will need to add the domain and wordlist using the -d and -w options, respectively. Like so:
This tells Gobuster to do a sub-domain scan on the domain "mydomain.thm". If there are any sub-domains available, Gobuster will find them and report them to you in the terminal.
Flag | Long Flag | Description |
---|---|---|
Flag | Long Flag | Description |
---|---|---|
-t
--threads
Number of concurrent threads (default 10)
-v
--verbose
Verbose output
-z
--no-progress
Don't display progress
-q
--quiet
Don't print the banner and other noise
-o
--output
Output file to write results to
-x
--extensions
File extension(s) to search for
-H
--headers
Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-k
--no-tls-validation
Skip TLS certificate verification
-n
--no-status
Don't print status codes
-P
--password
Password for Basic Auth
-s
--status-codes
Positive status codes
-b
--status-codes-blacklist
Negative status codes
-U
--username
Username for Basic Auth
-p<x>
Proxy to use
-c <http cookies>
Specify a cookie for simulating your auth
-w
Path to your wordlist
-u
The target URL
-e
Print the full URLs in your console
-c
--show-cname
Show CNAME Records (cannot be used with '-i' option)
-i
--show-ips
Show IP Addresses
-r
--resolver
Use custom DNS server (format server.com or server.com:port)