Subdomains, directories and Vhost listing

gobuster is good for VHOST enumeration, especially over HTTPS; ffuf is faster and better overall. For ffuf vhost enumeration, use the IP address.

Complete subdomain Enumeration Guide

Online Services

1. Netcraft

Go to the network section and click the domain to get the subdomains.


ffuf -u http://MACHINE_IP/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt

-recursion for recursive search

-fc (filter codes)

-mc (match code)

for i in {0..255}; do echo $i; done | ffuf -u '' -c -w - -fw 33

-replay-proxy (to send results to Burp)

VHOST Enumeration

ffuf -u https://futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST:FUZZ.futurevera.thm"

ffuf -w ~/wordlists/subdomains.txt -H "Host:" -u


gobuster dir -u http://<ip>:3333 -w <word list location>
gobuster dir -u -c 'session=123456' -t 50 -w common-files.txt -x .php,.html

gobuster dns -d -t 50 -w common-names.txt

gobuster s3 -w bucket-names.txt

gobuster gcs -w bucket-names.txt

gobuster vhost -u -w common-vhosts.txt

gobuster fuzz -u -w parameter-names.txt

gobuster tftp -s B-w common-filenames.txt


gobuster vhost -u https://futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -k --append-domain 

--append-domain adds domain to the end

-k ignore cert errors

-x extensions
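
Added example, not part of the original notes: seen from the server, the ffuf and gobuster vhost runs above are one client sending many different Host header values to the same address in a short time. This sketch flags that pattern in an access log; the log layout, the thresholds and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log layout (constructed): ip [time] "Host header" "request" status size
LINE_RE = re.compile(r'(\S+) \[([^\]]+)\] "([^"]*)" "[^"]*" \d{3} \d+')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def detect_vhost_enum(lines, known_hosts, window=timedelta(seconds=60), threshold=20):
    """Map client IP -> peak number of distinct unknown Host values in one window."""
    events = defaultdict(list)  # ip -> [(timestamp, host)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        ip, ts, host = m.group(1), m.group(2), m.group(3).lower().split(":")[0]
        if host not in known_hosts:  # requests for configured vhosts are normal
            events[ip].append((datetime.strptime(ts, TS_FORMAT), host))
    flagged = {}
    for ip, seen in events.items():
        seen.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, host in seen:
            in_window[host] += 1
            while ts - seen[start][0] > window:  # slide the window forward
                old = seen[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed sample: a Host-cycling client, a normal visitor, a slow client."""
    scan = [f'203.0.113.7 [10/Mar/2024:12:00:{i:02d} +0000] "cand{i}.futurevera.thm" '
            f'"GET / HTTP/1.1" 200 4605' for i in range(30)]
    visitor = [f'198.51.100.4 [10/Mar/2024:12:0{i}:00 +0000] "futurevera.thm" '
               f'"GET /page{i} HTTP/1.1" 200 5120' for i in range(5)]
    slow = [f'192.0.2.9 [10/Mar/2024:12:{i:02d}:00 +0000] "typo{i}.futurevera.thm" '
            f'"GET / HTTP/1.1" 200 4605' for i in range(3)]
    return scan + visitor + slow

if __name__ == "__main__":
    print(detect_vhost_enum(sample_log(), known_hosts={"futurevera.thm"}))
```

The default nginx and Apache combined log formats do not record the Host header, so it has to be added to the log format before a check like this can work.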

Useful Global Flags

There are some useful Global flags that can be used as well. I've included them in the table below. You can review these in the main documentation as well - here.

Flag    Long Flag    Description

Number of concurrent threads (default 10)

Verbose output

Don't display progress

Don't print the banner and other noise

Output file to write results to

File extension(s) to search for

Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'

Skip TLS certificate verification

Don't print status codes

Password for Basic Auth

Positive status codes

Negative status codes

Username for Basic Auth

Proxy to use

-c <http cookies>    Specify a cookie for simulating your auth

Path to your wordlist

The target URL

Print the full URLs in your console

I will typically change the number of threads to 64 to increase the speed of my scans. If you don't change the number of threads, Gobuster can be a little slow.

Using "dns" Mode

To use "dns" mode, you start by typing gobuster dns. Just like "dir" mode, this isn't the full command, but just the start. This tells Gobuster that you want to perform a sub-domain brute-force, instead of one of the other methods previously mentioned. It has to be written like this or else Gobuster will complain. After that, you will need to add the domain and wordlist using the -d and -w options, respectively. Like so:

gobuster dns -d mydomain.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

This tells Gobuster to do a sub-domain scan on the domain "mydomain.thm". If there are any sub-domains available, Gobuster will find them and report them to you in the terminal.

Flag    Long Flag    Description

Show CNAME Records (cannot be used with '-i' option)

Show IP Addresses

Use custom DNS server (format or
