diff --git a/src/content/notes/web/directory-discovery.md b/src/content/notes/web/directory-discovery.md new file mode 100644 index 0000000..0b1dfb1 --- /dev/null +++ b/src/content/notes/web/directory-discovery.md @@ -0,0 +1,38 @@ +--- +title: "Directory Discovery" +description: "Techniques and tools for discovering hidden directories and files on web servers." +tags: ["web", "enumeration", "discovery", "directory"] +publishDate: 2026-06-01 +--- + +## FFUF + +See also [FFUF](/notes/web/ffuf) for fuzzing-based directory discovery. + +## Robots.txt + +```bash +curl -s $url/robots.txt +``` + +## Sitemap.xml + +```bash +curl -s $url/sitemap.xml +``` + +## Dirb + +```bash +dirb $url +``` + +## Spider - Katana + +A spider is a tool that crawls a website and collects information about its +structure and content. It can be used to find hidden directories, files, and +parameters. + +```bash +katana -c 15 -p 15 -u $url > output +``` diff --git a/src/content/notes/web/ffuf.md b/src/content/notes/web/ffuf.md new file mode 100644 index 0000000..3e92b96 --- /dev/null +++ b/src/content/notes/web/ffuf.md @@ -0,0 +1,33 @@ +--- +title: "FFUF" +description: "Reference and usage examples for ffuf, a fast web fuzzer for directories, endpoints and subdomains." +tags: + ["web", "enumeration", "discovery", "subdomain", "directory", "bruteforce"] +publishDate: 2026-06-01 +--- + +**Fuff (or ffuf)** is a fast web fuzzer written in Go, mainly used in +cybersecurity to discover hidden directories, files, API endpoints, subdomains, +vhosts and more. Its speed and flexibility make it a must-have for pentesters +and bug bounty hunters. + +```bash +# Flags: +# -rate 50 -t 50 # Limit requests to 50 per second with 50 concurrent threads +# -X POST|GET|PUT # Set method +# -e .php,.asp,.bak,.db # Set the extension +# -recursion -recursion-depth 3 # Recursive fuzzing up to 3 levels deep +# -fc 404,500 # Exclude responses with status codes 404 and 500 + +# Examples: +ffuf -w wordlist.txt -u $url/FUZZ # Basic directory/file fuzzing using a wordlist +ffuf -w subdomains.txt -u https://FUZZ.$url # Subdomain fuzzing +ffuf -w vhosts.txt -u $url -H "Host: https://FUZZ.$url" # Virtual host fuzzing by modifying the Host header +ffuf -w wordlist.txt -u $url/page.php?FUZZ=value # GET parameter fuzzing in the query string +ffuf -w wordlist.txt -u $url/api -X POST -d 'FUZZ=value' # POST body parameter fuzzing +ffuf -w wordlist.txt -u $url/FUZZ -b 'session=abcdef' # Use a session cookie during fuzzing +ffuf -w headers.txt -u $url -H "X-Custom-Header: FUZZ" # HTTP header fuzzing +ffuf -w passwords.txt -X POST -u $url/login -d "username=admin&password=FUZZ" # Password brute-forcing for user "admin" +ffuf -w users.txt:USER -w passwords.txt:PASS -u "$url/login?username=USER&password=PASS" -mode pitchfork # Pitchfork mode: matches each line from both wordlists (USER[i], PASS[i]) +ffuf -w users.txt:USER -w passwords.txt:PASS -u "$url/login?username=USER&password=PASS" -mode clusterbomb # Clusterbomb mode: tests every user with every password combination +``` diff --git a/src/content/notes/web/subdomains-discovery.md b/src/content/notes/web/subdomains-discovery.md new file mode 100644 index 0000000..abf972e --- /dev/null +++ b/src/content/notes/web/subdomains-discovery.md @@ -0,0 +1,85 @@ +--- +title: "Subdomains Discovery" +description: "Methods and tools for enumerating subdomains of a target domain." +tags: ["web", "enumeration", "discovery", "subdomain"] +publishDate: 2026-06-01 +--- + +## FFUF + +See also [FFUF](/notes/web/ffuf) for fuzzing-based subdomain discovery. + +## Google Dorking + +Google dorks can surface subdomains indexed by Google without any active scanning. + +``` +site:*.$domain +site:*.$domain -www +site:*.$domain inurl:admin +site:*.$domain ext:php | ext:json | ext:xml +``` + +## Certificate Transparency + +CT logs record every TLS certificate ever issued for a domain. Querying them is +passive and reliable. + +```bash +curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq '.[].name_value' | sort -u +``` + +Tools that aggregate CT logs: + +- [crt.sh](https://crt.sh) +- [censys.io](https://search.censys.io) + +## Passive DNS + +Passive DNS databases store historical DNS resolutions collected from resolvers +worldwide; useful for finding subdomains that no longer resolve but once did. + +```bash +# Amass (passive mode, no active scanning) +amass enum -passive -d $domain + +# subfinder (uses many passive sources) +subfinder -d $domain -silent +``` + +## DMARC + +DMARC can reveal more domains associated with a target. + +Go to `dmarc.live/info/$domain`, it allows you to find domains using the +same DMARC record. + +## ASN & IP Ranges + +Finding the ASN of a target exposes its entire IP range, which may contain +undiscovered subdomains or related infrastructure. + +```bash +# Get ASN from an IP +whois $ip | grep -i "asn\|orgname\|origin" + +# Get IP ranges from ASN +whois -h whois.radb.net -- '-i origin AS12345' | grep route +``` + +## Favicon Hash + +A unique favicon can be fingerprinted to find other domains hosted by the same +organisation, including subdomains on non-standard ports. + +```bash +# Compute the MMH3 hash of the favicon +python3 -c " +import requests, mmh3, base64 +r = requests.get('https://$domain/favicon.ico') +h = mmh3.hash(base64.encodebytes(r.content)) +print(h) +" +``` + +Then search the hash on [Shodan](https://shodan.io): `http.favicon.hash:`