mirror of
https://github.com/anotherhadi/blog.git
synced 2026-07-06 16:52:33 +02:00
init web: ffuf, dir enum & subdomains enum
Signed-off-by: Hadi <hadi@example.com>
This commit is contained in:
@@ -0,0 +1,38 @@
|
|||||||
|
---
|
||||||
|
title: "Directory Discovery"
|
||||||
|
description: "Techniques and tools for discovering hidden directories and files on web servers."
|
||||||
|
tags: ["web", "enumeration", "discovery", "directory"]
|
||||||
|
publishDate: 2026-06-01
|
||||||
|
---
|
||||||
|
|
||||||
|
## FFUF
|
||||||
|
|
||||||
|
See also [FFUF](/notes/web/ffuf) for fuzzing-based directory discovery.
|
||||||
|
|
||||||
|
## Robots.txt
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -s $url/robots.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
## Sitemap.xml
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -s $url/sitemap.xml
|
||||||
|
```
|
||||||
|
|
||||||
|
## Dirb
|
||||||
|
|
||||||
|
```bash
|
||||||
|
dirb $url
|
||||||
|
```
|
||||||
|
|
||||||
|
## Spider - Katana
|
||||||
|
|
||||||
|
A spider is a tool that crawls a website and collects information about its
|
||||||
|
structure and content. It can be used to find hidden directories, files, and
|
||||||
|
parameters.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
katana -c 15 -p 15 -u $url > output
|
||||||
|
```
|
||||||
@@ -0,0 +1,33 @@
|
|||||||
|
---
|
||||||
|
title: "FFUF"
|
||||||
|
description: "Reference and usage examples for ffuf, a fast web fuzzer for directories, endpoints and subdomains."
|
||||||
|
tags:
|
||||||
|
["web", "enumeration", "discovery", "subdomain", "directory", "bruteforce"]
|
||||||
|
publishDate: 2026-06-01
|
||||||
|
---
|
||||||
|
|
||||||
|
**Fuff (or ffuf)** is a fast web fuzzer written in Go, mainly used in
|
||||||
|
cybersecurity to discover hidden directories, files, API endpoints, subdomains,
|
||||||
|
vhosts and more. Its speed and flexibility make it a must-have for pentesters
|
||||||
|
and bug bounty hunters.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Flags:
|
||||||
|
# -rate 50 -t 50 # Limit requests to 50 per second with 50 concurrent threads
|
||||||
|
# -X POST|GET|PUT # Set method
|
||||||
|
# -e .php,.asp,.bak,.db # Set the extension
|
||||||
|
# -recursion -recursion-depth 3 # Recursive fuzzing up to 3 levels deep
|
||||||
|
# -fc 404,500 # Exclude responses with status codes 404 and 500
|
||||||
|
|
||||||
|
# Examples:
|
||||||
|
ffuf -w wordlist.txt -u $url/FUZZ # Basic directory/file fuzzing using a wordlist
|
||||||
|
ffuf -w subdomains.txt -u https://FUZZ.$url # Subdomain fuzzing
|
||||||
|
ffuf -w vhosts.txt -u $url -H "Host: https://FUZZ.$url" # Virtual host fuzzing by modifying the Host header
|
||||||
|
ffuf -w wordlist.txt -u $url/page.php?FUZZ=value # GET parameter fuzzing in the query string
|
||||||
|
ffuf -w wordlist.txt -u $url/api -X POST -d 'FUZZ=value' # POST body parameter fuzzing
|
||||||
|
ffuf -w wordlist.txt -u $url/FUZZ -b 'session=abcdef' # Use a session cookie during fuzzing
|
||||||
|
ffuf -w headers.txt -u $url -H "X-Custom-Header: FUZZ" # HTTP header fuzzing
|
||||||
|
ffuf -w passwords.txt -X POST -u $url/login -d "username=admin&password=FUZZ" # Password brute-forcing for user "admin"
|
||||||
|
ffuf -w users.txt:USER -w passwords.txt:PASS -u "$url/login?username=USER&password=PASS" -mode pitchfork # Pitchfork mode: matches each line from both wordlists (USER[i], PASS[i])
|
||||||
|
ffuf -w users.txt:USER -w passwords.txt:PASS -u "$url/login?username=USER&password=PASS" -mode clusterbomb # Clusterbomb mode: tests every user with every password combination
|
||||||
|
```
|
||||||
@@ -0,0 +1,85 @@
|
|||||||
|
---
|
||||||
|
title: "Subdomains Discovery"
|
||||||
|
description: "Methods and tools for enumerating subdomains of a target domain."
|
||||||
|
tags: ["web", "enumeration", "discovery", "subdomain"]
|
||||||
|
publishDate: 2026-06-01
|
||||||
|
---
|
||||||
|
|
||||||
|
## FFUF
|
||||||
|
|
||||||
|
See also [FFUF](/notes/web/ffuf) for fuzzing-based subdomain discovery.
|
||||||
|
|
||||||
|
## Google Dorking
|
||||||
|
|
||||||
|
Google dorks can surface subdomains indexed by Google without any active scanning.
|
||||||
|
|
||||||
|
```
|
||||||
|
site:*.$domain
|
||||||
|
site:*.$domain -www
|
||||||
|
site:*.$domain inurl:admin
|
||||||
|
site:*.$domain ext:php | ext:json | ext:xml
|
||||||
|
```
|
||||||
|
|
||||||
|
## Certificate Transparency
|
||||||
|
|
||||||
|
CT logs record every TLS certificate ever issued for a domain. Querying them is
|
||||||
|
passive and reliable.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq '.[].name_value' | sort -u
|
||||||
|
```
|
||||||
|
|
||||||
|
Tools that aggregate CT logs:
|
||||||
|
|
||||||
|
- [crt.sh](https://crt.sh)
|
||||||
|
- [censys.io](https://search.censys.io)
|
||||||
|
|
||||||
|
## Passive DNS
|
||||||
|
|
||||||
|
Passive DNS databases store historical DNS resolutions collected from resolvers
|
||||||
|
worldwide; useful for finding subdomains that no longer resolve but once did.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Amass (passive mode, no active scanning)
|
||||||
|
amass enum -passive -d $domain
|
||||||
|
|
||||||
|
# subfinder (uses many passive sources)
|
||||||
|
subfinder -d $domain -silent
|
||||||
|
```
|
||||||
|
|
||||||
|
## DMARC
|
||||||
|
|
||||||
|
DMARC can reveal more domains associated with a target.
|
||||||
|
|
||||||
|
Go to `dmarc.live/info/$domain`, it allows you to find domains using the
|
||||||
|
same DMARC record.
|
||||||
|
|
||||||
|
## ASN & IP Ranges
|
||||||
|
|
||||||
|
Finding the ASN of a target exposes its entire IP range, which may contain
|
||||||
|
undiscovered subdomains or related infrastructure.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Get ASN from an IP
|
||||||
|
whois $ip | grep -i "asn\|orgname\|origin"
|
||||||
|
|
||||||
|
# Get IP ranges from ASN
|
||||||
|
whois -h whois.radb.net -- '-i origin AS12345' | grep route
|
||||||
|
```
|
||||||
|
|
||||||
|
## Favicon Hash
|
||||||
|
|
||||||
|
A unique favicon can be fingerprinted to find other domains hosted by the same
|
||||||
|
organisation, including subdomains on non-standard ports.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Compute the MMH3 hash of the favicon
|
||||||
|
python3 -c "
|
||||||
|
import requests, mmh3, base64
|
||||||
|
r = requests.get('https://$domain/favicon.ico')
|
||||||
|
h = mmh3.hash(base64.encodebytes(r.content))
|
||||||
|
print(h)
|
||||||
|
"
|
||||||
|
```
|
||||||
|
|
||||||
|
Then search the hash on [Shodan](https://shodan.io): `http.favicon.hash:<hash>`
|
||||||
Reference in New Issue
Block a user