mirror of
https://github.com/anotherhadi/blog.git
synced 2026-07-06 16:52:33 +02:00
init web: ffuf, dir enum & subdomains enum
Signed-off-by: Hadi <hadi@example.com>
This commit is contained in:
@@ -0,0 +1,38 @@
|
||||
---
|
||||
title: "Directory Discovery"
|
||||
description: "Techniques and tools for discovering hidden directories and files on web servers."
|
||||
tags: ["web", "enumeration", "discovery", "directory"]
|
||||
publishDate: 2026-06-01
|
||||
---
|
||||
|
||||
## FFUF
|
||||
|
||||
See also [FFUF](/notes/web/ffuf) for fuzzing-based directory discovery.
|
||||
|
||||
## Robots.txt
|
||||
|
||||
```bash
|
||||
curl -s $url/robots.txt
|
||||
```
|
||||
|
||||
## Sitemap.xml
|
||||
|
||||
```bash
|
||||
curl -s $url/sitemap.xml
|
||||
```
|
||||
|
||||
## Dirb
|
||||
|
||||
```bash
|
||||
dirb $url
|
||||
```
|
||||
|
||||
## Spider - Katana
|
||||
|
||||
A spider is a tool that crawls a website and collects information about its
|
||||
structure and content. It can be used to find hidden directories, files, and
|
||||
parameters.
|
||||
|
||||
```bash
|
||||
katana -c 15 -p 15 -u $url > output
|
||||
```
|
||||
@@ -0,0 +1,33 @@
|
||||
---
|
||||
title: "FFUF"
|
||||
description: "Reference and usage examples for ffuf, a fast web fuzzer for directories, endpoints and subdomains."
|
||||
tags:
|
||||
["web", "enumeration", "discovery", "subdomain", "directory", "bruteforce"]
|
||||
publishDate: 2026-06-01
|
||||
---
|
||||
|
||||
**Fuff (or ffuf)** is a fast web fuzzer written in Go, mainly used in
|
||||
cybersecurity to discover hidden directories, files, API endpoints, subdomains,
|
||||
vhosts and more. Its speed and flexibility make it a must-have for pentesters
|
||||
and bug bounty hunters.
|
||||
|
||||
```bash
|
||||
# Flags:
|
||||
# -rate 50 -t 50 # Limit requests to 50 per second with 50 concurrent threads
|
||||
# -X POST|GET|PUT # Set method
|
||||
# -e .php,.asp,.bak,.db # Set the extension
|
||||
# -recursion -recursion-depth 3 # Recursive fuzzing up to 3 levels deep
|
||||
# -fc 404,500 # Exclude responses with status codes 404 and 500
|
||||
|
||||
# Examples:
|
||||
ffuf -w wordlist.txt -u $url/FUZZ # Basic directory/file fuzzing using a wordlist
|
||||
ffuf -w subdomains.txt -u https://FUZZ.$url # Subdomain fuzzing
|
||||
ffuf -w vhosts.txt -u $url -H "Host: https://FUZZ.$url" # Virtual host fuzzing by modifying the Host header
|
||||
ffuf -w wordlist.txt -u $url/page.php?FUZZ=value # GET parameter fuzzing in the query string
|
||||
ffuf -w wordlist.txt -u $url/api -X POST -d 'FUZZ=value' # POST body parameter fuzzing
|
||||
ffuf -w wordlist.txt -u $url/FUZZ -b 'session=abcdef' # Use a session cookie during fuzzing
|
||||
ffuf -w headers.txt -u $url -H "X-Custom-Header: FUZZ" # HTTP header fuzzing
|
||||
ffuf -w passwords.txt -X POST -u $url/login -d "username=admin&password=FUZZ" # Password brute-forcing for user "admin"
|
||||
ffuf -w users.txt:USER -w passwords.txt:PASS -u "$url/login?username=USER&password=PASS" -mode pitchfork # Pitchfork mode: matches each line from both wordlists (USER[i], PASS[i])
|
||||
ffuf -w users.txt:USER -w passwords.txt:PASS -u "$url/login?username=USER&password=PASS" -mode clusterbomb # Clusterbomb mode: tests every user with every password combination
|
||||
```
|
||||
@@ -0,0 +1,85 @@
|
||||
---
|
||||
title: "Subdomains Discovery"
|
||||
description: "Methods and tools for enumerating subdomains of a target domain."
|
||||
tags: ["web", "enumeration", "discovery", "subdomain"]
|
||||
publishDate: 2026-06-01
|
||||
---
|
||||
|
||||
## FFUF
|
||||
|
||||
See also [FFUF](/notes/web/ffuf) for fuzzing-based subdomain discovery.
|
||||
|
||||
## Google Dorking
|
||||
|
||||
Google dorks can surface subdomains indexed by Google without any active scanning.
|
||||
|
||||
```
|
||||
site:*.$domain
|
||||
site:*.$domain -www
|
||||
site:*.$domain inurl:admin
|
||||
site:*.$domain ext:php | ext:json | ext:xml
|
||||
```
|
||||
|
||||
## Certificate Transparency
|
||||
|
||||
CT logs record every TLS certificate ever issued for a domain. Querying them is
|
||||
passive and reliable.
|
||||
|
||||
```bash
|
||||
curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq '.[].name_value' | sort -u
|
||||
```
|
||||
|
||||
Tools that aggregate CT logs:
|
||||
|
||||
- [crt.sh](https://crt.sh)
|
||||
- [censys.io](https://search.censys.io)
|
||||
|
||||
## Passive DNS
|
||||
|
||||
Passive DNS databases store historical DNS resolutions collected from resolvers
|
||||
worldwide; useful for finding subdomains that no longer resolve but once did.
|
||||
|
||||
```bash
|
||||
# Amass (passive mode, no active scanning)
|
||||
amass enum -passive -d $domain
|
||||
|
||||
# subfinder (uses many passive sources)
|
||||
subfinder -d $domain -silent
|
||||
```
|
||||
|
||||
## DMARC
|
||||
|
||||
DMARC can reveal more domains associated with a target.
|
||||
|
||||
Go to `dmarc.live/info/$domain`, it allows you to find domains using the
|
||||
same DMARC record.
|
||||
|
||||
## ASN & IP Ranges
|
||||
|
||||
Finding the ASN of a target exposes its entire IP range, which may contain
|
||||
undiscovered subdomains or related infrastructure.
|
||||
|
||||
```bash
|
||||
# Get ASN from an IP
|
||||
whois $ip | grep -i "asn\|orgname\|origin"
|
||||
|
||||
# Get IP ranges from ASN
|
||||
whois -h whois.radb.net -- '-i origin AS12345' | grep route
|
||||
```
|
||||
|
||||
## Favicon Hash
|
||||
|
||||
A unique favicon can be fingerprinted to find other domains hosted by the same
|
||||
organisation, including subdomains on non-standard ports.
|
||||
|
||||
```bash
|
||||
# Compute the MMH3 hash of the favicon
|
||||
python3 -c "
|
||||
import requests, mmh3, base64
|
||||
r = requests.get('https://$domain/favicon.ico')
|
||||
h = mmh3.hash(base64.encodebytes(r.content))
|
||||
print(h)
|
||||
"
|
||||
```
|
||||
|
||||
Then search the hash on [Shodan](https://shodan.io): `http.favicon.hash:<hash>`
|
||||
Reference in New Issue
Block a user