init web: ffuf, dir enum & subdomains enum

Signed-off-by: Hadi <hadi@example.com>
This commit is contained in:
Hadi
2026-06-01 15:31:31 +02:00
parent 25fb5a4bf0
commit 15f2b6c184
3 changed files with 156 additions and 0 deletions
@@ -0,0 +1,38 @@
---
title: "Directory Discovery"
description: "Techniques and tools for discovering hidden directories and files on web servers."
tags: ["web", "enumeration", "discovery", "directory"]
publishDate: 2026-06-01
---
## FFUF
See also [FFUF](/notes/web/ffuf) for fuzzing-based directory discovery.
## Robots.txt
```bash
curl -s $url/robots.txt
```
## Sitemap.xml
```bash
curl -s $url/sitemap.xml
```
## Dirb
```bash
dirb $url
```
## Spider - Katana
A spider is a tool that crawls a website and collects information about its
structure and content. It can be used to find hidden directories, files, and
parameters.
```bash
katana -c 15 -p 15 -u $url > output
```
+33
View File
@@ -0,0 +1,33 @@
---
title: "FFUF"
description: "Reference and usage examples for ffuf, a fast web fuzzer for directories, endpoints and subdomains."
tags:
["web", "enumeration", "discovery", "subdomain", "directory", "bruteforce"]
publishDate: 2026-06-01
---
**Fuff (or ffuf)** is a fast web fuzzer written in Go, mainly used in
cybersecurity to discover hidden directories, files, API endpoints, subdomains,
vhosts and more. Its speed and flexibility make it a must-have for pentesters
and bug bounty hunters.
```bash
# Flags:
# -rate 50 -t 50 # Limit requests to 50 per second with 50 concurrent threads
# -X POST|GET|PUT # Set method
# -e .php,.asp,.bak,.db # Set the extension
# -recursion -recursion-depth 3 # Recursive fuzzing up to 3 levels deep
# -fc 404,500 # Exclude responses with status codes 404 and 500
# Examples:
ffuf -w wordlist.txt -u $url/FUZZ # Basic directory/file fuzzing using a wordlist
ffuf -w subdomains.txt -u https://FUZZ.$url # Subdomain fuzzing
ffuf -w vhosts.txt -u $url -H "Host: https://FUZZ.$url" # Virtual host fuzzing by modifying the Host header
ffuf -w wordlist.txt -u $url/page.php?FUZZ=value # GET parameter fuzzing in the query string
ffuf -w wordlist.txt -u $url/api -X POST -d 'FUZZ=value' # POST body parameter fuzzing
ffuf -w wordlist.txt -u $url/FUZZ -b 'session=abcdef' # Use a session cookie during fuzzing
ffuf -w headers.txt -u $url -H "X-Custom-Header: FUZZ" # HTTP header fuzzing
ffuf -w passwords.txt -X POST -u $url/login -d "username=admin&password=FUZZ" # Password brute-forcing for user "admin"
ffuf -w users.txt:USER -w passwords.txt:PASS -u "$url/login?username=USER&password=PASS" -mode pitchfork # Pitchfork mode: matches each line from both wordlists (USER[i], PASS[i])
ffuf -w users.txt:USER -w passwords.txt:PASS -u "$url/login?username=USER&password=PASS" -mode clusterbomb # Clusterbomb mode: tests every user with every password combination
```
@@ -0,0 +1,85 @@
---
title: "Subdomains Discovery"
description: "Methods and tools for enumerating subdomains of a target domain."
tags: ["web", "enumeration", "discovery", "subdomain"]
publishDate: 2026-06-01
---
## FFUF
See also [FFUF](/notes/web/ffuf) for fuzzing-based subdomain discovery.
## Google Dorking
Google dorks can surface subdomains indexed by Google without any active scanning.
```
site:*.$domain
site:*.$domain -www
site:*.$domain inurl:admin
site:*.$domain ext:php | ext:json | ext:xml
```
## Certificate Transparency
CT logs record every TLS certificate ever issued for a domain. Querying them is
passive and reliable.
```bash
curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq '.[].name_value' | sort -u
```
Tools that aggregate CT logs:
- [crt.sh](https://crt.sh)
- [censys.io](https://search.censys.io)
## Passive DNS
Passive DNS databases store historical DNS resolutions collected from resolvers
worldwide; useful for finding subdomains that no longer resolve but once did.
```bash
# Amass (passive mode, no active scanning)
amass enum -passive -d $domain
# subfinder (uses many passive sources)
subfinder -d $domain -silent
```
## DMARC
DMARC can reveal more domains associated with a target.
Go to `dmarc.live/info/$domain`, it allows you to find domains using the
same DMARC record.
## ASN & IP Ranges
Finding the ASN of a target exposes its entire IP range, which may contain
undiscovered subdomains or related infrastructure.
```bash
# Get ASN from an IP
whois $ip | grep -i "asn\|orgname\|origin"
# Get IP ranges from ASN
whois -h whois.radb.net -- '-i origin AS12345' | grep route
```
## Favicon Hash
A unique favicon can be fingerprinted to find other domains hosted by the same
organisation, including subdomains on non-standard ports.
```bash
# Compute the MMH3 hash of the favicon
python3 -c "
import requests, mmh3, base64
r = requests.get('https://$domain/favicon.ico')
h = mmh3.hash(base64.encodebytes(r.content))
print(h)
"
```
Then search the hash on [Shodan](https://shodan.io): `http.favicon.hash:<hash>`