[tool search] Subdomain enumeration over HTTP requests

Hey there, ladies and gentlemen.
I know my fair share of various domain enumeration tools and such, but I was wondering if anyone could recommend subdomain brute-force tools which aren't doing it over DNS.

I have seen a few tools which do it by requesting a subdomain and enumerating the outcome, etc.
Suggestions would be appreciated.

-All hail the Potato-

Comments

  • I developed a tool to enumerate subdomains by using search-engines.
    Give it a look on Github at https://github.com/mrnfrancesco/yass

  • edited August 2019

    Wfuzz can do that. It is semi-reliable for HTB boxes.

    wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.host.com" --hc 200 --hw 356 -t 100 10.10.10.101

    Adjust the threads and hide code/word parameters to suit your needs.

    delosucks
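    The wfuzz line above works because the web server picks the site from the Host header, not from DNS, so any label you send is "resolved" by the server itself. The following is an added example, not code from this thread or from wfuzz: a small Python vhost brute-forcer that does the same thing and makes the filtering step explicit. The target is a constructed local HTTP server, and the vhost names (admin.host.htb, dev.host.htb) and the catch-all page are made up for the example.

```python
"""
Virtual-host brute force over HTTP Host headers: the same idea as the wfuzz
one-liner, written out so the filtering step is visible.

Everything here is constructed for the example: the "target" is a local
HTTP server started in a thread, not a real box.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target: the vhosts the "web server" knows, plus its catch-all page.
KNOWN_VHOSTS = {
    "admin.host.htb": b"<html><body>Admin portal login - staff only</body></html>",
    "dev.host.htb": b"<html><body>dev build, do not use</body></html>",
}
DEFAULT_PAGE = b"<html><body>Welcome to host.htb default site</body></html>"


class VHostHandler(BaseHTTPRequestHandler):
    """Serve a different page per Host header, like a name-based vhost setup."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = KNOWN_VHOSTS.get(host, DEFAULT_PAGE)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_target():
    """Start the constructed target on a free loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(ip, port, hostname, path="/", timeout=5):
    """
    GET `path` from ip:port with a spoofed Host header and return the response
    signature {"status", "words", "length"}: the three numbers wfuzz filters
    on with --hc / --hw / --hh.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        # http.client sends our Host value instead of ip:port when we supply one.
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    return {"status": resp.status, "words": len(body.split()), "length": len(body)}


def enumerate_vhosts(ip, port, domain, wordlist, fields=("status", "words", "length")):
    """
    Try every label in `wordlist` as <label>.<domain> and return the ones whose
    response differs from the catch-all page.

    The baseline comes from a label that cannot exist, which is how the
    --hc/--hw numbers for a wfuzz command are normally worked out. `fields`
    picks which parts of the signature are compared: ("status", "words")
    mirrors `--hc 200 --hw N`; the default also compares length, because a
    vhost whose page happens to have the same word count as the default
    page would otherwise be hidden.
    """
    baseline = probe(ip, port, f"zz-nonexistent-baseline.{domain}")
    base_sig = tuple(baseline[f] for f in fields)
    hits = []
    for label in wordlist:
        sig = probe(ip, port, f"{label}.{domain}")
        if tuple(sig[f] for f in fields) != base_sig:
            hits.append((label, sig))
    return hits


if __name__ == "__main__":
    server, port = start_target()
    try:
        for label, sig in enumerate_vhosts("127.0.0.1", port, "host.htb",
                                           ["www", "admin", "mail", "dev"]):
            print(f"{label}.host.htb  {sig}")
    finally:
        server.shutdown()
```

    Against a real box, point `probe` at the box IP and the domain at whatever the box uses (for HTB that is normally `.htb`, not `.com`), and pick the baseline from a label that certainly does not exist, exactly as you would before choosing `--hw`. In this constructed target, dev.host.htb has the same word count as the default page, so filtering on status and words alone (the wfuzz `--hc 200 --hw N` approach) misses it; comparing the length as well catches it.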

  • Hey guys, thanks a bunch for the quick responses, that's appreciated. I will have a look at both things. I am familiar with wfuzz but hadn't spotted the ability to enumerate subdomains in that way. :)

    -All hail the Potato-

  • edited August 2019

    @mrnfrancesco said:
    I developed a tool to enumerate subdomains by using search-engines.
    Give it a look on Github at https://github.com/mrnfrancesco/yass

    The domain feature I've seen before; it is a really versatile way of getting interesting results and often a lot of context. Is there by any chance support for enumerating via the web server? :)
    Sorta like the wfuzz example :)

    -All hail the Potato-

  • Right under my nose. I should do -h more, hehe.

    -All hail the Potato-

  • @Ketil said:

    @mrnfrancesco said:
    I developed a tool to enumerate subdomains by using search-engines.
    Give it a look on Github at https://github.com/mrnfrancesco/yass

    The domain feature I've seen before; it is a really versatile way of getting interesting results and often a lot of context. Is there by any chance support for enumerating via the web server? :)
    Sorta like the wfuzz example :)

    The tool is not intended to work in that way yet, but it could be an interesting feature for a future release.
    For now, if you want to brute-force VHOSTs, it does not suit your needs like the other suggested solutions do.

  • @mrnfrancesco, thanks for the input, I appreciate your feedback :) Have a great day.

    -All hail the Potato-

  • @delo said:

    Wfuzz can do that. It is semi-reliable for HTB boxes.

    wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.host.com" --hc 200 --hw 356 -t 100 10.10.10.101

    Adjust the threads and hide code/word parameters to suit your needs.

    I tried to use wfuzz for searching subdomains on Forwardslash but without any result.
    wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.forwardslash.com" --hc 200 --hw 356 -t 100 10.10.10.183
    I tried to use a wordlist with subdomains that exist for this box and I don't get any result.
    Where did I make a mistake?

  • edited May 22

    @fr0ster said:

    @delo said:

    Wfuzz can do that. It is semi-reliable for HTB boxes.

    wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.host.com" --hc 200 --hw 356 -t 100 10.10.10.101

    Adjust the threads and hide code/word parameters to suit your needs.

    I tried to use wfuzz for searching subdomains on Forwardslash but without any result.
    wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.forwardslash.com" --hc 200 --hw 356 -t 100 10.10.10.183
    I tried to use a wordlist with subdomains that exist for this box and I don't get any result.
    Where did I make a mistake?

    It's not ".com", but ".htb" :)

    Hack The Box

  • @mrnfrancesco said:

    I developed a tool to enumerate subdomains by using search-engines.
    Give it a look on Github at https://github.com/mrnfrancesco/yass

    This looks perfect, but still not useful with host.htb sites, or am I missing something?
