[tool search] subdomain enumeration over http requests

Hey there ladies and gentlemen.
I know my fair share of various domain enumeration tools and such, but I was wondering if anyone could recommend subdomain brute force tools which aren't doing it over DNS.

I have seen a few tools which do it by requesting a subdomain and enumerating the outcome etc etc.
Suggestions would be appreciated.

I developed a tool to enumerate subdomains by using search-engines.
Give it a look on Github at GitHub - mrnfrancesco/yass: YASS (Yet Another Subdomainer Software) is a plugin-powered search engine based subdomainer.

Wfuzz can do that. It is semi-reliable for HTB boxes.

wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.host.com" --hc 200 --hw 356 -t 100 10.10.10.101

Adjust the threads and hide code/word parameters to suit your needs.

Hey guys, thanks a bunch for the quick responses, that's appreciated. I will have a look at both things… I am familiar with wfuzz but hadn't spotted the ability to enumerate subdomains in that way. :slight_smile:

@mrnfrancesco said:
I developed a tool to enumerate subdomains by using search-engines.
Give it a look on Github at GitHub - mrnfrancesco/yass: YASS (Yet Another Subdomainer Software) is a plugin-powered search engine based subdomainer.

The domain feature I've seen before; it is a really versatile way of getting interesting results and often a lot of context. Is there by any chance support for enumerating via the webserver? :slight_smile:
Sorta like the wfuzz example :slight_smile:

gobuster vhost

Right under my nose. I should do -h more, hehe.

@Ketil said:

@mrnfrancesco said:
I developed a tool to enumerate subdomains by using search-engines.
Give it a look on Github at GitHub - mrnfrancesco/yass: YASS (Yet Another Subdomainer Software) is a plugin-powered search engine based subdomainer.

The domain feature I've seen before; it is a really versatile way of getting interesting results and often a lot of context. Is there by any chance support for enumerating via the webserver? :slight_smile:
Sorta like the wfuzz example :slight_smile:

The tool is not intended to work in that way yet, but it could be an interesting feature for a future release.
For now, if you want to brute-force VHOSTs, it does not suit your needs like the other suggested solutions do.

@mrnfrancesco, thanks for the input, I appreciate your feedback :slight_smile: Have a great day.

@delo said:

Wfuzz can do that. It is semi-reliable for HTB boxes.

wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.host.com" --hc 200 --hw 356 -t 100 10.10.10.101

Adjust the threads and hide code/word parameters to suit your needs.

I tried using wfuzz to search for subdomains in Forwardslash but without any result.
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.forwardslash.com" --hc 200 --hw 356 -t 100 10.10.10.183
I tried using a wordlist with subdomains that exist for this box and I don't get any result.
Where is my mistake?

@fr0ster said:

@delo said:

Wfuzz can do that. It is semi-reliable for HTB boxes.

wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.host.com" --hc 200 --hw 356 -t 100 10.10.10.101

Adjust the threads and hide code/word parameters to suit your needs.

I tried using wfuzz to search for subdomains in Forwardslash but without any result.
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.forwardslash.com" --hc 200 --hw 356 -t 100 10.10.10.183
I tried using a wordlist with subdomains that exist for this box and I don't get any result.
Where is my mistake?

It's not ".com", but ".htb" :slight_smile:
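The wfuzz filters in delo's post and the ".com" vs ".htb" mix-up above come down to one mechanism: a name-based virtual host server chooses content by the Host header, and any name it was not configured with falls through to the default vhost. The Python below is an added example, not code from the thread or from wfuzz, gobuster or YASS. It models that dispatch with a constructed vhost table, shows why hiding responses that match the default vhost's status code and word count (what --hc and --hw do) leaves nothing when the wrong top-level domain is used, and then, from the defender's side, parses constructed access-log lines (assumed to be a combined format extended with the Host header as the last quoted field) to flag a client presenting an unusual number of distinct Host values.

```python
import re
from collections import Counter, defaultdict

# ---- Part 1: name-based virtual hosting as seen through the Host header ----
# Constructed stand-in for a web server's vhost configuration (assumption,
# not a real box). Only configured names get their own content; every other
# Host value falls through to the default vhost, so all misses share one
# status code and one word count.
VHOSTS = {
    "www.host.htb": "<html>Welcome to the public site of host</html>",
    "dev.host.htb": "<html>Dev portal please log in to continue</html>",
}
DEFAULT_BODY = "<html>It works default vhost</html>"


def serve(host_header):
    """Return (status, body) the way a name-based vhost server would."""
    return 200, VHOSTS.get(host_header.lower(), DEFAULT_BODY)


def signature(status, body):
    """The pair wfuzz compares with --hc (status code) and --hw (word count)."""
    return status, len(body.split())


def baseline(domain):
    """Signature of the default vhost, obtained by asking for a name that
    cannot be configured. This is what '--hc 200 --hw 356' hard-codes."""
    return signature(*serve(f"zz-baseline-probe.{domain}"))


def vhosts_that_differ(labels, domain):
    """Names whose response differs from the default vhost's signature.
    With the wrong domain suffix every request hits the default vhost, every
    response matches the baseline, and the filter hides all of them."""
    base = baseline(domain)
    return [f"{label}.{domain}" for label in labels
            if signature(*serve(f"{label}.{domain}")) != base]


# ---- Part 2: what the same activity looks like in the server's access log ----
# Constructed log lines (not real traffic), assumed format: combined log plus
# the Host header as a final quoted field, e.g. Apache LogFormat ending in
# "%{Host}i". Note that the misses all carry the same response size.
ACCESS_LOG = """\
10.10.14.7 - - [12/Mar/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 37 "-" "Wfuzz/2.4" "aaa.host.htb"
10.10.14.7 - - [12/Mar/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 37 "-" "Wfuzz/2.4" "admin.host.htb"
10.10.14.7 - - [12/Mar/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 37 "-" "Wfuzz/2.4" "api.host.htb"
10.10.14.7 - - [12/Mar/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 37 "-" "Wfuzz/2.4" "backup.host.htb"
10.10.14.7 - - [12/Mar/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 52 "-" "Wfuzz/2.4" "dev.host.htb"
10.10.14.7 - - [12/Mar/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 37 "-" "Wfuzz/2.4" "mail.host.htb"
192.168.1.20 - - [12/Mar/2020:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 55 "-" "Mozilla/5.0" "www.host.htb"
192.168.1.20 - - [12/Mar/2020:10:00:04 +0000] "GET /about HTTP/1.1" 200 61 "-" "Mozilla/5.0" "www.host.htb"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)


def parse_log(text):
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def find_vhost_scanners(rows, min_distinct_hosts=5):
    """Flag client IPs that present many distinct Host headers.
    Returns {ip: (distinct_host_count, most_common_response_size)}; a single
    dominant size is the default-vhost page being served over and over."""
    hosts = defaultdict(set)
    sizes = defaultdict(Counter)
    for r in rows:
        hosts[r["ip"]].add(r["host"].lower())
        sizes[r["ip"]][r["size"]] += 1
    return {ip: (len(h), sizes[ip].most_common(1)[0][0])
            for ip, h in hosts.items() if len(h) >= min_distinct_hosts}


if __name__ == "__main__":
    print("default vhost signature:", baseline("host.htb"))
    print("with .htb:", vhosts_that_differ(["www", "dev", "mail"], "host.htb"))
    print("with .com:", vhosts_that_differ(["www", "dev", "mail"], "host.com"))
    print("suspicious clients:", find_vhost_scanners(parse_log(ACCESS_LOG)))
```

The baseline step is the part worth copying into your own workflow: the 356 in `--hw 356` is just the word count of that particular box's default page, so measure it first rather than reusing a number from a forum post. On the logging side, a real deployment would bucket by time window and tune `min_distinct_hosts` to how many names the site legitimately answers to; the constructed log here has one client cycling through six names in two seconds, which no normal browser does.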

@mrnfrancesco said:

I developed a tool to enumerate subdomains by using search-engines.
Give it a look on Github at GitHub - mrnfrancesco/yass: YASS (Yet Another Subdomainer Software) is a plugin-powered search engine based subdomainer.

This looks perfect, but still not useful with host.htb sites, or am I missing something?