Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  1. Cheat sheets and Notes

Fuzzing Subdomains and Virtual hosts

PreviousDirectory brute-forcing (Fuzzing web directories)NextPivoting, Tunneling, and Port Forwarding

Last updated 1 year ago

What is a Subdomain?

  • is a domain that is part of a larger domain, it's the portion that appears before the main domain in a URL. example "http://school.flight.htb"

  • Subdomains are often used to organize and structure different sections or services within a website. They usually contain separate content, functionality or they could even point to different servers

What is a Virtual Host?

  • A virtual host allows a single web server to host multiple domains (or subdomains) on the same physical machine or IP address

  • With virtual hosting, the web server can differentiate between incoming requests based on the domain (or IP address) and serve the appropriate content

  • The Two main mechanisms can be used to access a website on a virtual host

  1. HTTP: With the use of the HOST request header.

The client (us) uses the Host header to direct our request to the specified domain on the server.

  1. HTTPS: The Server Name Indication (SNI) extension within TLS, the client (us) when we establish a connection to the server our request would include the SNI within the handshake to specify the intended hostname, example request ClientHello

ClientHello:
  Random: 0x2b3ac5f7a7cf862d9f6548e13d4e9e5a
  Session ID: (empty)
  Cipher Suites: [TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, ...]
  Compression Methods: [null]
  Extensions:
    - Server Name Indication Extension:
        server_name: www.example.com
    - Supported Elliptic Curves Extension: [secp256r1, secp384r1, secp521r1, ...]
    - Signature Algorithms Extension: [rsa_pkcs1_sha256, rsa_pkcs1_sha384, ...]

we can see within the SNI, the client (us) specifies the intended hostname we want to connect to being www.example.com

The main difference lies in their scope and purpose

  • Subdomains: It is a way to structure and organize different sections or services under a domain name

  • Virtual Hosts: It is a configuration on a web server that enables hosting mutiple domains or subdomains on the same server

WFUZZ

wfuzz (subdomain)

wfuzz -c -f sub-fighter -Z -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --sc 200,202,204,301,302,307,403 "http://FUZZ.flight.htb"

  • -c: is used to colorize the output

  • -f: specifying a output name

  • -Z: Option to disable SSL certificate warnings

  • -w: wordlist being used

  • --sc 200,202,204,301,302,307,403: Specifies the list of HTTP status codes to consider as valid responses. In this case, it's considering 200, 202, 204, 301, 302, 307, and 403 as valid.

  • "http://FUZZ.flight.htb": We specify the target URL where FUZZ will be replaced by elements from our wordlist

wfuzz (Virtual Hosts)

wfuzz -c -f sub-fighter -u 'http://flight.htb' -H 'Host:FUZZ.flight.htb' -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 200

The main difference from fuzzing subdomains is we are actually fuzzing the Host request header, specifying different subdomains to sent to the web server

  • -c: This option tells wfuzz to colorize the output for better readability.

  • -f sub-fighter: This specifies the format for the output file, and it uses the format named "sub-fighter."

  • -u 'http://flight.htb': This specifies the target URL, which is the website http://flight.htb.

  • -H 'Host:FUZZ.flight.htb': This is setting a custom HTTP header (Host) with the value 'FUZZ.flight.htb'. The keyword 'FUZZ' is a placeholder that wfuzz will replace with entries from the wordlist.

  • -w: specifies the wordlist to be used

  • --hc: This sets the HTTP response code to ignore