Fuzzing Subdomains and Virtual hosts
What is a Subdomain?
A subdomain is a domain that is part of a larger domain; it is the portion that appears before the main domain in a URL, for example "http://school.flight.htb". Subdomains are often used to organize and structure different sections or services within a website. They usually contain separate content or functionality, or they could even point to different servers.
What is a Virtual Host?
A virtual host allows a single web server to host multiple domains (or subdomains) on the same physical machine or IP address.
With virtual hosting, the web server can differentiate between incoming requests based on the domain (or IP address) and serve the appropriate content.
Two main mechanisms can be used to access a website on a virtual host:
HTTP: with the use of the Host request header. The client (us) uses the Host header to direct our request to the specified domain on the server.
HTTPS: the Server Name Indication (SNI) extension within TLS. When the client (us) establishes a connection to the server, the request includes the SNI within the handshake to specify the intended hostname. Example request:
ClientHello:
Random: 0x2b3ac5f7a7cf862d9f6548e13d4e9e5a
Session ID: (empty)
Cipher Suites: [TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, ...]
Compression Methods: [null]
Extensions:
- Server Name Indication Extension:
server_name: www.example.com
- Supported Elliptic Curves Extension: [secp256r1, secp384r1, secp521r1, ...]
- Signature Algorithms Extension: [rsa_pkcs1_sha256, rsa_pkcs1_sha384, ...]
We can see within the SNI that the client (us) specifies the intended hostname we want to connect to, www.example.com.
The main difference lies in their scope and purpose:
Subdomains: a way to structure and organize different sections or services under a domain name.
Virtual Hosts: a configuration on a web server that enables hosting multiple domains or subdomains on the same server.
WFUZZ
wfuzz (subdomain)
wfuzz -c -f sub-fighter -Z -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --sc 200,202,204,301,302,307,403 "http://FUZZ.flight.htb"
-c : colorizes the output
-f : specifies an output file name
-Z : option to disable SSL certificate warnings
-w : the wordlist being used
--sc 200,202,204,301,302,307,403 : specifies the list of HTTP status codes to consider as valid responses. In this case, it is considering 200, 202, 204, 301, 302, 307, and 403 as valid.
"http://FUZZ.flight.htb" : we specify the target URL, where FUZZ will be replaced by elements from our wordlist.

wfuzz (Virtual Hosts)
wfuzz -c -f sub-fighter -u 'http://flight.htb' -H 'Host:FUZZ.flight.htb' -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 200
The main difference from fuzzing subdomains is that we are actually fuzzing the Host request header: the target URL stays fixed, and each candidate subdomain is sent to the web server as the Host value.
-c : tells wfuzz to colorize the output for better readability.
-f sub-fighter : specifies the output file, named "sub-fighter".
-u 'http://flight.htb' : specifies the target URL, which is the website http://flight.htb.
-H 'Host:FUZZ.flight.htb' : sets a custom HTTP header (Host) with the value 'FUZZ.flight.htb'. The keyword 'FUZZ' is a placeholder that wfuzz will replace with entries from the wordlist.
-w : specifies the wordlist to be used.
--hc : sets the HTTP response code to hide.
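As an added example that is not part of the original notes: a small Python detector, written from the defender's side, that spots the kind of Host-header fuzzing the second wfuzz command performs by counting how many distinct unknown Host values each client sends. The access-log format (client, $host, request, status), the sample log lines and the set of configured vhosts are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed nginx-style access log lines (a log_format that writes $host as
# the second field). Sample data for the example, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 flight.htb "GET / HTTP/1.1" 200
10.0.0.5 school.flight.htb "GET / HTTP/1.1" 200
10.0.0.9 flight.htb "GET / HTTP/1.1" 200
10.0.0.9 mail.flight.htb "GET / HTTP/1.1" 200
10.0.0.9 ftp.flight.htb "GET / HTTP/1.1" 200
10.0.0.9 dev.flight.htb "GET / HTTP/1.1" 200
10.0.0.9 test.flight.htb "GET / HTTP/1.1" 200
10.0.0.9 admin.flight.htb "GET / HTTP/1.1" 200
10.0.0.9 school.flight.htb "GET / HTTP/1.1" 200
"""

# Hostnames this server is actually configured to serve (assumed for the example).
KNOWN_VHOSTS = {"flight.htb", "school.flight.htb"}

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\d{3})$')


def parse_line(line):
    """Return (client_ip, host, request, status), or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, host, request, status = m.groups()
    return ip, host.lower(), request, int(status)


def unknown_hosts_by_client(log_text):
    """Map each client IP to the set of Host values that match no configured vhost."""
    unknown = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, host, _, _ = parsed
        if host not in KNOWN_VHOSTS:
            unknown[ip].add(host)
    return dict(unknown)


def flag_vhost_fuzzers(log_text, threshold=3):
    """Return client IPs that sent at least `threshold` distinct unknown Host values."""
    return sorted(ip for ip, hosts in unknown_hosts_by_client(log_text).items()
                  if len(hosts) >= threshold)


if __name__ == "__main__":
    print(flag_vhost_fuzzers(SAMPLE_LOG))  # → ['10.0.0.9']
```

Subdomain fuzzing, by contrast, resolves each candidate name through DNS, so it shows up in DNS query logs as a burst of lookups for non-existent names rather than in the web server's access log. A catch-all default server block that answers unknown Host values with a fixed response also limits what Host-header fuzzing can reveal.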