Fuzzing Subdomains and Virtual hosts

What is a Subdomain?

  • A subdomain is a domain that is part of a larger domain: the portion that appears before the main domain in a URL, for example "http://school.flight.htb", where school is a subdomain of flight.htb

  • Subdomains are often used to organize and structure different sections or services of a website. They usually hold separate content or functionality, and they may even point to different servers

What is a Virtual Host?

  • A virtual host allows a single web server to host multiple domains (or subdomains) on the same physical machine or IP address

  • With virtual hosting, the web server differentiates incoming requests based on the requested domain name (name-based virtual hosting) or the destination IP address (IP-based virtual hosting) and serves the appropriate content

  • Two main mechanisms are used to reach a specific website on a virtual host

  1. HTTP: the Host request header.

The client (us) uses the Host header to direct the request to the intended domain on the server.

  2. HTTPS: the Server Name Indication (SNI) extension within TLS. When the client (us) establishes a connection to the server, the ClientHello includes the SNI extension to specify the intended hostname, so the server can pick the right certificate before any HTTP data is exchanged. Example ClientHello:

ClientHello:
  Random: 0x2b3ac5f7a7cf862d9f6548e13d4e9e5a
  Session ID: (empty)
  Cipher Suites: [TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, ...]
  Compression Methods: [null]
  Extensions:
    - Server Name Indication Extension:
        server_name: www.example.com
    - Supported Elliptic Curves Extension: [secp256r1, secp384r1, secp521r1, ...]
    - Signature Algorithms Extension: [rsa_pkcs1_sha256, rsa_pkcs1_sha384, ...]

Within the SNI extension the client (us) specifies the intended hostname, www.example.com. Note that SNI only drives the TLS side (certificate and TLS configuration selection); once the tunnel is up, the HTTP request inside it still carries a Host header and the web server normally routes on that, so when fuzzing over HTTPS the two should name the same host (wfuzz sets SNI from the URL and Host from -H).
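To make the SNI part of the ClientHello concrete, here is an added example (not code from the original page) that builds and parses the server_name extension exactly as RFC 6066 lays it out on the wire, for the www.example.com hostname shown above. It also enforces the RFC rule that IP literals are not allowed in host_name, which is why connecting to a server by IP address sends no SNI and lands on the default virtual host's certificate.

```python
"""Build and parse the TLS server_name (SNI) extension, RFC 6066 section 3.

Added example, not from the original page. Layout on the wire:
  extension_type (2 bytes, 0x0000) | extension_data length (2 bytes)
  | ServerNameList length (2 bytes) | NameType (1 byte, 0 = host_name)
  | host_name length (2 bytes) | host_name (ASCII)
"""
import ipaddress
import struct

EXT_SERVER_NAME = 0x0000   # extension type for server_name
NAME_TYPE_HOST = 0x00      # the only defined NameType: host_name


def build_sni_extension(hostname: str) -> bytes:
    """Return the complete server_name extension (type + length + body)."""
    # RFC 6066: host_name is an ASCII DNS name; IPv4/IPv6 literals are not permitted.
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        pass
    else:
        raise ValueError("IP literals are not permitted in SNI host_name")
    name = hostname.encode("ascii")
    if not name or len(name) > 0xFFFF:
        raise ValueError("hostname must be 1..65535 bytes")
    # ServerName = NameType(1) + HostName<1..2^16-1> (2-byte length prefix)
    server_name = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
    # ServerNameList<1..2^16-1>: 2-byte length prefix over all ServerName entries
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    # Extension = extension_type(2) + extension_data<0..2^16-1> (2-byte length prefix)
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def parse_sni_extension(data: bytes) -> str:
    """Extract the host_name from a server_name extension; raise on malformed input."""
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != EXT_SERVER_NAME:
        raise ValueError(f"not a server_name extension: type {ext_type:#06x}")
    body = data[4:4 + ext_len]
    if len(body) != ext_len:
        raise ValueError("truncated extension body")
    (list_len,) = struct.unpack("!H", body[:2])
    entries = body[2:2 + list_len]
    if len(entries) != list_len:
        raise ValueError("truncated ServerNameList")
    offset = 0
    while offset + 3 <= len(entries):
        name_type, name_len = struct.unpack("!BH", entries[offset:offset + 3])
        offset += 3
        name = entries[offset:offset + name_len]
        if len(name) != name_len:
            raise ValueError("truncated host_name")
        offset += name_len
        if name_type == NAME_TYPE_HOST:
            return name.decode("ascii")
    raise ValueError("no host_name entry in ServerNameList")


if __name__ == "__main__":
    ext = build_sni_extension("www.example.com")
    print(ext.hex())                 # the 24 bytes a ClientHello carries for this name
    print(parse_sni_extension(ext))  # www.example.com
```

Seeing the bytes makes the fuzzing implication obvious: over HTTPS the candidate hostname has to be placed in this extension (tools do that from the URL's hostname), and a request sent to a bare IP carries no SNI at all.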

The main difference lies in their scope and purpose:

  • Subdomains: a way to structure and organize different sections or services under a domain name (a naming/DNS concept)

  • Virtual Hosts: a web server configuration that enables hosting multiple domains or subdomains on the same server (a server-side routing concept)

WFUZZ

wfuzz (subdomain)

wfuzz -c -f sub-fighter -Z -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --sc 200,202,204,301,302,307,403 "http://FUZZ.flight.htb"
  • -c: is used to colorize the output

  • -f sub-fighter: write the results to the file sub-fighter (-f filename[,printer])

  • -Z: scan mode; connection errors (for example candidate names that do not resolve) are ignored instead of aborting the run

  • -w: wordlist being used

  • --sc 200,202,204,301,302,307,403: show only responses with these HTTP status codes. Here 200, 202, 204, 301, 302, 307 and 403 are treated as valid.

  • "http://FUZZ.flight.htb": the target URL, where FUZZ is replaced by each entry from our wordlist. Because the hostname itself changes, every candidate must resolve (DNS or /etc/hosts); names that do not resolve produce connection errors, which -Z suppresses. If the zone has a wildcard record every candidate resolves and answers, so compare response sizes (--hh/--hw) rather than relying on status codes alone.

wfuzz (Virtual Hosts)

wfuzz -c -f sub-fighter -u 'http://flight.htb' -H 'Host:FUZZ.flight.htb' -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 200

The main difference from subdomain fuzzing is that the URL (and therefore the IP address the request goes to) stays fixed and we fuzz the Host request header, sending the web server a different hostname on each request. This works even when the candidate names have no DNS record at all.

  • -c: This option tells wfuzz to colorize the output for better readability.

  • -f sub-fighter: write the results to the file sub-fighter (-f filename[,printer]).

  • -u 'http://flight.htb': This specifies the target URL, which is the website http://flight.htb.

  • -H 'Host:FUZZ.flight.htb': This is setting a custom HTTP header (Host) with the value 'FUZZ.flight.htb'. The keyword 'FUZZ' is a placeholder that wfuzz will replace with entries from the wordlist.

  • -w: specifies the wordlist to be used

  • --hc 200: hide responses with status code 200, on the assumption that the default virtual host answers unknown names with 200 while real virtual hosts answer differently. Check the default response first (for example by sending a random Host value): if it returns another code, or if the real virtual hosts also return 200, hide on the baseline response size or word count instead (--hh <chars> / --hw <words>).
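The following added example (not from the original page, and not wfuzz's code) shows both sides of the Host-header technique: a small name-based virtual-host server that answers differently depending on the Host header, and a fuzzer that sends candidate hostnames to a fixed IP and port and keeps only the ones whose response differs from a baseline. The vhost names (school.flight.htb, app.flight.htb), the default page and the five-word wordlist are constructed here so it runs offline; the baseline filter compares status and size together, which is the --hh/--hw style filtering recommended above rather than hiding a single status code.

```python
"""Virtual-host discovery by fuzzing the Host header against a local
name-based virtual-host server. Added example, not from the original page;
the vhost table, default page and wordlist below are constructed."""
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table: one server/IP answers differently per Host header,
# exactly as a name-based virtual host configuration would.
VHOSTS = {
    "school.flight.htb": (200, b"<h1>Flight School portal</h1>"),
    "app.flight.htb": (302, b"redirecting to login"),
}
# What the default (catch-all) vhost returns for any unknown Host value.
DEFAULT_RESPONSE = (200, b"<h1>Flight Airlines</h1> default site")


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Name-based virtual hosting: route on the Host header, ignoring any :port.
        host = self.headers.get("Host", "").split(":")[0].lower()
        status, body = VHOSTS.get(host, DEFAULT_RESPONSE)
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the constructed vhost server on a free loopback port and serve in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, host):
    """One request to a fixed ip:port with an attacker-chosen Host header.
    Returns (status, body length), the two values the baseline filter uses."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, len(body)


def fuzz_vhosts(ip, port, domain, wordlist):
    """Return (candidate, status, size) for every word whose response differs
    from the default vhost's baseline. Comparing status AND size avoids missing
    vhosts that answer 200 just like the default one does."""
    # Baseline: a random label that certainly does not exist on the target.
    baseline = probe(ip, port, f"{uuid.uuid4().hex[:8]}.{domain}")
    found = []
    for word in wordlist:
        candidate = f"{word}.{domain}"
        result = probe(ip, port, candidate)
        if result != baseline:
            found.append((candidate, result[0], result[1]))
    return found


if __name__ == "__main__":
    srv = start_server()
    ip, port = srv.server_address
    wordlist = ["www", "mail", "school", "dev", "app"]  # constructed mini wordlist
    for name, status, size in fuzz_vhosts(ip, port, "flight.htb", wordlist):
        print(f"{name:25s} {status} {size} bytes")
    srv.shutdown()
```

Against a real target you would replace the constructed server with the box's IP and port and use a full wordlist; the logic is the same as the wfuzz command above, with the baseline taken from a random Host value instead of assuming the default vhost always returns 200.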
