https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/ Recent content in DNS and Subdomains on d3vilsec Hugo en https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/amass/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/amass/ <h1 id="amass-cheatsheet">amass Cheatsheet</h1> <p><strong>Type:</strong> Actively maintained subdomain discovery — extensive data sources &amp; tool integrations</p> <hr> <h2 id="installation">Installation</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo apt install amass </span></span><span style="display:flex;"><span><span style="color:#75715e"># or</span> </span></span><span style="display:flex;"><span>go install -v github.com/owasp-amass/amass/v4/...@master </span></span><span style="display:flex;"><span><span style="color:#75715e"># or</span> </span></span><span style="display:flex;"><span>snap install amass </span></span></code></pre></div><hr> <h2 id="subcommands">Subcommands</h2> <table> <thead> <tr> <th>Subcommand</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>enum</code></td> <td>Subdomain enumeration (main command)</td> </tr> <tr> <td><code>intel</code></td> <td>Collect intel about an organisation</td> </tr> <tr> <td><code>viz</code></td> <td>Visualise enumeration results</td> </tr> <tr> <td><code>track</code></td> <td>Track differences between enumerations</td> </tr> <tr> <td><code>db</code></td> <td>Interact with the graph database</td> </tr> </tbody> </table> <hr> <h2 id="enum--subdomain-enumeration">enum — Subdomain Enumeration</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Basic passive enumeration</span> </span></span><span style="display:flex;"><span>amass enum -passive -d example.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Active enumeration (DNS resolution + brute force)</span> </span></span><span style="display:flex;"><span>amass enum -active -d example.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Active with brute force</span> </span></span><span style="display:flex;"><span>amass enum -brute -d example.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Brute force with wordlist</span> </span></span><span style="display:flex;"><span>amass enum -brute -w wordlist.txt -d example.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Multiple domains</span> </span></span><span style="display:flex;"><span>amass enum -d example.com -d example.org </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Domains from file</span> </span></span><span style="display:flex;"><span>amass enum -df domains.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Limit data sources</span> </span></span><span style="display:flex;"><span>amass enum -passive -d example.com -src </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Output to file</span> </span></span><span style="display:flex;"><span>amass enum -d example.com -o output.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Output to JSON</span> </span></span><span style="display:flex;"><span>amass enum -d example.com -json output.json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Show data sources in results</span> </span></span><span style="display:flex;"><span>amass enum -d example.com -src </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Verbose</span> </span></span><span style="display:flex;"><span>amass enum -v -d example.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Set timeout (minutes)</span> </span></span><span style="display:flex;"><span>amass enum -d example.com -timeout <span style="color:#ae81ff">30</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use specific resolvers</span> </span></span><span style="display:flex;"><span>amass enum -d example.com -r 8.8.8.8,1.1.1.1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use resolver list</span> </span></span><span style="display:flex;"><span>amass enum -d example.com -rf resolvers.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Exclude data sources</span> </span></span><span style="display:flex;"><span>amass enum -d example.com -exclude CrtSearch </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Only specific data sources</span> </span></span><span style="display:flex;"><span>amass enum -d example.com -include Wayback,CrtSearch </span></span></code></pre></div><hr> <h2 id="common-flags-enum">Common Flags (enum)</h2> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-d &lt;domain&gt;</code></td> <td>Target domain</td> </tr> <tr> <td><code>-df &lt;file&gt;</code></td> <td>File with list of domains</td> </tr> <tr> <td><code>-passive</code></td> <td>Passive only (no DNS resolution)</td> </tr> <tr> <td><code>-active</code></td> <td>Active DNS (zone transfer, cert grabbing)</td> </tr> <tr> <td><code>-brute</code></td> <td>Enable brute force</td> </tr> <tr> <td><code>-w &lt;wordlist&gt;</code></td> <td>Wordlist for brute force</td> </tr> <tr> <td><code>-o &lt;file&gt;</code></td> <td>Output results to file</td> </tr> <tr> <td><code>-json &lt;file&gt;</code></td> <td>Output as JSON</td> </tr> <tr> <td><code>-src</code></td> <td>Show data source for each result</td> </tr> <tr> <td><code>-ip</code></td> <td>Show IP addresses</td> </tr> <tr> <td><code>-r &lt;resolvers&gt;</code></td> <td>Comma-separated resolver IPs</td> </tr> <tr> <td><code>-rf &lt;file&gt;</code></td> <td>File of resolver IPs</td> </tr> <tr> <td><code>-timeout &lt;n&gt;</code></td> <td>Timeout in minutes</td> </tr> <tr> <td><code>-v</code></td> <td>Verbose</td> </tr> <tr> <td><code>-config &lt;file&gt;</code></td> <td>Config file path</td> </tr> <tr> <td><code>-dir &lt;path&gt;</code></td> <td>Directory for output/database</td> </tr> </tbody> </table> <hr> <h2 id="intel--org-recon">intel — Org Recon</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Find domains by organisation name</span> </span></span><span style="display:flex;"><span>amass intel -org <span style="color:#e6db74">&#34;Target Corp&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Reverse whois</span> </span></span><span style="display:flex;"><span>amass intel -whois -d example.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ASN lookup</span> </span></span><span style="display:flex;"><span>amass intel -asn <span style="color:#ae81ff">12345</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Find domains from IP/CIDR</span> </span></span><span style="display:flex;"><span>amass intel -ip 192.168.1.0/24 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Find ASN from domain</span> </span></span><span style="display:flex;"><span>amass intel -d example.com -whois </span></span></code></pre></div><hr> <h2 id="configuration-file">Configuration File</h2> <p>Config file at <code>~/.config/amass/config.ini</code> (or specify with <code>-config</code>):</p> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/assetfinder/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/assetfinder/ <h1 id="assetfinder-cheatsheet">assetfinder Cheatsheet</h1> <p><strong>Type:</strong> Simple, lightweight subdomain finder using multiple passive data sources — ideal for quick recon</p> <hr> <h2 id="installation">Installation</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>go install github.com/tomnomnom/assetfinder@latest </span></span><span style="display:flex;"><span><span style="color:#75715e"># Binary ends up in ~/go/bin/assetfinder</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Or download pre-built binary</span> </span></span><span style="display:flex;"><span>wget https://github.com/tomnomnom/assetfinder/releases/latest/download/assetfinder-linux-amd64.tgz </span></span><span style="display:flex;"><span>tar xf assetfinder-linux-amd64.tgz </span></span><span style="display:flex;"><span>mv assetfinder /usr/local/bin/ </span></span></code></pre></div><hr> <h2 id="basic-usage">Basic Usage</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>assetfinder &lt;domain&gt; </span></span><span style="display:flex;"><span>assetfinder example.com </span></span></code></pre></div><hr> <h2 id="flags">Flags</h2> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>--subs-only</code></td> <td>Show only subdomains (filter out related domains / TLD variants)</td> </tr> </tbody> </table> <hr> <h2 id="common-commands">Common Commands</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># All results (subdomains + related domains)</span> </span></span><span style="display:flex;"><span>assetfinder example.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Subdomains only (most common usage)</span> </span></span><span style="display:flex;"><span>assetfinder --subs-only example.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Save to file</span> </span></span><span style="display:flex;"><span>assetfinder --subs-only example.com &gt; subdomains.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Multiple domains from stdin</span> </span></span><span style="display:flex;"><span>cat domains.txt | xargs -I<span style="color:#f92672">{}</span> assetfinder --subs-only <span style="color:#f92672">{}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Pipe into other tools</span> </span></span><span style="display:flex;"><span>assetfinder --subs-only example.com | httprobe <span style="color:#75715e"># Check live hosts</span> </span></span><span style="display:flex;"><span>assetfinder --subs-only example.com | sort -u <span style="color:#75715e"># Deduplicate</span> </span></span></code></pre></div><hr> <h2 id="data-sources-used">Data Sources Used</h2> <pre tabindex="0"><code>crt.sh (Certificate transparency logs) certspotter (SSL cert monitoring) hackertarget (Passive DNS) threatcrowd (Threat intelligence) wayback (Wayback Machine / archive.org) dnsdumpster (DNS recon service) facebook CT (Facebook certificate transparency) virustotal (Passive DNS) findsubdomains.com </code></pre><hr> <h2 id="pipeline-examples">Pipeline Examples</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Find subdomains → probe for live web servers → save</span> </span></span><span style="display:flex;"><span>assetfinder --subs-only example.com | httprobe | tee live_hosts.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Find subdomains → resolve to IPs</span> </span></span><span style="display:flex;"><span>assetfinder --subs-only example.com | <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> xargs -I<span style="color:#f92672">{}</span> dig +short <span style="color:#f92672">{}</span> | grep -v <span style="color:#e6db74">&#34;^</span>$<span style="color:#e6db74">&#34;</span> | sort -u </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Find subdomains → run nmap on live ones</span> </span></span><span style="display:flex;"><span>assetfinder --subs-only example.com | <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> httprobe | sed <span style="color:#e6db74">&#39;s/https\?:\/\///&#39;</span> | <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> xargs -I<span style="color:#f92672">{}</span> nmap -p 80,443 <span style="color:#f92672">{}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Combine with other tools for coverage</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">(</span>assetfinder --subs-only example.com; <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> subfinder -d example.com -silent; <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> amass enum -passive -d example.com<span style="color:#f92672">)</span> | sort -u &gt; all_subs.txt </span></span></code></pre></div><hr> <h2 id="notes">Notes</h2> <ul> <li><strong>Passive only</strong> — does not brute force DNS or make queries to the target</li> <li>Fast and lightweight — great first pass before heavier tools</li> <li>No API keys needed for most sources (some may be rate-limited)</li> <li>Output may contain duplicates — always pipe through <code>sort -u</code></li> </ul> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/dnsenum/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/dnsenum/ <h1 id="dnsenum-cheatsheet">dnsenum Cheatsheet</h1> <p><strong>Type:</strong> Comprehensive DNS enumeration — dictionary &amp; brute-force subdomain discovery</p> <hr> <h2 id="installation">Installation</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo apt install dnsenum </span></span><span style="display:flex;"><span><span style="color:#75715e"># or</span> </span></span><span style="display:flex;"><span>git clone https://github.com/fwaeytens/dnsenum.git </span></span></code></pre></div><hr> <h2 id="basic-usage">Basic Usage</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>dnsenum &lt;domain&gt; </span></span><span style="display:flex;"><span>dnsenum example.com </span></span></code></pre></div><hr> <h2 id="common-flags">Common Flags</h2> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>--dnsserver &lt;ns&gt;</code></td> <td>Use a specific DNS server</td> </tr> <tr> <td><code>-f &lt;wordlist&gt;</code></td> <td>Wordlist for subdomain brute force</td> </tr> <tr> <td><code>-r</code></td> <td>Enable recursive brute force on found subdomains</td> </tr> <tr> <td><code>-p &lt;pages&gt;</code></td> <td>Number of Google scraping pages (default: 5)</td> </tr> <tr> <td><code>-s &lt;results&gt;</code></td> <td>Maximum results from Google scraping</td> </tr> <tr> <td><code>-o &lt;file&gt;</code></td> <td>Output to XML file</td> </tr> <tr> <td><code>--enum</code></td> <td>Shortcut: enables brute force, threads, Google scraping</td> </tr> <tr> <td><code>--threads &lt;n&gt;</code></td> <td>Number of threads for brute forcing</td> </tr> <tr> <td><code>--noreverse</code></td> <td>Skip reverse lookup on found IP ranges</td> </tr> <tr> <td><code>--nocolor</code></td> <td>Disable colored output</td> </tr> <tr> <td><code>-v</code></td> <td>Verbose output</td> </tr> <tr> <td><code>--timeout &lt;s&gt;</code></td> <td>DNS query timeout in seconds</td> </tr> </tbody> </table> <hr> <h2 id="common-commands">Common Commands</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Full enumeration with brute force</span> </span></span><span style="display:flex;"><span>dnsenum --dnsserver &lt;ns&gt; --enum -p <span style="color:#ae81ff">0</span> -s <span style="color:#ae81ff">0</span> -f wordlist.txt &lt;domain&gt; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Brute force with threads, no Google scraping</span> </span></span><span style="display:flex;"><span>dnsenum -f wordlist.txt --threads <span style="color:#ae81ff">20</span> --noreverse &lt;domain&gt; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Output to XML</span> </span></span><span style="display:flex;"><span>dnsenum -f wordlist.txt -o output.xml &lt;domain&gt; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Recursive brute force (enumerate found subdomains too)</span> </span></span><span style="display:flex;"><span>dnsenum -f wordlist.txt -r &lt;domain&gt; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Suppress Google scraping (clean/offline)</span> </span></span><span style="display:flex;"><span>dnsenum -p <span style="color:#ae81ff">0</span> -s <span style="color:#ae81ff">0</span> -f wordlist.txt &lt;domain&gt; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use specific nameserver</span> </span></span><span style="display:flex;"><span>dnsenum --dnsserver 8.8.8.8 -f wordlist.txt &lt;domain&gt; </span></span></code></pre></div><hr> <h2 id="what-dnsenum-does-automatically">What dnsenum Does Automatically</h2> <pre tabindex="0"><code>1. Queries A, NS, MX records 2. Attempts zone transfer (AXFR) on each nameserver 3. Google scraping for subdomains (unless -p 0 -s 0) 4. Reverse lookups on found IP ranges 5. Brute forces subdomains from wordlist (if -f provided) </code></pre><hr> <h2 id="recommended-wordlists">Recommended Wordlists</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt </span></span><span style="display:flex;"><span>/usr/share/wordlists/dnsmap.txt </span></span></code></pre></div><hr> <h2 id="example-full-run">Example Full Run</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>dnsenum --dnsserver 8.8.8.8 <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --enum <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -p <span style="color:#ae81ff">0</span> -s <span style="color:#ae81ff">0</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --threads <span style="color:#ae81ff">20</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -o results.xml <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> example.com </span></span></code></pre></div> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/dnsrecon/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/dnsrecon/ <h1 id="dnsrecon-cheatsheet">dnsrecon Cheatsheet</h1> <p><strong>Type:</strong> Versatile DNS reconnaissance — multiple techniques, customisable output formats</p> <hr> <h2 id="installation">Installation</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo apt install dnsrecon </span></span><span style="display:flex;"><span><span style="color:#75715e"># or</span> </span></span><span style="display:flex;"><span>git clone https://github.com/darkoperator/dnsrecon.git </span></span><span style="display:flex;"><span>pip3 install -r requirements.txt </span></span></code></pre></div><hr> <h2 id="basic-usage">Basic Usage</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>dnsrecon -d &lt;domain&gt; </span></span><span style="display:flex;"><span>dnsrecon -d example.com </span></span></code></pre></div><hr> <h2 id="scan-types--t">Scan Types (<code>-t</code>)</h2> <table> <thead> <tr> <th>Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>std</code></td> <td>Standard — A, AAAA, NS, SOA, MX, TXT records</td> </tr> <tr> <td><code>axfr</code></td> <td>Zone transfer attempt on all nameservers</td> </tr> <tr> <td><code>brt</code></td> <td>Brute force subdomains from wordlist</td> </tr> <tr> <td><code>rvl</code></td> <td>Reverse lookup on IP range</td> </tr> <tr> <td><code>goo</code></td> <td>Google scraping for subdomains</td> </tr> <tr> <td><code>snoop</code></td> <td>Cache snooping on nameservers</td> </tr> <tr> <td><code>tld</code></td> <td>Check all TLD variations of domain</td> </tr> <tr> <td><code>zonewalk</code></td> <td>DNSSEC zone walking (NSEC enumeration)</td> </tr> <tr> <td><code>srv</code></td> <td>SRV record enumeration</td> </tr> <tr> <td><code>bing</code></td> <td>Bing scraping for subdomains</td> </tr> <tr> <td><code>crt</code></td> <td>Certificate transparency logs</td> </tr> </tbody> </table> <hr> <h2 id="common-flags">Common Flags</h2> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-d &lt;domain&gt;</code></td> <td>Target domain</td> </tr> <tr> <td><code>-t &lt;type&gt;</code></td> <td>Scan type (see table above)</td> </tr> <tr> <td><code>-D &lt;wordlist&gt;</code></td> <td>Wordlist for brute force (<code>brt</code>)</td> </tr> <tr> <td><code>-n &lt;nameserver&gt;</code></td> <td>Use specific nameserver</td> </tr> <tr> <td><code>-r &lt;cidr&gt;</code></td> <td>IP range for reverse lookups</td> </tr> <tr> <td><code>-c &lt;file&gt;</code></td> <td>Save output to CSV</td> </tr> <tr> <td><code>-j &lt;file&gt;</code></td> <td>Save output to JSON</td> </tr> <tr> <td><code>-x &lt;file&gt;</code></td> <td>Save output to XML</td> </tr> <tr> <td><code>--db &lt;file&gt;</code></td> <td>Save output to SQLite DB</td> </tr> <tr> <td><code>-f</code></td> <td>Filter wildcard results</td> </tr> <tr> <td><code>-a</code></td> <td>Perform AXFR on all nameservers</td> </tr> <tr> <td><code>--iw</code></td> <td>Continue brute force even if wildcard detected</td> </tr> <tr> <td><code>-v</code></td> <td>Verbose output</td> </tr> <tr> <td><code>--lifetime &lt;s&gt;</code></td> <td>Query lifetime in seconds</td> </tr> <tr> <td><code>--tcp</code></td> <td>Use TCP for queries</td> </tr> <tr> <td><code>-t std,brt</code></td> <td>Combine multiple scan types</td> </tr> </tbody> </table> <hr> <h2 id="common-commands">Common Commands</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Standard enumeration (all record types)</span> </span></span><span style="display:flex;"><span>dnsrecon -d example.com -t std </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Zone transfer attempt</span> </span></span><span style="display:flex;"><span>dnsrecon -d example.com -t axfr </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Brute force subdomains</span> </span></span><span style="display:flex;"><span>dnsrecon -d example.com -t brt -D wordlist.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Reverse lookup on a range</span> </span></span><span style="display:flex;"><span>dnsrecon -r 192.168.1.0/24 -t rvl </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Cache snooping</span> </span></span><span style="display:flex;"><span>dnsrecon -t snoop -n &lt;nameserver&gt; -D wordlist.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># DNSSEC zone walking</span> </span></span><span style="display:flex;"><span>dnsrecon -d example.com -t zonewalk </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Certificate transparency</span> </span></span><span style="display:flex;"><span>dnsrecon -d example.com -t crt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Multiple scan types at once</span> </span></span><span style="display:flex;"><span>dnsrecon -d example.com -t std,axfr,brt -D wordlist.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use specific nameserver</span> </span></span><span style="display:flex;"><span>dnsrecon -d example.com -n 8.8.8.8 -t std </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Output to JSON</span> </span></span><span style="display:flex;"><span>dnsrecon -d example.com -t std -j output.json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Output to CSV</span> </span></span><span style="display:flex;"><span>dnsrecon -d example.com -t brt -D wordlist.txt -c output.csv </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Filter wildcards during brute force</span> </span></span><span style="display:flex;"><span>dnsrecon -d example.com -t brt -D wordlist.txt -f </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Force brute force through wildcard</span> </span></span><span style="display:flex;"><span>dnsrecon -d example.com -t brt -D wordlist.txt --iw </span></span></code></pre></div><hr> <h2 id="recommended-wordlists">Recommended Wordlists</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt </span></span></code></pre></div><hr> <h2 id="example-full-run">Example Full Run</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>dnsrecon -d example.com <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -t std,axfr,brt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -n 8.8.8.8 <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -f <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -j dnsrecon_results.json </span></span></code></pre></div> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/feroxbuster/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/feroxbuster/ <h1 id="feroxbuster-cheatsheet">feroxbuster Cheatsheet</h1> <p><strong>Type:</strong> Fast Rust-based web fuzzer — recursive directory brute forcing, wildcard detection, rich filtering</p> <hr> <h2 id="installation">Installation</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo apt install feroxbuster </span></span><span style="display:flex;"><span><span style="color:#75715e"># or</span> </span></span><span style="display:flex;"><span>curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/main/install-nix.sh | bash </span></span><span style="display:flex;"><span><span style="color:#75715e"># or</span> </span></span><span style="display:flex;"><span>cargo install feroxbuster </span></span></code></pre></div><hr> <h2 id="basic-usage">Basic Usage</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt </span></span></code></pre></div><hr> <h2 id="common-flags">Common Flags</h2> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-u &lt;url&gt;</code></td> <td>Target URL</td> </tr> <tr> <td><code>-w &lt;wordlist&gt;</code></td> <td>Wordlist (default: built-in if not specified)</td> </tr> <tr> <td><code>-t &lt;n&gt;</code></td> <td>Threads (default: 50)</td> </tr> <tr> <td><code>-x &lt;ext&gt;</code></td> <td>File extensions to append</td> </tr> <tr> <td><code>-d &lt;n&gt;</code></td> <td>Recursion depth (default: 4, 0 = unlimited)</td> </tr> <tr> <td><code>-r</code></td> <td>Follow redirects</td> </tr> <tr> <td><code>-k</code></td> <td>Disable TLS certificate verification</td> </tr> <tr> <td><code>-n</code></td> <td>Disable recursion</td> </tr> <tr> <td><code>-C &lt;codes&gt;</code></td> <td>Filter out status codes</td> </tr> <tr> <td><code>-s &lt;codes&gt;</code></td> <td>Only show these status codes</td> </tr> <tr> <td><code>-S &lt;size&gt;</code></td> <td>Filter by response size (bytes)</td> </tr> <tr> <td><code>-W &lt;words&gt;</code></td> <td>Filter by word count in response</td> </tr> <tr> <td><code>-L &lt;lines&gt;</code></td> <td>Filter by line count in response</td> </tr> <tr> <td><code>-X &lt;regex&gt;</code></td> <td>Filter by response body regex</td> </tr> <tr> <td><code>-H &lt;header&gt;</code></td> <td>Add custom header (repeatable)</td> </tr> <tr> <td><code>-b &lt;cookie&gt;</code></td> <td>Add cookie</td> </tr> <tr> <td><code>-m &lt;methods&gt;</code></td> <td>HTTP methods (default: GET)</td> </tr> <tr> <td><code>-o &lt;file&gt;</code></td> <td>Output to file</td> </tr> <tr> <td><code>-q</code></td> <td>Quiet — no banner or progress</td> </tr> <tr> <td><code>--json</code></td> <td>Output as JSON</td> </tr> <tr> <td><code>-v</code></td> <td>Verbose</td> </tr> <tr> <td><code>-T &lt;seconds&gt;</code></td> <td>Request timeout</td> </tr> <tr> <td><code>--rate-limit &lt;n&gt;</code></td> <td>Max requests per second</td> </tr> <tr> <td><code>-p &lt;proxy&gt;</code></td> <td>Use proxy (http/socks5)</td> </tr> <tr> <td><code>-U &lt;user&gt; -P &lt;pass&gt;</code></td> <td>HTTP Basic auth</td> </tr> <tr> <td><code>-a &lt;agent&gt;</code></td> <td>User-Agent string</td> </tr> <tr> <td><code>--dont-filter</code></td> <td>Disable wildcard filtering</td> </tr> <tr> <td><code>--auto-tune</code></td> <td>Automatically slow down on errors</td> </tr> <tr> <td><code>--collect-extensions</code></td> <td>Collect and scan discovered extensions</td> </tr> <tr> <td><code>--collect-words</code></td> <td>Build wordlist from responses</td> </tr> <tr> <td><code>--resume-from &lt;file&gt;</code></td> <td>Resume from a saved state file</td> </tr> </tbody> </table> <hr> <h2 id="common-commands">Common Commands</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Basic scan with extensions</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt -x php,html,txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># No recursion (flat scan)</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt -n </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Limit recursion depth</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt -d <span style="color:#ae81ff">2</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Filter out 404s and 403s</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt -C 404,403 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Only show 200 and 301</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt -s 200,301 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Filter responses by size (remove default page noise)</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt -S <span style="color:#ae81ff">1234</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Filter by word count</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt -W <span style="color:#ae81ff">25</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># HTTPS with TLS skip</span> </span></span><span style="display:flex;"><span>feroxbuster -u https://&lt;ip&gt; -w wordlist.txt -k </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Custom headers (e.g. API auth)</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer &lt;token&gt;&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;X-Custom: value&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use proxy (Burp Suite)</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -p http://127.0.0.1:8080 -k </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># POST requests</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt -m POST </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Multiple HTTP methods</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt -m GET,POST,PUT </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Output to file (also saves state for resume)</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt -o results.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># JSON output</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt --json -o results.json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Resume interrupted scan</span> </span></span><span style="display:flex;"><span>feroxbuster --resume-from ferox-&lt;ip&gt;.state </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Rate limit (be polite / evade detection)</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt --rate-limit <span style="color:#ae81ff">100</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Collect extensions seen in responses and scan them too</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt --collect-extensions </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Build a wordlist from page content, then use it</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt --collect-words </span></span></code></pre></div><hr> <h2 id="virtual-host-discovery">Virtual Host Discovery</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># feroxbuster doesn&#39;t natively fuzz Host headers</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use with -H to manually set a specific host header,</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># or use ffuf/gobuster for vhost fuzzing</span> </span></span><span style="display:flex;"><span>feroxbuster -u http://&lt;ip&gt; -w wordlist.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Host: staging.example.com&#34;</span> </span></span></code></pre></div><hr> <h2 id="interactive-pause-menu">Interactive Pause Menu</h2> <p>While feroxbuster is running, press <code>ENTER</code> to open the interactive menu:</p> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/ffuf/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/ffuf/ <h1 id="ffuf-cheatsheet">ffuf Cheatsheet</h1> <p><strong>Type:</strong> Fast web fuzzer — directory busting, virtual host discovery, parameter fuzzing, Host header fuzzing</p> <hr> <h2 id="installation">Installation</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo apt install ffuf </span></span><span style="display:flex;"><span><span style="color:#75715e"># or</span> </span></span><span style="display:flex;"><span>go install github.com/ffuf/ffuf/v2@latest </span></span></code></pre></div><hr> <h2 id="core-concept">Core Concept</h2> <p><code>FUZZ</code> is the keyword replaced by each wordlist entry. It can go anywhere in the request — URL path, headers, parameters, body.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ -w wordlist.txt </span></span></code></pre></div><p>Multiple keywords are supported by naming them with <code>-w wordlist:KEYWORD</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ -w wordlist1.txt -w params.txt:PARAM </span></span></code></pre></div><hr> <h2 id="common-flags">Common Flags</h2> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-u &lt;url&gt;</code></td> <td>Target URL (include FUZZ)</td> </tr> <tr> <td><code>-w &lt;wordlist&gt;</code></td> <td>Wordlist (use <code>wordlist:KEYWORD</code> for named)</td> </tr> <tr> <td><code>-H &lt;header&gt;</code></td> <td>Add/fuzz header (repeatable)</td> </tr> <tr> <td><code>-X &lt;method&gt;</code></td> <td>HTTP method (default: GET)</td> </tr> <tr> <td><code>-d &lt;data&gt;</code></td> <td>POST data body</td> </tr> <tr> <td><code>-b &lt;cookie&gt;</code></td> <td>Cookie string</td> </tr> <tr> <td><code>-r</code></td> <td>Follow redirects</td> </tr> <tr> <td><code>-k</code></td> <td>Skip TLS verification</td> </tr> <tr> <td><code>-t &lt;n&gt;</code></td> <td>Threads (default: 40)</td> </tr> <tr> <td><code>-p &lt;delay&gt;</code></td> <td>Delay between requests (e.g. <code>0.1</code>, <code>0.5-1.5</code>)</td> </tr> <tr> <td><code>-rate &lt;n&gt;</code></td> <td>Max requests per second</td> </tr> <tr> <td><code>-timeout &lt;n&gt;</code></td> <td>Request timeout in seconds</td> </tr> <tr> <td><code>-mc &lt;codes&gt;</code></td> <td>Match status codes (default: 200-299,301,302,307,401,403,405,500)</td> </tr> <tr> <td><code>-ms &lt;size&gt;</code></td> <td>Match response size</td> </tr> <tr> <td><code>-mw &lt;words&gt;</code></td> <td>Match word count</td> </tr> <tr> <td><code>-ml &lt;lines&gt;</code></td> <td>Match line count</td> </tr> <tr> <td><code>-mr &lt;regex&gt;</code></td> <td>Match regex in response body</td> </tr> <tr> <td><code>-fc &lt;codes&gt;</code></td> <td>Filter status codes</td> </tr> <tr> <td><code>-fs &lt;size&gt;</code></td> <td>Filter response size</td> </tr> <tr> <td><code>-fw &lt;words&gt;</code></td> <td>Filter word count</td> </tr> <tr> <td><code>-fl &lt;lines&gt;</code></td> <td>Filter line count</td> </tr> <tr> <td><code>-fr &lt;regex&gt;</code></td> <td>Filter regex in response body</td> </tr> <tr> <td><code>-ac</code></td> <td>Auto-calibrate filters (detects and removes false positives)</td> </tr> <tr> <td><code>-o &lt;file&gt;</code></td> <td>Output file</td> </tr> <tr> <td><code>-of &lt;fmt&gt;</code></td> <td>Output format: <code>json</code>, <code>ejson</code>, <code>html</code>, <code>md</code>, <code>csv</code>, <code>all</code></td> </tr> <tr> <td><code>-v</code></td> <td>Verbose (show redirects, full URL)</td> </tr> <tr> <td><code>-s</code></td> <td>Silent — only results</td> </tr> <tr> <td><code>-c</code></td> <td>Colorize output</td> </tr> <tr> <td><code>-recursion</code></td> <td>Enable recursive fuzzing</td> </tr> <tr> <td><code>-recursion-depth &lt;n&gt;</code></td> <td>Recursion depth</td> </tr> <tr> <td><code>-e &lt;exts&gt;</code></td> <td>File extensions (e.g. <code>php,html,txt</code>)</td> </tr> <tr> <td><code>-ic</code></td> <td>Ignore wordlist comments</td> </tr> <tr> <td><code>-input-cmd &lt;cmd&gt;</code></td> <td>Use command output as input instead of wordlist</td> </tr> </tbody> </table> <hr> <h2 id="directory--file-fuzzing">Directory &amp; File Fuzzing</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Basic directory scan</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ -w wordlist.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># With file extensions</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Filter 404s</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ -w wordlist.txt -fc <span style="color:#ae81ff">404</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Match only 200</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ -w wordlist.txt -mc <span style="color:#ae81ff">200</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Auto-calibrate (removes false positives automatically)</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ -w wordlist.txt -ac </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Recursive scanning</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ -w wordlist.txt -recursion -recursion-depth <span style="color:#ae81ff">3</span> -e .php </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Filter by response size (remove noise)</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ -w wordlist.txt -fs <span style="color:#ae81ff">4242</span> </span></span></code></pre></div><hr> <h2 id="virtual-host-discovery-host-header-fuzzing">Virtual Host Discovery (Host Header Fuzzing)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Basic vhost fuzzing</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt; -H <span style="color:#e6db74">&#34;Host: FUZZ.example.com&#34;</span> -w wordlist.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Filter default response size</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt; -H <span style="color:#e6db74">&#34;Host: FUZZ.example.com&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w wordlist.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -fs &lt;default_size&gt; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Auto-calibrate to remove default response</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt; -H <span style="color:#e6db74">&#34;Host: FUZZ.example.com&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w wordlist.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -ac </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># HTTPS</span> </span></span><span style="display:flex;"><span>ffuf -u https://&lt;ip&gt; -H <span style="color:#e6db74">&#34;Host: FUZZ.example.com&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w wordlist.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -k -fs &lt;default_size&gt; </span></span></code></pre></div><hr> <h2 id="parameter-fuzzing">Parameter Fuzzing</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># GET parameter discovery</span> </span></span><span style="display:flex;"><span>ffuf -u <span style="color:#e6db74">&#34;http://&lt;ip&gt;/page?FUZZ=value&#34;</span> -w wordlist.txt -fc <span style="color:#ae81ff">404</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># GET parameter value fuzzing</span> </span></span><span style="display:flex;"><span>ffuf -u <span style="color:#e6db74">&#34;http://&lt;ip&gt;/page?id=FUZZ&#34;</span> -w numbers.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># POST parameter fuzzing</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/login <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -X POST <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#34;username=admin&amp;password=FUZZ&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w wordlist.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -fc <span style="color:#ae81ff">401</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># POST body with JSON</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/api/login <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -X POST <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;username&#34;:&#34;admin&#34;,&#34;password&#34;:&#34;FUZZ&#34;}&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w wordlist.txt </span></span></code></pre></div><hr> <h2 id="multiple-wordlists-clusterbomb--pitchfork">Multiple Wordlists (Clusterbomb / Pitchfork)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Two keywords — try all combinations (clusterbomb)</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ/W2 <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w wordlist.txt:FUZZ <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w extensions.txt:W2 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Username + password combinations</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/login <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -X POST <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#34;user=USER&amp;pass=PASS&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w users.txt:USER <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w passwords.txt:PASS <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -fc <span style="color:#ae81ff">401</span> </span></span></code></pre></div><hr> <h2 id="fuzzing-with-proxy-burp-suite">Fuzzing with Proxy (Burp Suite)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ -w wordlist.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -x http://127.0.0.1:8080 -k </span></span></code></pre></div><hr> <h2 id="output">Output</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Save to file (markdown)</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ -w wordlist.txt -o results.md -of md </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Save as JSON</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ -w wordlist.txt -o results.json -of json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Save all formats</span> </span></span><span style="display:flex;"><span>ffuf -u http://&lt;ip&gt;/FUZZ -w wordlist.txt -o results -of all </span></span></code></pre></div><hr> <h2 id="recommended-wordlists">Recommended Wordlists</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Directories</span> </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/Web-Content/common.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Virtual hosts / subdomains</span> </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Parameters</span> </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Passwords</span> </span></span><span style="display:flex;"><span>/usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt </span></span></code></pre></div><hr> <h2 id="example-full-runs">Example Full Runs</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Directory + extension scan</span> </span></span><span style="display:flex;"><span>ffuf -u http://example.com/FUZZ <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -e .php,.html,.txt,.bak <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -ac -c -v <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -t <span style="color:#ae81ff">50</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -o ffuf_dir.json -of json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Virtual host discovery</span> </span></span><span style="display:flex;"><span>ffuf -u http://example.com <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Host: FUZZ.example.com&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -ac -c <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -t <span style="color:#ae81ff">50</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -o ffuf_vhost.json -of json </span></span></code></pre></div> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/fierce/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/fierce/ <h1 id="fierce-cheatsheet">fierce Cheatsheet</h1> <p><strong>Type:</strong> User-friendly recursive subdomain discovery with wildcard detection</p> <hr> <h2 id="installation">Installation</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo apt install fierce </span></span><span style="display:flex;"><span><span style="color:#75715e"># or</span> </span></span><span style="display:flex;"><span>pip3 install fierce </span></span><span style="display:flex;"><span><span style="color:#75715e"># or</span> </span></span><span style="display:flex;"><span>git clone https://github.com/mschwager/fierce.git </span></span></code></pre></div><hr> <h2 id="basic-usage">Basic Usage</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>fierce --domain &lt;domain&gt; </span></span><span style="display:flex;"><span>fierce --domain example.com </span></span></code></pre></div><hr> <h2 id="common-flags">Common Flags</h2> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>--domain &lt;domain&gt;</code></td> <td>Target domain</td> </tr> <tr> <td><code>--wordlist &lt;file&gt;</code></td> <td>Custom wordlist for brute forcing</td> </tr> <tr> <td><code>--dns-servers &lt;ns&gt;</code></td> <td>Use specific DNS servers (space-separated)</td> </tr> <tr> <td><code>--delay &lt;seconds&gt;</code></td> <td>Delay between requests</td> </tr> <tr> <td><code>--subdomains &lt;list&gt;</code></td> <td>Manually specify subdomains to check</td> </tr> <tr> <td><code>--wide</code></td> <td>Scan entire Class C of discovered hosts</td> </tr> <tr> <td><code>--traverse &lt;n&gt;</code></td> <td>Scan IPs n away from discovered hosts</td> </tr> <tr> <td><code>--search &lt;domains&gt;</code></td> <td>Filter results by domain pattern</td> </tr> <tr> <td><code>--range &lt;cidr&gt;</code></td> <td>Scan an IP range for PTR records</td> </tr> <tr> <td><code>--connect</code></td> <td>Attempt HTTP/HTTPS connections to found hosts</td> </tr> <tr> <td><code>--output &lt;file&gt;</code></td> <td>Save results to JSON file</td> </tr> </tbody> </table> <hr> <h2 id="common-commands">Common Commands</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Basic scan (uses built-in wordlist)</span> </span></span><span style="display:flex;"><span>fierce --domain example.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Custom wordlist</span> </span></span><span style="display:flex;"><span>fierce --domain example.com <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use specific DNS server</span> </span></span><span style="display:flex;"><span>fierce --domain example.com --dns-servers 8.8.8.8 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Wide scan (scan Class C of discovered IPs)</span> </span></span><span style="display:flex;"><span>fierce --domain example.com --wide </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Add delay to evade detection</span> </span></span><span style="display:flex;"><span>fierce --domain example.com --delay <span style="color:#ae81ff">3</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Traverse IPs near discovered hosts</span> </span></span><span style="display:flex;"><span>fierce --domain example.com --traverse <span style="color:#ae81ff">5</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check HTTP/HTTPS on found hosts</span> </span></span><span style="display:flex;"><span>fierce --domain example.com --connect </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Save to JSON</span> </span></span><span style="display:flex;"><span>fierce --domain example.com --output results.json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scan IP range for reverse DNS</span> </span></span><span style="display:flex;"><span>fierce --range 192.168.1.0/24 </span></span></code></pre></div><hr> <h2 id="key-features">Key Features</h2> <pre tabindex="0"><code>- Wildcard detection (avoids false positives from wildcard DNS) - Recursive: checks subdomains of subdomains - Identifies adjacent IPs in same IP space - Clean, readable output format - Built-in default wordlist </code></pre><hr> <h2 id="wildcard-detection">Wildcard Detection</h2> <p>Fierce automatically detects wildcard DNS entries. If a domain resolves all queries (e.g., <code>*.example.com</code> → same IP), fierce identifies this and handles it gracefully instead of reporting false positives.</p> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/gobuster/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/gobuster/ <h1 id="gobuster-cheatsheet">gobuster Cheatsheet</h1> <p><strong>Type:</strong> Multi-purpose brute-forcing tool — directories, files, DNS subdomains, virtual hosts, S3 buckets</p> <hr> <h2 id="installation">Installation</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo apt install gobuster </span></span><span style="display:flex;"><span><span style="color:#75715e"># or</span> </span></span><span style="display:flex;"><span>go install github.com/OJ/gobuster/v3@latest </span></span></code></pre></div><hr> <h2 id="modes">Modes</h2> <table> <thead> <tr> <th>Mode</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>dir</code></td> <td>Directory and file brute forcing</td> </tr> <tr> <td><code>dns</code></td> <td>DNS subdomain brute forcing</td> </tr> <tr> <td><code>vhost</code></td> <td>Virtual host discovery</td> </tr> <tr> <td><code>fuzz</code></td> <td>Fuzzing (replace FUZZ keyword anywhere in URL)</td> </tr> <tr> <td><code>s3</code></td> <td>AWS S3 bucket enumeration</td> </tr> <tr> <td><code>gcs</code></td> <td>Google Cloud Storage bucket enumeration</td> </tr> </tbody> </table> <hr> <h2 id="global-flags">Global Flags</h2> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-w &lt;wordlist&gt;</code></td> <td>Wordlist path</td> </tr> <tr> <td><code>-t &lt;n&gt;</code></td> <td>Threads (default: 10)</td> </tr> <tr> <td><code>-o &lt;file&gt;</code></td> <td>Output to file</td> </tr> <tr> <td><code>-q</code></td> <td>Quiet — only print results</td> </tr> <tr> <td><code>-v</code></td> <td>Verbose</td> </tr> <tr> <td><code>--no-error</code></td> <td>Suppress errors</td> </tr> <tr> <td><code>-z</code></td> <td>No progress bar</td> </tr> <tr> <td><code>--delay &lt;ms&gt;</code></td> <td>Delay between requests</td> </tr> </tbody> </table> <hr> <h2 id="dir--directory--file-brute-force">dir — Directory &amp; File Brute Force</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Basic scan</span> </span></span><span style="display:flex;"><span>gobuster dir -u http://&lt;ip&gt; -w wordlist.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Common flags</span> </span></span><span style="display:flex;"><span>gobuster dir -u http://&lt;ip&gt; -w wordlist.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -t <span style="color:#ae81ff">50</span> <span style="color:#ae81ff">\ </span> <span style="color:#75715e"># 50 threads</span> </span></span><span style="display:flex;"><span> -x php,html,txt,bak <span style="color:#ae81ff">\ </span> <span style="color:#75715e"># File extensions</span> </span></span><span style="display:flex;"><span> -s 200,204,301,302,307 <span style="color:#ae81ff">\ </span> <span style="color:#75715e"># Status codes to show</span> </span></span><span style="display:flex;"><span> -b 404,403 <span style="color:#ae81ff">\ </span> <span style="color:#75715e"># Status codes to exclude</span> </span></span><span style="display:flex;"><span> --timeout 10s <span style="color:#ae81ff">\ </span> <span style="color:#75715e"># Request timeout</span> </span></span><span style="display:flex;"><span> -k <span style="color:#ae81ff">\ </span> <span style="color:#75715e"># Skip TLS verification</span> </span></span><span style="display:flex;"><span> -c <span style="color:#e6db74">&#34;PHPSESSID=abc123&#34;</span> <span style="color:#ae81ff">\ </span> <span style="color:#75715e"># Cookie</span> </span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer tok&#34;</span> <span style="color:#ae81ff">\ </span><span style="color:#75715e"># Custom header</span> </span></span><span style="display:flex;"><span> -U &lt;user&gt; -P &lt;pass&gt; <span style="color:#ae81ff">\ </span> <span style="color:#75715e"># HTTP Basic auth</span> </span></span><span style="display:flex;"><span> -r <span style="color:#ae81ff">\ </span> <span style="color:#75715e"># Follow redirects</span> </span></span><span style="display:flex;"><span> -e <span style="color:#ae81ff">\ </span> <span style="color:#75715e"># Print full URL</span> </span></span><span style="display:flex;"><span> -o results.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># HTTPS target</span> </span></span><span style="display:flex;"><span>gobuster dir -u https://&lt;ip&gt; -w wordlist.txt -k </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Custom User-Agent</span> </span></span><span style="display:flex;"><span>gobuster dir -u http://&lt;ip&gt; -w wordlist.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -a <span style="color:#e6db74">&#34;Mozilla/5.0&#34;</span> </span></span></code></pre></div><h3 id="dir-flags">dir Flags</h3> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-u &lt;url&gt;</code></td> <td>Target URL</td> </tr> <tr> <td><code>-x &lt;ext&gt;</code></td> <td>File extensions (comma-separated)</td> </tr> <tr> <td><code>-s &lt;codes&gt;</code></td> <td>Allowed status codes</td> </tr> <tr> <td><code>-b &lt;codes&gt;</code></td> <td>Blacklisted status codes</td> </tr> <tr> <td><code>-r</code></td> <td>Follow redirects</td> </tr> <tr> <td><code>-k</code></td> <td>Skip TLS certificate verification</td> </tr> <tr> <td><code>-c &lt;cookie&gt;</code></td> <td>Cookie string</td> </tr> <tr> <td><code>-H &lt;header&gt;</code></td> <td>Extra header (repeatable)</td> </tr> <tr> <td><code>-U / -P</code></td> <td>HTTP Basic auth username/password</td> </tr> <tr> <td><code>-e</code></td> <td>Print full URL in output</td> </tr> <tr> <td><code>-l</code></td> <td>Print response length</td> </tr> <tr> <td><code>--timeout &lt;dur&gt;</code></td> <td>Request timeout</td> </tr> <tr> <td><code>--wildcard</code></td> <td>Force continue if wildcard found</td> </tr> <tr> <td><code>--exclude-length &lt;n&gt;</code></td> <td>Exclude responses of this length</td> </tr> </tbody> </table> <hr> <h2 id="dns--subdomain-brute-force">dns — Subdomain Brute Force</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Basic DNS brute force</span> </span></span><span style="display:flex;"><span>gobuster dns -d &lt;domain&gt; -w wordlist.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># With specific resolver</span> </span></span><span style="display:flex;"><span>gobuster dns -d example.com -w wordlist.txt -r 8.8.8.8 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Show IP addresses</span> </span></span><span style="display:flex;"><span>gobuster dns -d example.com -w wordlist.txt -i </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Wildcard override</span> </span></span><span style="display:flex;"><span>gobuster dns -d example.com -w wordlist.txt --wildcard </span></span></code></pre></div><h3 id="dns-flags">dns Flags</h3> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-d &lt;domain&gt;</code></td> <td>Target domain</td> </tr> <tr> <td><code>-r &lt;resolver&gt;</code></td> <td>Custom DNS resolver</td> </tr> <tr> <td><code>-i</code></td> <td>Show IP addresses of found subdomains</td> </tr> <tr> <td><code>--wildcard</code></td> <td>Force scan even if wildcard DNS detected</td> </tr> </tbody> </table> <hr> <h2 id="vhost--virtual-host-discovery">vhost — Virtual Host Discovery</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Basic vhost scan</span> </span></span><span style="display:flex;"><span>gobuster vhost -u http://&lt;ip&gt; -w wordlist.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Append domain to wordlist entries</span> </span></span><span style="display:flex;"><span>gobuster vhost -u http://&lt;ip&gt; -w wordlist.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --append-domain <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --domain example.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Filter out specific response length (removes default/fallback page)</span> </span></span><span style="display:flex;"><span>gobuster vhost -u http://&lt;ip&gt; -w wordlist.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --append-domain <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --exclude-length <span style="color:#ae81ff">290</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># HTTPS</span> </span></span><span style="display:flex;"><span>gobuster vhost -u https://&lt;ip&gt; -w wordlist.txt -k --append-domain </span></span></code></pre></div><h3 id="vhost-flags">vhost Flags</h3> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-u &lt;url&gt;</code></td> <td>Target URL</td> </tr> <tr> <td><code>--append-domain</code></td> <td>Append base domain to each word</td> </tr> <tr> <td><code>--domain &lt;domain&gt;</code></td> <td>Base domain to append</td> </tr> <tr> <td><code>--exclude-length &lt;n&gt;</code></td> <td>Exclude responses of this content length</td> </tr> </tbody> </table> <hr> <h2 id="fuzz--generic-fuzzing">fuzz — Generic Fuzzing</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Fuzz a parameter value</span> </span></span><span style="display:flex;"><span>gobuster fuzz -u <span style="color:#e6db74">&#34;http://&lt;ip&gt;/page.php?id=FUZZ&#34;</span> -w wordlist.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Fuzz with status filter</span> </span></span><span style="display:flex;"><span>gobuster fuzz -u <span style="color:#e6db74">&#34;http://&lt;ip&gt;/FUZZ.php&#34;</span> -w wordlist.txt -b <span style="color:#ae81ff">404</span> </span></span></code></pre></div><hr> <h2 id="recommended-wordlists">Recommended Wordlists</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Directories</span> </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/Web-Content/common.txt </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Files (with extensions)</span> </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Virtual hosts / subdomains</span> </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt </span></span><span style="display:flex;"><span>/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt </span></span></code></pre></div><hr> <h2 id="example-full-runs">Example Full Runs</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Directory + file scan</span> </span></span><span style="display:flex;"><span>gobuster dir <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -u http://example.com <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -x php,html,txt,bak,zip <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -t <span style="color:#ae81ff">50</span> -e -l <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -o gobuster_dir.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Virtual host discovery</span> </span></span><span style="display:flex;"><span>gobuster vhost <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -u http://example.com <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --append-domain <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --exclude-length <span style="color:#ae81ff">290</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -t <span style="color:#ae81ff">50</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -o gobuster_vhost.txt </span></span></code></pre></div> https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/puredns/ Mon, 01 Jan 0001 00:00:00 +0000 https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/puredns/ <h1 id="puredns-cheatsheet">puredns Cheatsheet</h1> <p><strong>Type:</strong> Powerful DNS brute-forcing and resolution tool — filters wildcard results effectively at scale</p> <hr> <h2 id="installation">Installation</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>go install github.com/d3mondev/puredns/v2@latest </span></span><span style="display:flex;"><span><span style="color:#75715e"># Binary ends up in ~/go/bin/puredns</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Also requires massdns (dependency for fast resolution)</span> </span></span><span style="display:flex;"><span>git clone https://github.com/blechschmidt/massdns.git </span></span><span style="display:flex;"><span>cd massdns <span style="color:#f92672">&amp;&amp;</span> make </span></span><span style="display:flex;"><span>sudo cp bin/massdns /usr/local/bin/ </span></span></code></pre></div><hr> <h2 id="modes">Modes</h2> <table> <thead> <tr> <th>Mode</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>bruteforce</code></td> <td>Brute force subdomains using a wordlist</td> </tr> <tr> <td><code>resolve</code></td> <td>Resolve a list of domains/subdomains</td> </tr> </tbody> </table> <hr> <h2 id="basic-usage">Basic Usage</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Brute force</span> </span></span><span style="display:flex;"><span>puredns bruteforce wordlist.txt example.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Resolve a list of subdomains</span> </span></span><span style="display:flex;"><span>puredns resolve subdomains.txt </span></span></code></pre></div><hr> <h2 id="common-flags">Common Flags</h2> <table> <thead> <tr> <th>Flag</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>-r &lt;file&gt;</code></td> <td>Resolver list file (required for speed)</td> </tr> <tr> <td><code>--resolvers-trusted &lt;file&gt;</code></td> <td>Trusted resolvers for wildcard detection</td> </tr> <tr> <td><code>-l &lt;n&gt;</code></td> <td>Rate limit (queries per second)</td> </tr> <tr> <td><code>--bin &lt;path&gt;</code></td> <td>Path to massdns binary</td> </tr> <tr> <td><code>-w &lt;file&gt;</code></td> <td>Write valid results to file</td> </tr> <tr> <td><code>--wildcard-tests &lt;n&gt;</code></td> <td>Number of wildcard tests per domain (default: 10)</td> </tr> <tr> <td><code>--wildcard-batch &lt;n&gt;</code></td> <td>Subdomains to test per batch</td> </tr> <tr> <td><code>--skip-wildcard-filter</code></td> <td>Skip wildcard filtering</td> </tr> <tr> <td><code>--skip-validation</code></td> <td>Skip validation step</td> </tr> <tr> <td><code>-t &lt;n&gt;</code></td> <td>Massdns threads</td> </tr> <tr> <td><code>-q</code></td> <td>Quiet mode</td> </tr> <tr> <td><code>-v</code></td> <td>Verbose</td> </tr> </tbody> </table> <hr> <h2 id="common-commands">Common Commands</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Basic brute force with resolver list</span> </span></span><span style="display:flex;"><span>puredns bruteforce wordlist.txt example.com -r resolvers.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Brute force with rate limiting</span> </span></span><span style="display:flex;"><span>puredns bruteforce wordlist.txt example.com <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -r resolvers.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -l <span style="color:#ae81ff">1000</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Brute force with trusted resolvers for wildcard detection</span> </span></span><span style="display:flex;"><span>puredns bruteforce wordlist.txt example.com <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -r resolvers.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --resolvers-trusted trusted.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Save results to file</span> </span></span><span style="display:flex;"><span>puredns bruteforce wordlist.txt example.com <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -r resolvers.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w results.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Resolve a list of subdomains</span> </span></span><span style="display:flex;"><span>puredns resolve subdomains.txt -r resolvers.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Resolve and save valid results</span> </span></span><span style="display:flex;"><span>puredns resolve subdomains.txt -r resolvers.txt -w resolved.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Skip wildcard filter (if you want all results)</span> </span></span><span style="display:flex;"><span>puredns bruteforce wordlist.txt example.com <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -r resolvers.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> --skip-wildcard-filter </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Quiet output (subdomains only to stdout)</span> </span></span><span style="display:flex;"><span>puredns bruteforce wordlist.txt example.com -r resolvers.txt -q </span></span></code></pre></div><hr> <h2 id="resolver-lists">Resolver Lists</h2> <p>Public resolver lists are essential for speed and accuracy:</p>