Domain Fuzzing

Sub-domain Fuzzing

A sub-domain is a website that is part of another domain. For example, https://photos.google.com is the photos sub-domain of google.com.

Here, we are checking whether candidate sub-domains exist by looking for a public DNS record that points to a working server IP. Let's run a scan to see if we find any. Before starting, we need two things:

  • A wordlist

  • A target

Fortunately, the SecLists repo has a section for sub-domain wordlists with common words used for sub-domains. You can find it in /seclists/Discovery/DNS/. We'll use a shorter wordlist called subdomains-top1million-5000.txt. If we want a more extensive scan, we can choose a larger list.

For our target, we'll use inlanefreight.com and run our scan on it. We'll use ffuf and place the FUZZ keyword where the sub-domains go to see if we find any matches:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/

Vhost Fuzzing

In the sub-domain fuzzing section above, we were able to fuzz public sub-domains using public DNS records. However, that method cannot find sub-domains that have no public DNS record, or sub-domains of websites that are not public. In this section, we will learn how to do that with VHost Fuzzing.

Vhosts vs. Sub-domains

The main difference between VHosts and sub-domains is that a VHost is like a 'sub-domain' on the same server with the same IP, meaning one IP can host multiple websites.

VHosts might not have public DNS records.

Often, websites have sub-domains that aren't public and don't appear in public DNS records. So, if we try to visit them in a browser, we can't connect because the public DNS doesn't know their IP. Using sub-domain fuzzing, we can only find public sub-domains, not the private ones.

This is where VHosts Fuzzing comes in handy. We use it on an IP we already know. By scanning this IP, we can find both public and private sub-domains and VHosts.

To scan for VHosts without manually adding the entire wordlist to our /etc/hosts, we fuzz an HTTP header, specifically the Host: header. To do that, we use the -H flag to specify the header and place the FUZZ keyword within it, as follows:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://<target_url>/ -H 'Host: FUZZ.<target_url>'
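The Host-header scan above only becomes useful once the default site's response is told apart from a real VHost: a catch-all default site answers every Host value, so without a baseline every wordlist entry looks like a hit. The following added Python example (not from the original page and not ffuf's code) runs that same logic against a constructed in-memory server; the vhost names, sizes and the example.com domain are made up for illustration, and an administrator can run the same check against a server they operate to list every VHost it answers for.

```python
import random
import string
from typing import Callable, Dict, List, Tuple

# A response is (status code, body length): the two values ffuf reports per
# request, and the ones that differ only because the Host: header differed.
Response = Tuple[int, int]

# Constructed stand-in for one IP that serves two named sites plus a redirect,
# with a catch-all default site answering every other Host value identically.
CONSTRUCTED_VHOSTS: Dict[str, Response] = {
    "www.example.com": (200, 4096),
    "dev.example.com": (200, 1337),
    "mail.example.com": (302, 0),   # redirects to a webmail login page
}
DEFAULT_RESPONSE: Response = (200, 2523)


def fake_server(host: str) -> Response:
    """Return what the constructed server answers for a given Host: header."""
    return CONSTRUCTED_VHOSTS.get(host, DEFAULT_RESPONSE)


def baseline(fetch: Callable[[str], Response], domain: str) -> Response:
    """Request a random, almost certainly unconfigured vhost to learn how the
    default site responds. Anything matching this response is not a finding."""
    junk = "".join(random.choices(string.ascii_lowercase, k=12))
    return fetch(f"{junk}.{domain}")


def vhost_scan(fetch: Callable[[str], Response], domain: str,
               wordlist: List[str]) -> Dict[str, Response]:
    """Send one request per wordlist entry, varying only the Host: header,
    and keep the hosts whose response differs from the default baseline.
    This is what ffuf's -fs (filter size) does with the default body length."""
    base = baseline(fetch, domain)
    hits: Dict[str, Response] = {}
    for word in wordlist:
        host = f"{word}.{domain}"
        resp = fetch(host)
        if resp != base:
            hits[host] = resp
    return hits


if __name__ == "__main__":
    words = ["www", "dev", "mail", "ftp", "admin", "staging"]
    for host, (status, size) in vhost_scan(fake_server, "example.com", words).items():
        print(f"{host}: status={status} size={size}")
```

Without the baseline comparison, ftp, admin and staging would also be reported, each with the default site's 200/2523 response.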