Hello All
I hope you all are doing well. This is my 4th blog on advanced bug bounty tips and tricks. Today's topic is advanced directory fuzzing and subdomain takeover, so let's start.
Subdomain takeover
We will use the tool HostileSubBruteforcer to find subdomain takeover vulnerabilities.
This app will bruteforce for existing subdomains and provide the following information:
- IP address
- Host
- Whether the 3rd-party host has been properly set up (for example, if site.example.com is pointing to a nonexistent Heroku subdomain, it'll alert you). Currently only works with AWS, GitHub, Heroku, Shopify, Tumblr and Squarespace.
There may be some false positives depending on the host configurations (tried to take them out as much as possible). It also works recursively at the end to get the subdomains under the ones it has already found, and dumps all your data into an output.txt file just in case (a fresh one gets created at the beginning of each process).
Tool link :- https://github.com/nahamsec/HostileSubBruteforcer
How to install it
- git clone https://github.com/nahamsec/HostileSubBruteforcer
- cd HostileSubBruteforcer
- ruby sub_brute.rb --fast
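As an added example (not part of this post or of the HostileSubBruteforcer project), here is the same dangling-alias check written from the defender's side in Ruby, run over your own zone export: it matches CNAME targets against third-party provider suffixes and, for those, checks whether the provider serves its "unclaimed name" page. The suffix list, the two fingerprints, the sample zone and the offline probe are all assumptions constructed for this example.

```ruby
require 'net/http'
require 'uri'
# CNAME suffix => [provider, text the provider serves for an unclaimed name].
# Only the two fingerprints used here are asserted; AWS, Shopify, Tumblr and
# Squarespace (also covered by the tool) would each need their own entry.
PROVIDERS = {
  'herokuapp.com' => ['Heroku', 'No such app'],
  'github.io'     => ['GitHub Pages', "There isn't a GitHub Pages site here"]
}.freeze

# [provider, fingerprint] when +target+ sits under a known provider suffix, else nil.
def provider_for(target)
  host = target.downcase.chomp('.')
  PROVIDERS.each do |suffix, entry|
    return entry if host == suffix || host.end_with?(".#{suffix}")
  end
  nil
end

# Live probe: fetch the alias target and look for the provider's "unclaimed" page.
# DNS alone cannot decide this: these providers answer for every name under their
# wildcard, so the response body is what shows the name is no longer claimed.
def unclaimed_body?(target, fingerprint)
  Net::HTTP.get(URI("https://#{target}/")).include?(fingerprint)
rescue StandardError
  false # unreachable targets need manual review; not reported as findings here
end

# records: [[owner, cname_target], ...] from your own zone export.
# probe: callable (target, fingerprint) -> true when the name is unclaimed;
# injectable so the audit runs offline against constructed answers.
# Each finding is a dangling alias to remove from the zone or reclaim at the provider.
def dangling_cnames(records, probe: method(:unclaimed_body?))
  records.filter_map do |owner, target|
    provider, fingerprint = provider_for(target)
    next unless provider && probe.call(target, fingerprint)
    { owner: owner, target: target, provider: provider }
  end
end

# Constructed sample zone (not real records): one alias to a released Heroku app.
SAMPLE_ZONE = [
  ['www.example.com',  'example.github.io'],
  ['app.example.com',  'retired-app-1234.herokuapp.com'],
  ['mail.example.com', 'mx.mailhost.example.net']
].freeze

# Constructed stand-in for the network probe, so the sample runs offline.
SAMPLE_PROBE = ->(target, _fingerprint) { target == 'retired-app-1234.herokuapp.com' }
```

Calling dangling_cnames(SAMPLE_ZONE, probe: SAMPLE_PROBE) reports only app.example.com; against a real zone, drop the probe: argument to use the live HTTP check.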

Directory Fuzzing Using FFUF
Install:
- Download a prebuilt binary from the releases page, unpack and run!
or
- If you have a recent Go compiler installed: go get -u github.com/ffuf/ffuf (the same command works for updating)
or
- git clone https://github.com/ffuf/ffuf ; cd ffuf ; go get ; go build
ffuf depends on Go 1.13 or greater.
Usage: ffuf -w /path/to/wordlist -u https://target/FUZZ
Now let's scan all subdomains in one single command:
findomain -t example.com | sed 's#\*\.##g' | httpx -silent -threads 10 | xargs -I@ sh -c 'ffuf -w path.txt -u @/FUZZ -mc 200'
Here findomain enumerates the subdomains, sed strips any leading "*." from wildcard entries, httpx -silent keeps only the hosts that actually answer over HTTP, and xargs -I@ runs one ffuf scan per live host with path.txt as the wordlist, showing only paths that return 200.
This will automate the directory fuzzing process.
Thanks For Reading