Information gathering - web edition

Which one did you end up using? I have used so many and I get about 50 subdomains that mean nothing!

A common one :slight_smile:

You can use SecLists.

I'm using gobuster, none of the wordlists are working or giving me random subdomains - unless the right one is in the loooong list provided, aha

As @0xbughunter said try out the DNS wordlists from SecLists

1 Like

You should also try filtering based on parameters the random subdomains have in common
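
The filtering suggested in the post above, as an added example that is not part of the original thread: when a server answers every unknown Host header with the same default page, most fuzzing hits share one status/size/word-count signature, and dropping that signature leaves only the names that answered differently. The function names and the sample rows are constructed for illustration and do not come from the lab.

```python
from collections import Counter

# Constructed sample rows: (candidate name, HTTP status, body size, word count),
# the fields a vhost fuzzing tool typically reports. All values are made up.
SAMPLE_RESULTS = [
    ("www", 200, 10918, 512),
    ("root", 200, 10918, 512),
    ("files", 200, 10918, 512),
    ("mail", 200, 10918, 512),
    ("example-a", 200, 4312, 198),
    ("admin1", 200, 10918, 512),
    ("example-b", 302, 0, 0),
]


def response_signature(row):
    """Return the fields that catch-all answers have in common."""
    _name, status, size, words = row
    return (status, size, words)


def find_baseline(results, min_share=0.5):
    """Return the signature shared by at least min_share of rows, else None.

    A dominant signature is the mark of a catch-all (default) response.
    """
    if not results:
        return None
    counts = Counter(response_signature(r) for r in results)
    signature, hits = counts.most_common(1)[0]
    return signature if hits / len(results) >= min_share else None


def filter_catch_all(results, min_share=0.5):
    """Drop rows matching the catch-all baseline; keep all if none dominates."""
    baseline = find_baseline(results, min_share)
    if baseline is None:
        return list(results)
    return [r for r in results if response_signature(r) != baseline]


if __name__ == "__main__":
    for name, status, size, words in filter_catch_all(SAMPLE_RESULTS):
        print(f"{name}: status={status} size={size} words={words}")
```

The main site itself usually matches the baseline too, so it is filtered along with the noise; that is expected, since it is the page the catch-all is serving.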

There are different ways to find subdomains via gobuster itself, and yes, the SecLists DNS wordlist is sufficient.

1 Like

What dictionary? Because I used all. Do I have to fuzz vhost?

Hmm, I must be doing something awfully wrong.
The steps I have taken:

  1. Configured /etc/hosts file with inlanefreight.htb.
  2. Used reconspider to see if any email/links, but nothing appears in the output file. Then tried Finalrecon - does a full scan but cannot find the API key (claimed to have found one subdomain - however the output file is empty).
  3. Tried manually finding the subdomain using Gobuster in vhost mode with SecLists wordlists, no output - sometimes will load up random subdomains such as ■■■ Files and Programs., www., root. and about 100 more.
  4. Tried dnsenum - but again no output at all.

Maybe I’m scanning the wrong IP, I know for the first question you have to target inlanefreight.com rather than inlanefreight.htb - just very stuck right now… :slight_smile:

I also found it… but it doesn’t serve as an answer.

I have found the answer; it's pretty simple and straightforward after thinking about it, for the API key.

  1. Make sure you added the IP and vhost name correctly in /etc/hosts.
  2. Brute force subdomains, it's in the SecLists DNS section. Remember, be patient and let it run. Don't forget to crawl at every new subdomain found.
  3. Repeat :wink: Remember, subdomains can have another subdomain on top of them.

1 Like

The issue I'm having is that when I brute force inlanefreight.htb it does not find the subdomains; even with the subdomain SecLists it does not find anything.

DM me on how you are brute forcing.

Na, you will have to configure /etc/hosts the right way, and you can verify it once you access the configured host in the browser. Secondly, you will need to enumerate subdomains twice.

1 Like

I am having the same problem as azizif - totally stuck on the question:

```
Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names.
```

I've tried everything I can think of and then some. The recursive brute forcing takes way too long for it to be feasible in Pwnbox for me. I've tried all the wordlists in all the enumeration tools in the section. Any hints?

Hi, so I’ve managed to finish the module.
The issue for me may have been with my /etc/resolv.conf file.
Deleted my nameserver which included my IP and used 1.1.1.1 or 8.8.8., once setting that up the subdomain I needed revealed was coming up.
Give that a try, but it seemed to have worked for me.
Hope this helps!

2 Likes

I can’t get any subdomains to return from gobuster. I moved over to ffuf and used the SecLists list and I get 100 results after I filter the size. Still none of these subdomains returned are of any use. Is there something I am missing with gobuster that will lead me to this answer that ffuf can’t?

Hi sir, could you help or give some hints? I found vhosts but I don't know which one it is, thanks a lot.

Do I have to do vhost or subdomain fuzzing? Thanks.

Hi sir, do I have to do vhost or subdomain fuzzing? Thanks a lot!!