Hey there ladies and gentlemen.
I know my fare share of various domain enumeration tools and such, but i was wondering if anyone could recommend subdomain brute force tools which isnt doing it over dns.
I have seen a few tools which does it by requesting the a subdomain and enumerating the outcome etc etc.
Suggestions would be appriciated.
I developed a tool to enumerate subdomains by using search-engines.
Give it a look on Github at GitHub - mrnfrancesco/yass: YASS (Yet Another Subdomainer Software) is a plugin-powered search engine based subdomainer.
Wfuzz can do that. It is semi-reliable for HTB boxes.
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.host.com" --hc 200 --hw 356 -t 100 10.10.10.101
Adjust the threads and hide code/word parameters to suit your needs.
hey guys, thats a bunch for the quick responses, thats appriciated. I will have a look at both thins… i am familiar with wfuzz but hadnt spotted the ability to enumerate subdomains in that way. 
@mrnfrancesco said:
I developed a tool to enumerate subdomains by using search-engines.
Give it a look on Github at GitHub - mrnfrancesco/yass: YASS (Yet Another Subdomainer Software) is a plugin-powered search engine based subdomainer.
the domain feature iv seen before, it is a really versatile way of getting interesting results and often a lot of context, is there by any chance support for enumerating via the webserver ?
Sorta like the wfuzz exampe
gobuster vhost
right under my nose. i should do -h more hehe
Type your comment> @Ketil said:
@mrnfrancesco said:
I developed a tool to enumerate subdomains by using search-engines.
Give it a look on Github at GitHub - mrnfrancesco/yass: YASS (Yet Another Subdomainer Software) is a plugin-powered search engine based subdomainer.the domain feature iv seen before, it is a really versatile way of getting interesting results and often a lot of context, is there by any chance support for enumerating via the webserver ?
Sorta like the wfuzz exampe
The tool is not intended to work in that way yet, but it could be an interesting feature for a future release.
By now, if you want to brute-force VHOST it not suite your needs like the other suggested solutions.
@mrnfrancesco , Thanks for the input I appreciate your feedback Have a great day.
Type your comment> @delo said:
Wfuzz can do that. It is semi-reliable for HTB boxes.
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.host.com" --hc 200 --hw 356 -t 100 10.10.10.101Adjust the threads and hide code/word parameters to suit your needs.
I tried use wfuzz for searching subdomains in forwardslash but without any result.
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H “Host: FUZZ.forwardslash.com” --hc 200 --hw 356 -t 100 10.10.10.183
I tried use wordlist with subdomains that exist for this box and I don’t get any result
Where I do mistake?
Type your comment> @fr0ster said:
Type your comment> @delo said:
Wfuzz can do that. It is semi-reliable for HTB boxes.
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.host.com" --hc 200 --hw 356 -t 100 10.10.10.101Adjust the threads and hide code/word parameters to suit your needs.
I tried use wfuzz for searching subdomains in forwardslash but without any result.
wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H “Host: FUZZ.forwardslash.com” --hc 200 --hw 356 -t 100 10.10.10.183
I tried use wordlist with subdomains that exist for this box and I don’t get any result
Where I do mistake?
It’s not “.com”, but “.htb”
Type your comment> @mrnfrancesco said:
I developed a tool to enumerate subdomains by using search-engines.
Give it a look on Github at GitHub - mrnfrancesco/yass: YASS (Yet Another Subdomainer Software) is a plugin-powered search engine based subdomainer.
this looks perfect but still not usefull with host.htb sites, or i miss things?
Hey, for subdomain enumeration over HTTP requests, you might want to try https://subdomainfinder.in. I’ve used it before and it worked pretty well for me.