Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
Web Technologies
APIs
JS
ASP.NET
JWT
GitHub
GitLab
WAFs
Firebird
Wordpress
WebDav
Joomla
Jenkins
IIS
VHosts
Firebase
OWA
OAuth
Flask
Symfony && Twig
Drupal
NoSQL (MongoDB, CouchDB)
PHP
RoR (Ruby on Rails)
JBoss - Java Deserialization
OneLogin - SAML Login
Flash SWF
Nginx
Python
Tomcat
Adobe AEM
Magento
SAP
MFA
GWT
Jira
OIDC (Open ID Connect)
ELK
Sharepoint
Others
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
VHosts

Tools

# https://github.com/jobertabma/virtual-host-discovery
ruby scan.rb --ip=192.168.1.101 --host=domain.tld
​
# https://github.com/dariusztytko/vhosts-sieve
python3 vhosts-sieve.py -d domains.txt -o vhosts.txt
​
# Enum vhosts
fierce -dns example.com
​
# https://github.com/codingo/VHostScan
VHostScan -t example.com

Techniques

# ffuf
badresponse=$(curl -s -H "host: totallynotexistsforsure.bugcrowd.com" https://bugcrowd.com | wc -c)
ffuf -u https://TARGET.com -H "Host: FUZZ.TARGET.com" -w werdlists/dns-hostnames/nmap-vhosts-all.txt -fs $badresponse
​
# Manual with subdomains list
for sub in $(cat subdomains.txt); do
echo "$sub $(dig +short a $sub | tail -n1)" | anew -q subdomains_ips.txt
done
​
Previous
IIS
Next
Firebase
Last modified 1yr ago
Export as PDF
Copy link
Edit on GitHub
Outline
Tools
Techniques