Virtual Host Enumeration with ffuf
recontool
Summary
Discovers virtual hosts / subdomains by fuzzing the Host header with ffuf and using auto-calibration to filter default responses.
Walkthrough
Use ffuf to brute-force the HTTP Host header and uncover virtual hosts served by the same web server.
Steps
- Point
-uat the target and placeFUZZinside theHost:header value. - Supply a DNS subdomain wordlist with
-w. - Use
-mc allto see every status code and-ac(auto-calibration) to filter out wildcard/default responses; repeat on alternate ports such as 8080.
Commands
bash
ffuf -u http://<TARGET>/ -H "Host: FUZZ.trackbox.scipiosoft.com" -w /home/kali/Desktop/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -ac
bash
ffuf -u "http://<TARGET>:8080" -H "Host: FUZZ.<TARGET>:8080" -w /home/kali/Desktop/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -ac