← Back to search

Virtual Host Enumeration with ffuf

recontool

Summary

Discovers virtual hosts / subdomains by fuzzing the Host header with ffuf and using auto-calibration to filter default responses.

Walkthrough

Use ffuf to brute-force the HTTP Host header and uncover virtual hosts served by the same web server.

Steps

  • Point -u at the target and place FUZZ inside the Host: header value.
  • Supply a DNS subdomain wordlist with -w.
  • Use -mc all to see every status code and -ac (auto-calibration) to filter out wildcard/default responses; repeat on alternate ports such as 8080.

Commands

bash

ffuf -u http://<TARGET>/ -H "Host: FUZZ.trackbox.scipiosoft.com" -w /home/kali/Desktop/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -ac

bash

ffuf -u "http://<TARGET>:8080" -H "Host: FUZZ.<TARGET>:8080" -w /home/kali/Desktop/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -ac