# Subdomains and Virtual Hosts (VHost)

## Subdomains

### DNSRecon

* <https://github.com/darkoperator/dnsrecon>

```shell
./dnsrecon.py -d <target> -D <path-wordlist> -t brt
```

* -d = domain name.
  * \<target> = target.
* -D = dictionary file of subdomains to brute-force.
  * \<path-wordlist> = path to the subdomain wordlist ([SecLists](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt)).
* -t = enumeration type (brt = brute force).

```shell
# -c, -x and -j each take the name of the output file to write
./dnsrecon.py -d <target> -D <path-wordlist> -c <output.csv> -t brt
./dnsrecon.py -d <target> -D <path-wordlist> -x <output.xml> -t brt
./dnsrecon.py -d <target> -D <path-wordlist> -j <output.json> -t brt
```

* -d = domain name.
  * \<target> = target.
* -D = dictionary file of subdomains to brute-force.
  * \<path-wordlist> = path to the subdomain wordlist ([SecLists](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt)).
* -c = saves the result to a CSV file.
* -x = saves the result to an XML file.
* -j = saves the result to a JSON file.
* -t = enumeration type (brt = brute force).

### dnsx

```sh
dnsx -d <target> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -silent -o dnsx-subdomains.txt
```

### Gobuster

```sh
gobuster dns -d <domain-name> -w <subdomains-list.txt> -i -o gobuster-dns-subdomains.txt
```

* -d = domain name.
  * \<domain-name> = domain name.
* -w = file with the subdomains to try.
  * \<subdomains-list.txt> = file with the list of subdomains ([SecLists](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt)).
* -i = shows IP addresses.
* -o = saves the result to the file `gobuster-dns-subdomains.txt`.

### FFuF

```shell
ffuf -u http://FUZZ.<target>/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -c -o ffuf-subdomains.html -of html
```

* -u = URL.
  * \<target> = target.
  * FUZZ = the keyword `FUZZ` is replaced with each value from the wordlist.
* -w = wordlist.
  * \<path-wordlist> = path to the subdomain wordlist ([SecLists](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt)).

### subfinder

```sh
subfinder -d <target> -recursive -all -silent -o subfinder-subdomains.txt
```

### Wfuzz

```sh
wfuzz -c -Z -z file,<path-wordlist> --hh <chars> http://FUZZ.<target.tld>
```

## Virtual Host (VHost)

### cURL

```bash
# printf is used because bash's echo does not expand \n without -e
cat <path-wordlist> | while read -r vhost; do printf '\n********\nFUZZING: %s\n********\n' "${vhost}"; curl http://<target> -H "Host: ${vhost}.<target>"; done
```

* \<path-wordlist> = path to the subdomain and virtual host wordlist ([SecLists](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt)).
* \<target> = target.

### Gobuster

```sh
gobuster vhost -u http://<target>/ -w <path-wordlist> --append-domain --exclude-length <size>
```

### FFuF

```shell
ffuf -u http://<target>/ -w <path-wordlist>:FUZZ -H 'Host: FUZZ.<target>' -fs <size>
```

* -u = URL.
  * \<target> = target.
* -w = wordlist.
  * \<path-wordlist> = path to the subdomain and virtual host wordlist ([SecLists](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt)).
* -H = HTTP headers.
  * FUZZ = the keyword `FUZZ` is replaced with each value from the wordlist.
* -fs = filters out responses by HTTP response size.
  * \<size> = HTTP response size.

### Wfuzz

```sh
wfuzz -c -z file,<path-wordlist> -H "Host: FUZZ.<target>" --hh <chars> http://<target>/
```
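
Seen from the web server, every VHost command in this section leaves the same trace: one client cycling through many `Host` values, most of them answered with the default-site response size that `-fs`, `--exclude-length` and `--hh` filter out. The following is an added example (not part of the original page) that flags that pattern in an access log. The log format, the sample lines and the names `sample_log` and `flag_vhost_fuzzers` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag clients that cycle through many Host header values.
# Assumed (constructed) log format, one request per line:
#   <client-ip> <host-header> <status> <response-bytes>

# Constructed sample: 10.0.0.5 cycles Host values, 10.0.0.9 browses normally.
sample_log() {
cat <<'EOF'
10.0.0.5 www.example.test 200 1532
10.0.0.5 admin.example.test 200 1532
10.0.0.5 dev.example.test 200 1532
10.0.0.5 mail.example.test 200 1532
10.0.0.5 staging.example.test 200 8410
10.0.0.9 www.example.test 200 1532
10.0.0.9 www.example.test 200 2210
10.0.0.9 shop.example.test 200 5120
EOF
}

# flag_vhost_fuzzers <min-distinct-hosts>
# Reads log lines on stdin and prints, for each client at or above the threshold:
#   <ip> <distinct-hosts> <requests> <hits-on-most-common-response-size>
# A high last column means most names fell through to the default vhost.
flag_vhost_fuzzers() {
  awk -v min="$1" '
    NF >= 4 {
      ip = $1; host = tolower($2)
      reqs[ip]++
      # count each Host value once per client
      if (!((ip, host) in seen)) { seen[ip, host] = 1; hosts[ip]++ }
      # track how often the most common response size was returned
      size[ip, $4]++
      if (size[ip, $4] > top[ip]) top[ip] = size[ip, $4]
    }
    END {
      for (ip in hosts)
        if (hosts[ip] >= min)
          print ip, hosts[ip], reqs[ip], top[ip]
    }' | sort
}

sample_log | flag_vhost_fuzzers 4
```

On a real server the threshold depends on how many virtual hosts a legitimate client normally visits, and the `Host` value has to be part of the configured log format for this to work.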
