# Subdominios y Virtual Host (VHost) ## Subdominios ### DNSRecon * ```shell ./dnsrecon.py -d -D -t brt ``` * -d = nombre de dominio. * \ = objetivo. * -D = lectura de subdominios a realizar fuerza bruta. * \ = ruta de wordlist de subdominios ([SecList](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt)). * -t = tipo de enumeración (brt = brute force). ```shell ./dnsrecon.py -d -D -c CVS -t brt ./dnsrecon.py -d -D -x XML -t brt ./dnsrecon.py -d -D -j JSON -t brt ``` * -d = nombre de dominio. * \ = objetivo. * -D = lectura de subdominios a realizar fuerza bruta. * \ = ruta de wordlist de subdominios ([SecList](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt)). * -c = guarda resultado en CVS. * -x = guarda resultado en XML. * -j = guarda resultado en JSON. * -t = tipo de enumeración (brt = brute force). ### dnsx ```sh dnsx -d -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -silent -o dnsx-subdomains.txt ``` ### Gobuster ```sh gobuster dns -d -w -i -o gobuster-dns-subdomains.txt ``` * -d = nombre de dominio. * \ = nombre de dominio. * -w = lectura de subdominios a descubrir desde archivo. * \ = archivo con listado de subdominios ([SecList](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt)). * -i = muestra direcciones IP. * -o = guarda resultado en archivo `gobuster-dns-subdomains.txt`. ### FFuF ```shell ffuf -u http://FUZZ./ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -c -o ffuf-subdomains.html -of html ``` * -u = URL. * \ = objetivo. * FUZZ = la palabra `FUZZ` será reemplazada con los valores de la wordlist. * -w = wordlist. * \ = ruta de wordlist de subdominios ([SecList](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt)). ### subfinder ```sh subfinder -d -recursive -all -silent -o subfinder-subdomains.txt ``` ### Wfuzz ```sh wfuzz -c -Z -z file, --hh http://FUZZ. ``` ## Virtual Host (VHost) ### cURL ```bash cat | while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl http:// -H "HOST: ${vhost}.{target}" ;done ``` * \ = ruta de wordlist de subdominios y virtual host ([SecList](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt)). * \ = objetivo. ### Gobuster ```sh gobuster vhost -u http:/// -w --append-domain --exclude-length ``` ### FFuF ```shell ffuf -u http:/// -w :FUZZ -H 'Host: FUZZ.' -fs ``` * -u = URL. * \ = objetivo. * -w = wordlist. * \ = ruta de wordlist de subdominios y virtual host ([SecList](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt)). * -H = HTTP headers. * FUZZ = la palabra `FUZZ` será reemplazada con los valores de la wordlist. * -fs = filtra el tamaño de la respuesta HTTP. * \ = tamaño de respuesta HTTP. ### Wfuzz ```sh wfuzz -c -z file, -H "Host: FUZZ." --hh http:/// ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://web.mrw0l05zyn.cl/reconocimiento-y-recoleccion-de-informacion/subdominios-y-virtual-host-vhost.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.