Virtual Host and Subdomain Fuzzing
The role of Virtual Hosting and Subdomains
Vhosts
- Virtual hosting enables multiple websites or domains to be served from a single server or IP address.
- Each vhost is associated with a unique domain name or hostname. When a client sends an HTTP request, the web server examines the Host header to decide which vhost's content to deliver. This lets multiple websites share the same server infrastructure, making efficient use of resources and reducing cost.
Subdomains
- Subdomains, on the other hand, are extensions of a primary domain name, creating a hierarchical structure within the domain.
- They are used to organize different sections or services within a website.
- For example, blog.example.com and shop.example.com are subdomains of the main domain example.com.
- Unlike vhosts, subdomains are resolved to specific IP addresses through DNS (Domain Name System) records. A subdomain and a vhost are often the same name seen from two sides: DNS gets the client to the right IP, and the Host header gets the server to the right site.
| Feature | Virtual Hosts | Subdomains |
|---|---|---|
| Identification | Identified by the Host header in HTTP requests. | Identified by DNS records, pointing to specific IP addresses. |
| Purpose | Primarily used to host multiple websites on a single server. | Used to organize different sections or services within a website. |
| Security Risks | Misconfigured vhosts can expose internal applications or sensitive data. | Subdomain takeover vulnerabilities can occur if DNS records are mismanaged. |
Gobuster VHost Fuzzing
While gobuster is primarily known for directory and file enumeration, its capabilities extend to virtual host (vhost) discovery, making it a valuable tool in assessing the security posture of a web server.
First add the base vhost to your hosts file using the command below (replace IP with the target's address):
m4cc18@htb[/htb]$ echo "IP inlanefreight.htb" | sudo tee -a /etc/hosts
Let's dissect the Gobuster vhost fuzzing command:
m4cc18@htb[/htb]$ gobuster vhost -u http://inlanefreight.htb:81 -w /usr/share/seclists/Discovery/Web-Content/common.txt --append-domain
- `gobuster vhost`: This activates Gobuster's vhost fuzzing mode, instructing it to discover virtual hosts rather than directories or files.
- `-u http://inlanefreight.htb:81`: This specifies the base URL of the target server. Gobuster will use this URL as the foundation for constructing requests with different vhost names. In this example, the target server is located at inlanefreight.htb and listens on port 81.
- `-w /usr/share/seclists/Discovery/Web-Content/common.txt`: This points to the wordlist file that Gobuster will use to generate potential vhost names. The common.txt wordlist from SecLists contains a collection of commonly used names.
- `--append-domain`: This crucial flag instructs Gobuster to append the base domain (inlanefreight.htb) to each word in the wordlist. This ensures that the Host header in each request includes a complete domain name (e.g., admin.inlanefreight.htb), which is essential for vhost discovery.
In essence, Gobuster first requests a random, nonexistent hostname to learn the server's default (catch-all) response, then takes each word from the wordlist, appends the base domain to it, and sends an HTTP request to the target URL with that name in the Host header. A candidate is reported when its response differs from the baseline (status code or response size), which is how Gobuster surfaces vhosts that are not publicly advertised or documented.
Running the command will execute a vhost scan against the target:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://inlanefreight.htb:81
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/SecLists/Discovery/Web-Content/common.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: .git/logs/.inlanefreight.htb:81 Status: 400 [Size: 157]
...
Found: admin.inlanefreight.htb:81 Status: 200 [Size: 100]
Found: android/config.inlanefreight.htb:81 Status: 400 [Size: 157]
...
Progress: 4730 / 4730 (100.00%)
===============================================================
Finished
===============================================================
In the output, each line prefixed with "Found:" is a Host value whose response differed from the baseline; these are candidate vhosts, not subdomains, since no DNS lookup is involved. Not every hit is real: the 400 entries such as .git/logs/ and android/config come from common.txt being a web-content (path) wordlist, and a word containing "/" or starting with "." produces an invalid Host header that the server rejects. The 200 with a distinct size (admin.inlanefreight.htb) is the genuine finding; when the noise gets in the way, use a hostname-oriented wordlist or filter by status and size.
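To make the mechanism above concrete, here is an added example (not gobuster's code) of a minimal vhost fuzzer: it learns the catch-all response from a random hostname, sends each word with the domain appended as the Host header, and keeps only responses that differ in status or size. It also skips wordlist entries that cannot form a legal hostname, which is what produced the 400 noise in the output above. The transport is injectable, so the logic runs offline against a constructed table; the `table` in `__main__` (a 404/157-byte catch-all plus two vhosts) is constructed for the demo, and `http_transport` is the assumed way to hit a live target by IP.

```python
"""Minimal vhost fuzzer showing what `gobuster vhost --append-domain` does under the hood.

Added example, not gobuster's code. Assumptions: the target returns a default
(catch-all) vhost for unknown Host values, and a real vhost answers with a
different status code or body length. The transport is injectable, so the
decision logic can run offline against constructed responses.
"""
from __future__ import annotations

import http.client
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Response:
    status: int  # HTTP status code
    size: int    # body length in bytes, the same "Size" gobuster prints


# A transport takes a Host header value and returns the server's response.
Transport = Callable[[str], Response]


def http_transport(ip: str, port: int, path: str = "/", timeout: float = 10.0) -> Transport:
    """Live transport: connect to ip:port and send a GET with an explicit Host header.
    Connecting by IP means no DNS lookup or /etc/hosts entry is needed per candidate."""
    def send(host: str) -> Response:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        try:
            conn.request("GET", path, headers={"Host": host, "User-Agent": "vhost-fuzz/0.1"})
            resp = conn.getresponse()
            return Response(resp.status, len(resp.read()))
        finally:
            conn.close()
    return send


def table_transport(table: dict[str, Response], default: Response) -> Transport:
    """Offline transport backed by a constructed lookup table (for demos and tests)."""
    return lambda host: table.get(host, default)


def is_valid_label(word: str) -> bool:
    """Reject wordlist entries that cannot form a legal hostname (e.g. '.git/logs/').
    common.txt is a web-content list, so such entries only yield 400 Bad Request noise."""
    return (
        bool(word)
        and all(c.isalnum() or c in "-." for c in word)
        and not word.startswith(".")
        and not word.endswith(".")
        and ".." not in word
    )


def random_label(length: int = 12) -> str:
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def baseline(send: Transport, domain: str) -> Response:
    """Request a random, almost certainly nonexistent vhost to learn the catch-all response."""
    return send(f"{random_label()}.{domain}")


def fuzz_vhosts(send: Transport, domain: str, words: Iterable[str]) -> dict[str, Response]:
    """Append `domain` to each word, send it as the Host header, and keep every
    response that differs from the baseline in status or size."""
    base = baseline(send, domain)
    found: dict[str, Response] = {}
    for raw in words:
        word = raw.strip()
        if not is_valid_label(word):
            continue
        host = f"{word}.{domain}"
        resp = send(host)
        if (resp.status, resp.size) != (base.status, base.size):
            found[host] = resp
    return found


if __name__ == "__main__":
    # Constructed, offline stand-in for a server with a catch-all vhost (404, 157 bytes)
    # and two real vhosts. Swap in http_transport("<target ip>", 81) for a live target.
    table = {
        "admin.inlanefreight.htb": Response(200, 100),
        "web-beans.inlanefreight.htb": Response(200, 108),
    }
    send = table_transport(table, Response(404, 157))
    words = ["index", "admin", ".git/logs/", "android/config", "web-beans"]
    for host, resp in fuzz_vhosts(send, "inlanefreight.htb", words).items():
        print(f"Found: {host} Status: {resp.status} [Size: {resp.size}]")
```

Against the constructed table the two real vhosts are reported and the two path-like words are skipped before any request is sent. On a live target, keep the baseline comparison in mind: a server that returns the same page for every Host value yields nothing here, no matter how good the wordlist is.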
Exercise
TARGET: 94.237.122.36:49365
Challenge 1
Using GoBuster against the target system to fuzz for vhosts using the common.txt wordlist, which vhost starts with the prefix "web-"? Respond with the full vhost, eg web-123.inlanefreight.htb.
After adding the IP to /etc/hosts, run the following gobuster command against the target:
┌──(macc㉿kaliLab)-[~]
└─$ gobuster vhost -u http://inlanefreight.htb:49365 -w ~/SecLists/Discovery/Web-Content/common.txt --append-domain
Output:
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://inlanefreight.htb:49365
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /home/macc/SecLists/Discovery/Web-Content/common.txt
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
[+] Append Domain: true
[+] Exclude Hostname Length: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
...
ADMIN.inlanefreight.htb:49365 Status: 200 [Size: 100]
Admin.inlanefreight.htb:49365 Status: 200 [Size: 100]
admin.inlanefreight.htb:49365 Status: 200 [Size: 100]
awmdata.inlanefreight.htb:49365 Status: 200 [Size: 104]
ipdata.inlanefreight.htb:49365 Status: 200 [Size: 102]
web-beans.inlanefreight.htb:49365 Status: 200 [Size: 108]
...
Progress: 4750 / 4750 (100.00%)
===============================================================
Finished
===============================================================
- These are the vhosts found!
flag: web-beans.inlanefreight.htb
Challenge 2
Using GoBuster against inlanefreight.com to fuzz for subdomains using the subdomains-top1million-5000.txt wordlist, which subdomain starts with the prefix "su"? Respond with the full vhost, eg web.inlanefreight.com.
Run the following gobuster command on the target inlanefreight.com using the subdomains-top1million-5000.txt wordlist:
┌──(macc㉿kaliLab)-[~]
└─$ gobuster dns --domain inlanefreight.com -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
- Note that we are now using the `dns` mode of gobuster in order to fuzz subdomains.
- We have to specify the target domain with `--domain` (tried doing `-d` but that didn't work).
Output:
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: inlanefreight.com
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /home/macc/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
ns1.inlanefreight.com 178.128.39.165
www.inlanefreight.com 134.209.24.248,2a03:b0c0:1:e0::32c:b001
ns2.inlanefreight.com 206.189.119.186
blog.inlanefreight.com 134.209.24.248,2a03:b0c0:1:e0::32c:b001
ns3.inlanefreight.com 134.209.24.248
...
support.inlanefreight.com 134.209.24.248
...
my.inlanefreight.com 134.209.24.248
...
customer.inlanefreight.com 134.209.24.248,2a03:b0c0:1:e0::32c:b001
- The subdomain starting with "su" is
support.inlanefreight.com
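The dns mode above does something quite different from vhost mode: no HTTP is involved, each candidate name is resolved through DNS, and a name counts only if it actually resolves. The added example below (not gobuster's code) brute-forces word.domain the same way, and adds the check a practitioner wants before trusting the results: resolve a random label first to detect a wildcard record, and drop any hit whose answer is indistinguishable from the wildcard. It assumes the OS resolver (socket.getaddrinfo) for live lookups; the resolver is injectable, and the `zone` in `__main__` is a constructed stand-in built from the addresses shown in the output above.

```python
"""DNS subdomain brute force in the spirit of `gobuster dns`.

Added example, not gobuster's code. Assumptions: live lookups go through the
system resolver (socket.getaddrinfo); a resolver callable is injectable so the
logic can run offline against a constructed zone.
"""
from __future__ import annotations

import secrets
import socket
import string
from typing import Callable, Iterable, Optional

# A resolver maps a hostname to its sorted addresses, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[list[str]]]


def system_resolver(name: str) -> Optional[list[str]]:
    """Live lookup via the OS resolver; returns both A and AAAA answers, as gobuster prints."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def table_resolver(zone: dict[str, list[str]], wildcard: Optional[list[str]] = None) -> Resolver:
    """Offline resolver backed by a constructed zone; `wildcard` simulates a *.domain record."""
    def resolve(name: str) -> Optional[list[str]]:
        if name in zone:
            return sorted(zone[name])
        return sorted(wildcard) if wildcard is not None else None
    return resolve


def random_label(length: int = 12) -> str:
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def wildcard_addresses(resolve: Resolver, domain: str) -> set[str]:
    """Resolve a random label under the domain. If it answers, the zone has a wildcard
    record and every candidate would 'exist'; remember those addresses to filter them."""
    answer = resolve(f"{random_label()}.{domain}")
    return set(answer or [])


def fuzz_subdomains(resolve: Resolver, domain: str, words: Iterable[str]) -> dict[str, list[str]]:
    """Resolve word.domain for each wordlist entry and return the names that exist,
    excluding answers indistinguishable from the wildcard baseline."""
    wild = wildcard_addresses(resolve, domain)
    found: dict[str, list[str]] = {}
    for raw in words:
        word = raw.strip().lower()
        if not word or not all(c.isalnum() or c in "-_" for c in word):
            continue  # not a valid DNS label
        name = f"{word}.{domain}"
        addrs = resolve(name)
        if addrs is None:
            continue  # NXDOMAIN
        if wild and set(addrs) <= wild:
            continue  # same answer as the wildcard, so no evidence the name is real
        found[name] = addrs
    return found


if __name__ == "__main__":
    # Constructed zone mirroring a few addresses from the gobuster output above.
    # Swap in system_resolver for a live run.
    zone = {
        "www.inlanefreight.com": ["134.209.24.248", "2a03:b0c0:1:e0::32c:b001"],
        "support.inlanefreight.com": ["134.209.24.248"],
        "ns1.inlanefreight.com": ["178.128.39.165"],
    }
    words = ["www", "support", "nothere", "ns1", "bad label"]
    for name, addrs in fuzz_subdomains(table_resolver(zone), "inlanefreight.com", words).items():
        print(name, ",".join(addrs))
```

The wildcard check is the part gobuster's plain output does not make obvious: on a zone with `*.inlanefreight.com` pointing at one address, every word in the list would "resolve", and only names whose answer carries something beyond the wildcard address are worth reporting.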
Note that you can get the same results in a quieter form using the -q flag, which drops the banner and progress lines so you do not have to pick the hits out of the clutter:
┌──(macc㉿kaliLab)-[~]
└─$ gobuster dns --domain inlanefreight.com -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -q
Output:
www.inlanefreight.com 134.209.24.248,2a03:b0c0:1:e0::32c:b001
ns1.inlanefreight.com 178.128.39.165
ns2.inlanefreight.com 206.189.119.186
blog.inlanefreight.com 134.209.24.248,2a03:b0c0:1:e0::32c:b001
ns3.inlanefreight.com 134.209.24.248
support.inlanefreight.com 134.209.24.248
my.inlanefreight.com 134.209.24.248
customer.inlanefreight.com 134.209.24.248,2a03:b0c0:1:e0::32c:b001