#!/bin/bash
###########################################################################################################
# Script to perform discovery of Virtual Hosts (VHOSTS) via brute forcing.
# It complements the dedicated NMAP NSE script:
# https://github.com/righettod/toolbox-pentest-web/blob/master/docs/README.md#nmap-vhosts-scanning
#
# System dependencies to install via the package manager:
# apt install ffuf
###########################################################################################################
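if [ "$#" -lt 1 ]; then
  # No target given: the usage text is a diagnostic, so it goes to stderr
  # (stdout stays clean for anything a caller may want to capture) and the
  # script exits non-zero so misuse is detectable.
  script_name=$(basename "$0")
  {
    printf 'Usage:\n'
    printf ' %s [PROTOCOL://IP:PORT] [ROOT_DOMAIN]\n' "$script_name"
    printf '\n'
    printf '[i] PORT is optional if it is the default one for the protocol used.\n'
    printf '[i] ROOT_DOMAIN is optional.\n'
    printf '\n'
    printf 'Call example:\n'
    printf ' %s http://10.10.10.10\n' "$script_name"
    printf ' %s https://10.10.10.10:8000\n' "$script_name"
    printf ' %s http://10.10.10.10 righettod.eu\n' "$script_name"
  } >&2
  exit 1
fi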
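# Print a highlighted progress line (yellow "[+] <message>") on stdout.
# Arguments: $1 - message to display. It is passed through %s, so backslash
#            sequences in the message are printed literally instead of being
#            interpreted the way `echo -e` would.
function write_step(){
  printf '\033[93m[+] %s\033[0m\n' "$1"
}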
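root_domain=""
target=$1
if [ "$#" -eq 2 ]; then
  # Optional root domain: every candidate becomes "<word>.<root domain>".
  root_domain=".$2"
  write_step "Add the root domain suffix to the HOST header: $root_domain"
fi

# Wordlist locations (a SecLists checkout is expected under /tools).
seclists_dir="/tools/sec-lists/Discovery"
dns_lists=("$seclists_dir/DNS/namelist.txt" "$seclists_dir/DNS/subdomains-top1million-20000.txt")
web_list="$seclists_dir/Web-Content/raft-small-words.txt"

# Fail early with a clear message instead of letting sort/ffuf error out
# half-way through the run.
if ! command -v ffuf >/dev/null 2>&1; then
  printf '[!] ffuf is not installed (apt install ffuf)\n' >&2
  exit 1
fi
for wordlist in "${dns_lists[@]}" "$web_list"; do
  if [ ! -r "$wordlist" ]; then
    printf '[!] Wordlist not found or not readable: %s\n' "$wordlist" >&2
    exit 1
  fi
done

write_step "Hide response with a specific length (count of characters)?"
printf '%s' "If yes enter the length otherwise press ENTER: "
# -r keeps backslashes literal; IFS= keeps surrounding whitespace intact.
IFS= read -r x
# ffuf options live in an array: an empty answer adds no argument at all and
# a non-empty one is passed as a single, unsplit word.
filter_opt=()
if [ -n "$x" ]; then
  # -fs takes a comma-separated list of sizes or size ranges; refuse anything
  # else so a typo is not silently handed to ffuf as a different option.
  size_re='^[0-9]+(-[0-9]+)?(,[0-9]+(-[0-9]+)?)*$'
  if [[ ! "$x" =~ $size_re ]]; then
    printf '[!] Invalid length filter: %s\n' "$x" >&2
    exit 1
  fi
  filter_opt=(-fs "$x")
fi

write_step "Launch the discovery operation..."
# The merged DNS dictionary goes in an unpredictable temporary file (not a
# fixed /tmp path another local user could pre-create or swap) and is removed
# on every exit path.
dico=$(mktemp) || { printf '[!] mktemp failed\n' >&2; exit 1; }
trap 'rm -f -- "$dico"' EXIT
# sort reads several files directly, so no cat pipeline is needed.
sort -u -- "${dns_lists[@]}" > "$dico" || exit 1
ffuf -u "$target" -w "$dico" -c -H "Host: FUZZ$root_domain" "${filter_opt[@]}"
ffuf -u "$target" -w "$web_list" -c -H "Host: FUZZ$root_domain" "${filter_opt[@]}"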