
[Feature Request] --ip option for VHOST enumeration

Open Castle-Oak opened this issue 3 years ago • 2 comments

Hello,

gobuster has been my go-to for enumeration for a while now. One issue I ran into recently is that the tool assumes the subdomain and the base domain name share the same IP address. Oftentimes this is not the case.

I ran into an issue today where I wanted to enumerate vhosts on a server that was part of the same domain but didn't resolve to the IP of the base domain name. I had to override the domain name in my hosts file just to enumerate vhosts.

I think this is something that should be built into gobuster. I'd like to request that we add an --ip option. By default gobuster will brute force using the IP of the base domain if --ip is not supplied.

Example:

gobuster vhost -r --wordlist bitquark-subdomains-top100000.txt --url https://xyz.com -k -t 100

xyz.com = 6.6.6.6
test.xyz.com = 6.6.6.6
Both subdomain and base domain name have the same IP.

gobuster vhost -r --wordlist bitquark-subdomains-top100000.txt --url https://xyz.com -k -t 100 --ip 6.6.8.8

xyz.com = 6.6.6.6
test.xyz.com = 6.6.8.8 <- This is the actual target. Subdomain and base domain name have different IP addresses.

Castle-Oak, Aug 02 '21 19:08

Hi @pmgcrypto, the vhost mode is only useful to discover vhosts on the same IP address / webserver. I think what you are looking for is dns mode, where you can find subdomains of a domain hosted on another IP.

firefart, Aug 21 '21 09:08

@FireFart - I'm referring to the host header portion of the HTTP request. Sometimes you can have a single IP that vends multiple websites. You can brute force the host header portion of the HTTP request in order to discover other websites hosted on the same IP.

https://stackoverflow.com/questions/43156023/what-is-http-host-header

For instance:

IP: 54.24.67.22
# HTTP Request
GET /someresource.html HTTP/1.1
Host: www.not-vulnerable-1.com

IP: 54.24.67.22
# HTTP Request
GET /someresource.html HTTP/1.1
Host: www.not-vulnerable-2.com

IP: 54.24.67.22
# HTTP Request
GET /someresource.html HTTP/1.1
Host: www.vulnerable-web-server.com

All requests are sent to the same web server but yield different web pages.

Castle-Oak, Sep 24 '21 04:09

Yes, but they all share the same IP address, so that's exactly how vhost enumeration works 🤷🏻‍♂️ Use http://ip and you are fine.

firefart, Nov 19 '23 23:11
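What both sides of the thread are describing, connecting to a fixed IP address and varying only the Host header, as an added example that is not part of the original thread and not gobuster's own code. The script below opens a TCP connection to a target IP (rather than to whatever the base domain resolves to), sends one GET per wordlist entry with Host set to word.domain, and reports every candidate whose response differs from a baseline request that uses a random, nonexistent Host. The in-process HTTP server, the VHOSTS table and the wordlist are constructed sample data so the script runs offline; the IP, domain and function names are the example's own assumptions.

```python
"""Added example (not gobuster's code): Host-header vhost brute force against a fixed IP."""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: one IP "vends" three name-based virtual hosts.
# Any other Host value gets the server's default site.
VHOSTS = {
    "www.xyz.com": b"<h1>xyz.com marketing site</h1>",
    "test.xyz.com": b"<h1>staging</h1>",
    "admin.xyz.com": b"<h1>internal admin</h1>",
}
DEFAULT_BODY = b"<h1>default site</h1>"


class VhostHandler(BaseHTTPRequestHandler):
    """Picks the page purely from the Host header, like a name-based vhost config."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host, DEFAULT_BODY)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence the default access log
        pass


def start_server():
    """Bind the simulated vhost server to 127.0.0.1 on an ephemeral port."""
    srv = HTTPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fingerprint(ip, port, host, path="/"):
    """One request to ip:port with an explicit Host header; returns (status, length, body).

    Connecting by IP is what makes the target independent of DNS: the base
    domain may resolve elsewhere, only the Host value tells the server which site we want.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, len(body), body


def enumerate_vhosts(ip, port, domain, wordlist):
    """Return [(host, status, length)] for every candidate that differs from the baseline."""
    # Baseline: a Host that cannot exist. Anything that differs from it is interesting.
    baseline = fingerprint(ip, port, f"{secrets.token_hex(8)}.{domain}")
    found = []
    for word in wordlist:
        host = f"{word}.{domain}"
        status, length, body = fingerprint(ip, port, host)
        if (status, length, body) != baseline:
            found.append((host, status, length))
    return found


def demo():
    """Run the enumeration against the simulated server and return the hits."""
    srv = start_server()
    ip, port = srv.server_address
    # Constructed wordlist; a real run would read e.g. bitquark-subdomains-top100000.txt.
    wordlist = ["www", "mail", "test", "dev", "admin", "vpn"]
    try:
        return enumerate_vhosts(ip, port, "xyz.com", wordlist)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for host, status, length in demo():
        print(f"Found: {host} (Status: {status}) [Size: {length}]")
```

The baseline comparison is what separates real vhosts from a default site that answers every Host; comparing status, length and body together avoids false positives when the default page is large. Over HTTPS the server may also select the site and certificate from the TLS SNI value, so a Host header alone does not always reach the intended vhost there.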