OJ / gobuster

Directory/File, DNS and VHost busting tool written in Go
Apache License 2.0

[Feature Request] --ip option for VHOST enumeration #303

Closed Castle-Oak closed 11 months ago

Castle-Oak commented 3 years ago

Hello,

gobuster has been my go-to for enumeration for a while now. One issue I ran into recently is that the tool assumes the subdomain and the base domain name share the same IP address. Oftentimes this is not the case.

I ran into an issue today where I wanted to enumerate vhosts on a server that was part of the same domain but didn't resolve to the IP of the base domain name. I had to override the domain name in my hosts file just to enumerate vhosts.

I think this is something that should be built into gobuster. I'd like to request that we add an --ip option. By default gobuster will brute force using the IP of the base domain if --ip is not supplied.

Example:

gobuster vhost -r --wordlist bitquark-subdomains-top100000.txt --url https://xyz.com -k -t 100

xyz.com = 6.6.6.6
test.xyz.com = 6.6.6.6

Both subdomain and base domain name have the same IP.

gobuster vhost -r --wordlist bitquark-subdomains-top100000.txt --url https://xyz.com -k -t 100 --ip 6.6.8.8

xyz.com = 6.6.6.6
test.xyz.com = 6.6.8.8 <- This is the actual target.

Subdomain and base domain name have different IP addresses.

firefart commented 3 years ago

Hi @pmgcrypto, the vhost mode is only useful to discover vhosts on the same IP address / webserver. I think what you are looking for is dns mode, where you can find subdomains of a domain hosted on another IP.

Castle-Oak commented 3 years ago

@FireFart - I'm referring to the host header portion of the HTTP request. Sometimes you can have a single IP that vends multiple websites. You can brute force the host header portion of the HTTP request in order to discover other websites hosted on the same IP.

https://stackoverflow.com/questions/43156023/what-is-http-host-header

For instance:

IP: 54.24.67.22
# HTTP Request
GET /someresource.html HTTP/1.1
Host: www.not-vulnerable-1.com

IP: 54.24.67.22
# HTTP Request
GET /someresource.html HTTP/1.1
Host: www.not-vulnerable-2.com

IP: 54.24.67.22
# HTTP Request
GET /someresource.html HTTP/1.1
Host: www.vulnerable-web-server.com

All requests are sent to the same web server but yield different web pages.

firefart commented 11 months ago

Yes, but they all share the same IP address, so that's exactly how vhost enumeration works 🤷🏻‍♂️ use http://ip and you are fine
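What the thread describes, as an added Go example that is not gobuster's own code: the connection goes to the IP (the `--url` in firefart's "use http://ip"), the Host header selects the virtual host, and a name the server has a vhost for answers differently from a name it cannot know. The functions `probeHost` and `findVHosts`, the in-process `newDemoServer`, and the `site-a.example` names are all constructed for this demo.

```go
package main
import (
	"io"
	"net/http"
	"net/http/httptest"
)

// probeHost does a GET to baseURL/ with an explicit Host header; returns {status, body length}.
func probeHost(baseURL, host string) ([2]int, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/", nil)
	if err != nil {
		return [2]int{}, err
	}
	req.Host = host // Go sends req.Host as the Host header instead of the URL's host
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return [2]int{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return [2]int{resp.StatusCode, len(body)}, err
}

// findVHosts keeps the candidates whose response differs from that of a name the server cannot know.
func findVHosts(baseURL string, candidates []string) ([]string, error) {
	base, err := probeHost(baseURL, "baseline-does-not-exist.invalid")
	if err != nil {
		return nil, err
	}
	var found []string
	for _, h := range candidates {
		if fp, err := probeHost(baseURL, h); err != nil {
			return nil, err
		} else if fp != base {
			found = append(found, h)
		}
	}
	return found, nil
}

func newDemoServer() *httptest.Server { // constructed stand-in: one IP, several sites chosen by Host
	sites := map[string]string{"www.site-a.example": "public site", "admin.site-a.example": "admin console"}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if page, ok := sites[r.Host]; ok { // r.Host is exactly the Host header the client sent
			io.WriteString(w, page)
			return
		}
		http.Error(w, "default site", http.StatusNotFound)
	}))
}
```

Against a real server you would pass `http://<ip>` as `baseURL` and your wordlist as `candidates`; the baseline comparison is what keeps catch-all servers from reporting every name as a hit.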