OJ / gobuster

Directory/File, DNS and VHost busting tool written in Go
Apache License 2.0

Support SNI when doing VHost fuzzing? #398

Open Tib3rius opened 1 year ago

Tib3rius commented 1 year ago

This stems from a TryHackMe room which required the discovery of virtual hosts on an HTTPS server which implemented SNI. For most virtual hosts, the main domain's cert worked but simply displayed the same content (e.g. www.domain.com, test.domain.com etc. would get the same response as domain.com).

When a valid virtual host was found, a 421 status code was returned, since gobuster had used the original domain.com TLS connection, which didn't use the proper cert for the virtual host.

As it turns out, this status code was enough for gobuster to find the virtual host, but my concern is if the server were configured to simply return the same content instead of an error, these virtual hosts would be missed.

This could be solved with an optional flag like --update-sni or --use-sni which would ensure that a new TLS connection was established with the virtual host used as the SNI.

firefart commented 1 year ago

Oh interesting, never tested for those. Do you happen to know an SNI-only server on TryHackMe or anywhere else? This might work when just supplying the IP instead of the domain name, but I would love to test those cases.

Tib3rius commented 1 year ago

Ah! Your intuition was correct, using the IP address as the target along with --domain and --append-domain worked perfectly!

This was the TryHackMe machine: https://tryhackme.com/room/takeover

Original command was: gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain -k -u https://futurevera.thm

Working command was: gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain -k --domain futurevera.thm -u https://10.10.22.186

Thanks! Do you think a flag might be useful to force this when someone uses the original domain rather than the IP anyway? Just a thought, I'm happy either way considering the second command works.
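
The mechanism behind the 421 in this thread, as an added example that is not gobuster's code: a local httptest server models an SNI-selected virtual host setup (421 whenever the TLS SNI and the Host header disagree), and a probe function sends one candidate name either with the Host header only, or with the same name also set as the TLS ServerName on a fresh connection. The hostname test.futurevera.thm is used only as a label; InsecureSkipVerify stands in for the -k flag from the commands above.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newSNIServer models an HTTPS host with SNI-selected virtual hosts. Like the
// server in the issue, it answers 421 Misdirected Request whenever the TLS SNI
// and the HTTP Host header disagree, and vhost content only when they match.
func newSNIServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || !strings.EqualFold(r.TLS.ServerName, r.Host) {
			http.Error(w, "misdirected request", http.StatusMisdirectedRequest)
			return
		}
		fmt.Fprintf(w, "content for %s\n", r.Host)
	}))
}

// probe sends one candidate to target with the candidate in the Host header.
// With useSNI it is also the TLS ServerName on a fresh connection; otherwise
// Go derives the SNI from the URL host, and sends none when that is an IP.
func probe(target, vhost string, useSNI bool) (int, error) {
	// InsecureSkipVerify stands in for gobuster's -k: the certificate the
	// server presents is not issued for the candidate name.
	cfg := &tls.Config{InsecureSkipVerify: true}
	if useSNI {
		cfg.ServerName = vhost
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}}
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return 0, err
	}
	req.Host = vhost
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}
```

Against newSNIServer (whose URL is an IP address, like the working command), probe returns 421 without SNI and 200 once the candidate is also the ServerName, which is exactly the difference between the two commands above.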

Dovah0421 commented 1 year ago

Do you know why I get this error? I used both commands, I'm in Hack The Box: "Error: error on running gobuster: unable to connect to https://10.129.147.108/: Get "https://10.129.147.108/": dial tcp 10.129.147.108:443: connect: connection refused"

CyberShadow7 commented 2 months ago

> Do you know why I get this error? I used both commands, I'm in Hack The Box: "Error: error on running gobuster: unable to connect to https://10.129.147.108/: Get "https://10.129.147.108/": dial tcp 10.129.147.108:443: connect: connection refused"

Most probably because you used "https" and not "http"