Wordlist Scanning (T1595)
Finding what isn't linked.
1. Directory Brute-Forcing
Web servers often have folders like /admin, /backup, or /v1 that aren't linked from the homepage.
- Tools: Gobuster, Feroxbuster, Dirbuster.
- Command: `feroxbuster -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`
- Extensions: Always check for specific file extensions (`-x php,zip,bak,sql`). Finding `database.sql.bak` is a jackpot.
2. DNS Subdomain Brute-Forcing
Public DNS records (passive DNS) miss subdomains that haven't been queried recently.
- Tool: `ffuf` or `amass`.
- Logic: Guessing `dev.target.com`, `staging.target.com`, `vpn.target.com`. With ffuf the wordlist has to be bound to the placeholder used in the URL (the default keyword is `FUZZ`): `ffuf -w subdomains.txt:TARGET -u https://TARGET.target.com`
3. Virtual Host Discovery
Sometimes dev.target.com resolves to the same IP as target.com, but the web server only responds if the Host header is correct.
- Attack: Fuzzing the `Host` header.
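All three techniques leave the same kind of trace on the defending side: a single client producing a burst of requests for names or paths that don't exist. The following Python is an added example, not part of this note or of any of the tools named above; it runs the three corresponding checks over constructed log lines. It assumes a combined-format web access log with the request's Host header appended as a final quoted field, a three-column DNS query log (client, query name, response code), and a known set of served virtual hosts; the thresholds and the sample addresses are made up for illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Combined log format with the Host header appended as the last quoted field
# (assumed layout; adjust the regex to your own server's log format).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)

# Extensions the note above tells scanners to try; a 200 on one of these
# from a client that is otherwise collecting 404s is the case to act on.
SENSITIVE_EXT = {".php", ".zip", ".bak", ".sql"}

# Constructed sample traffic: one normal visitor and one client walking a wordlist.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "www.example.com"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "www.example.com"
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 404 162 "www.example.com"
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /backup HTTP/1.1" 404 162 "www.example.com"
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /database.sql.bak HTTP/1.1" 404 162 "www.example.com"
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /v1 HTTP/1.1" 404 162 "www.example.com"
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /config.php HTTP/1.1" 404 162 "www.example.com"
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "dev.example.com"
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "staging.example.com"
"""

# Constructed resolver log: client, queried name, response code.
DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
198.51.100.7 dev.example.com NXDOMAIN
198.51.100.7 staging.example.com NXDOMAIN
198.51.100.7 vpn.example.com NXDOMAIN
198.51.100.7 test.example.com NXDOMAIN
198.51.100.7 mail.example.com NOERROR
"""


def parse_access(text):
    """Parse access log lines into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def find_directory_bruteforce(records, min_requests=5, min_404_ratio=0.6):
    """Section 1: clients whose traffic is mostly 404s, with any sensitive-extension hits."""
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r["ip"]].append(r)
    hits = {}
    for ip, reqs in per_ip.items():
        if len(reqs) < min_requests:
            continue
        ratio = sum(1 for r in reqs if r["status"] == 404) / len(reqs)
        if ratio < min_404_ratio:
            continue
        sensitive = [(r["path"], r["status"]) for r in reqs
                     if PurePosixPath(r["path"]).suffix.lower() in SENSITIVE_EXT]
        hits[ip] = {"requests": len(reqs), "not_found_ratio": round(ratio, 2),
                    "sensitive_paths": sensitive}
    return hits


def find_subdomain_bruteforce(dns_text, min_nxdomain=3):
    """Section 2: clients asking for many distinct names that don't exist."""
    nx = defaultdict(set)
    for line in dns_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, rcode = parts
        if rcode == "NXDOMAIN":
            nx[client].add(qname.lower())
    return {c: len(names) for c, names in nx.items() if len(names) >= min_nxdomain}


def find_unknown_hosts(records, served_hosts):
    """Section 3: Host header values that are not among the vhosts you serve."""
    unknown = defaultdict(set)
    for r in records:
        host = r["host"].lower()
        if host not in served_hosts:
            unknown[r["ip"]].add(host)
    return {ip: sorted(hosts) for ip, hosts in unknown.items()}


if __name__ == "__main__":
    recs = parse_access(ACCESS_LOG)
    print("directory brute-force:", find_directory_bruteforce(recs))
    print("subdomain brute-force:", find_subdomain_bruteforce(DNS_LOG))
    print("unknown Host headers:", find_unknown_hosts(recs, {"www.example.com"}))
```

The Host-header check is the cheapest of the three to make actionable: a catch-all default server that returns a fixed response for any Host you don't serve both stops vhost discovery from revealing anything and makes every request logged under an unknown Host an unambiguous signal.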