by danduran on Cybersecurity, 5 min read

🎯 Subdomain Fuzzing with Quick Host Fuzzer

TL;DR:

Struggling with subdomain fuzzing? I made a custom tool built to dynamically test subdomains, filter by HTTP status codes, and track progress. Perfect for Hack The Box and TryHackMe!

Welcome to the Quick Host Fuzzer tutorial! This guide will walk you through using the Quick Host Fuzzer to uncover subdomains effectively. This tool is designed to be simple, lightweight, and efficient, making it ideal for ethical hacking and penetration testing.

You can find the tool on GitHub: Quick Host Fuzzer (https://github.com/Dan-Duran/quick-host-fuzzer)

This is perfect for Hack The Box and TryHackMe challenges!


The Need!

Sometimes, tools like ffuf or other subdomain fuzzers just don’t cut it for specific scenarios. I ran into this when trying to dynamically test subdomains without manually adding them to /etc/hosts. The issue? I didn’t want to clog my hosts file or sift through endless irrelevant results. On top of that, I needed progress tracking to know the tool wasn’t silently failing on massive wordlists.

This fuzzer was born out of frustration and experimentation. The goal was simple: make something lightweight and customizable, so you can filter by HTTP status codes, get real-time progress updates, and focus on results that matter. The struggles? Getting the right DNS setup with dnsmasq, figuring out how to cleanly filter responses, and keeping the output both readable and useful.

It’s not the flashiest tool out there, but it does the job and saved me a ton of time. If you’ve ever been stuck trying to dig up subdomains on a custom resolver, you know the pain. Hopefully, this script helps make the process smoother for you too.


What is Quick Host Fuzzer?

The Quick Host Fuzzer is a bash-based tool for fuzzing subdomains of a given domain. It sends HTTP requests for each subdomain in a provided wordlist and categorizes them based on HTTP response codes. This makes it easy to identify valid subdomains and quickly filter results based on response status.


Features

  • Fast and efficient subdomain fuzzing.
  • Progress tracking for large wordlists.
  • Filters results based on HTTP response codes.
  • Simple usage with no dependencies beyond bash and curl.

Prerequisites

Before you begin, ensure you have the following:

  1. Operating System: A Linux or macOS environment.
  2. Bash and Curl: Installed by default on most systems.
  3. A Wordlist: A file containing potential subdomains. You can create one or use popular lists from repositories like SecLists.
  4. Permission to Test: Ensure you have authorization to test the target domain.

Step 1: Clone the Repository

Start by cloning the tool from GitHub and navigating into the directory:

git clone https://github.com/Dan-Duran/quick-host-fuzzer.git
cd quick-host-fuzzer

Step 2: Make the Script Executable

Ensure the script has executable permissions:

chmod +x fuzzer.sh

Step 3: Prepare Your Environment

Identify the Target Domain

Choose the domain you want to test. For this tutorial, we’ll use example.com.

Prepare a Wordlist

Create a simple wordlist with subdomains or use a prebuilt one. Here's an example of creating a small custom wordlist:

echo -e "www\ndev\nadmin\nstaging" > wordlist.txt

For large-scale testing, download a comprehensive wordlist like this:

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt -O large_wordlist.txt

Step 4: Run the Fuzzer

Basic Usage

Run the script with the target domain and wordlist:

./fuzzer.sh -u example.com -w wordlist.txt

Filter by HTTP Status Codes

Use the -i option to include specific status codes in the output:

./fuzzer.sh -u example.com -w wordlist.txt -i 200,403

For example:
- 200 indicates a successful response.
- 403 indicates forbidden access.
- Including multiple codes will list all matching subdomains.

Example Output

Starting fuzzing for 4 subdomains...
Valid: www.example.com -> 200
Valid: dev.example.com -> 403
Invalid: admin.example.com -> 404
Invalid: staging.example.com -> 404

Scan complete! Processed 4 subdomains.

Step 5: Monitor Progress

For larger wordlists, the script dynamically tracks progress:

Starting fuzzing for 5000 subdomains...
Progress: 100/5000 (2%)
Progress: 200/5000 (4%)
...
Scan complete! Processed 5000 subdomains.

This ensures you’re aware of how far along the process is, even for lengthy scans.


Step 6: Use Cases

Finding Valid Subdomains

By specifying -i 200, you can list all valid subdomains returning a 200 status:

./fuzzer.sh -u example.com -w large_wordlist.txt -i 200

Identifying Restricted Subdomains

Use -i 403 to identify subdomains with restricted access:

./fuzzer.sh -u example.com -w large_wordlist.txt -i 403

General Discovery

If you don’t specify -i, the script will categorize all subdomains into valid and invalid:

./fuzzer.sh -u example.com -w large_wordlist.txt
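To make the behaviour of Steps 4 to 6 concrete, here is a small POSIX-sh re-creation of the same loop (an added example, not the project's fuzzer.sh). It assumes the web server is reached by IP with each candidate name sent as the Host header via curl's --resolve, port 80, and it adds one thing the text only hints at: a baseline probe of a random name so that a catch-all vhost answering 200 to everything does not flood the output.

```sh
#!/bin/sh
# Added example, not the project's fuzzer.sh: the same loop in POSIX sh.
# Assumed setup: the web server is reached by IP and each candidate name is
# sent as the Host header via curl --resolve, so /etc/hosts stays untouched.

# probe_status HOST IP -> prints the HTTP status; curl prints 000 when the
# connection itself fails (timeout, refused, bad resolver).
probe_status() {
  curl -s -o /dev/null -m 5 -w '%{http_code}' \
       --resolve "$1:80:$2" "http://$1/" 2>/dev/null || true
}

# status_included CODE CSV -> true when CODE is one of the comma-separated codes
status_included() {
  case ",$2," in *",$1,"*) return 0 ;; esac
  return 1
}

# fuzz_hosts DOMAIN WORDLIST IP [CSV] -> Valid/Invalid line per name plus a
# progress line every 100 entries. With CSV only matching codes are printed.
# Without CSV a name is Valid when its status differs from the server's
# catch-all answer (measured first with a random name), so a wildcard vhost
# that returns 200 for everything does not flood the output.
fuzz_hosts() {
  domain=$1 wordlist=$2 ip=$3 include=${4:-}
  total=$(grep -c . "$wordlist" || true)
  baseline=$(probe_status "nonexistent-$$-probe.$domain" "$ip")
  echo "Starting fuzzing for $total subdomains (catch-all status: ${baseline:-000})..."
  n=0
  while IFS= read -r sub || [ -n "$sub" ]; do
    if [ -z "$sub" ]; then continue; fi
    n=$((n + 1))
    host="$sub.$domain"
    code=$(probe_status "$host" "$ip"); code=${code:-000}
    if [ -n "$include" ]; then
      if status_included "$code" "$include"; then echo "Valid: $host -> $code"; fi
    elif [ "$code" != 000 ] && [ "$code" != "$baseline" ]; then
      echo "Valid: $host -> $code"
    else
      echo "Invalid: $host -> $code"
    fi
    if [ $((n % 100)) -eq 0 ]; then
      echo "Progress: $n/$total ($((n * 100 / total))%)"
    fi
  done < "$wordlist"
  echo "Scan complete! Processed $n subdomains."
}
# Usage: sh vhost_fuzz.sh example.com wordlist.txt 10.10.10.5 200,403
if [ "$#" -ge 3 ]; then fuzz_hosts "$@"; fi
```

Run it with no arguments to only define the functions (handy for sourcing), or with DOMAIN WORDLIST IP and an optional code list to scan.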

Best Practices

  1. Stay Ethical: Only test domains you have explicit permission to audit.
  2. Optimize Wordlists: Use a wordlist that is relevant to your target (e.g., industry-specific subdomains).
  3. Analyze Results: Investigate subdomains returning 200 or 403 for potential entry points.
  4. Log Results: Redirect output to a file for later analysis:
./fuzzer.sh -u example.com -w large_wordlist.txt -i 200 > results.txt

Common Issues and Solutions

  • No Results: Ensure the target domain resolves correctly. Verify with dig or nslookup.
  • Slow Performance: Optimize your wordlist to include only likely subdomains.
  • Permission Denied: Use chmod +x fuzzer.sh to make the script executable.

To Summarize

The Quick Host Fuzzer is a powerful yet simple tool for subdomain enumeration. By leveraging its capabilities, you can quickly identify valid subdomains, filter by HTTP response codes, and uncover potential attack vectors.

For more details and the latest updates, visit the GitHub repository: https://github.com/Dan-Duran/quick-host-fuzzer

Happy fuzzing! 🎯
