Subdomain Enumeration
ffuf
Make sure to add a response-size filter (-fs) so the output is not flooded with junk, i.e. responses that are the same size as the default vhost's
ffuf -H "Host: FUZZ.onlyrands.com" -H "User-Agent: PENTEST" -c -w "/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt" -u http://onlyrands.com -fs 23375
Or filter on word count with -fw (the command below uses -fw 18) and consider all response codes with -mc all:
ffuf -u http://10.10.11.193 -H "Host: FUZZ.mentorquotes.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 18 -mc all
Gobuster
In Gobuster, the vhost pattern is defined in a text file, called a pattern file, that is passed with the -p flag (the command below uses a file named pattern with this content):
{GOBUSTER}.onlyrands.com
For filtering the output, use the --exclude-length flag to drop responses of a given size. Multiple response sizes can be separated by commas.
gobuster vhost -u http://onlyrands.com -w "/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt" -p pattern --exclude-length 301 -t 10
Manual href grep
Simple href grep
curl http://workaholic.offsec/ | grep href
A more readable version that starts a new line after every closing > so each tag lands on its own line before grepping (GNU sed):
curl -s http://workaholic.offsec/ | sed 's/>/>\n/g' | grep href
Extract only href="..." values
curl -s http://workaholic.offsec/ | grep -oP 'href="[^"]*"'
Extract all links (including <a> and <link>) cleanly with xmllint
curl -s http://workaholic.offsec/ | xmllint --html --xpath '//a/@href | //link/@href' - 2>/dev/null
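Added example, not from these notes: a POSIX-shell function that does the same href extraction as the one-liners above without curl, grep -P or xmllint, so it also picks up single-quoted and upper-case HREF attributes and prints each target once. The HTML it runs on is constructed sample input so it works offline; in practice pipe curl -s output into extract_hrefs. LC_ALL=C on sort is an assumption made so the order does not depend on the locale.

```shell
#!/bin/sh
# Added example, not part of the original notes. Constructed sample HTML so the
# script runs offline; in practice feed it with: curl -s http://<host>/ | extract_hrefs
SAMPLE_HTML='<html><head><link rel="stylesheet" href="/css/main.css"></head>
<body><a href="/login">Login</a><a href='"'"'/about'"'"'>About</a>
<a HREF="https://dev.example.test/api">API</a><a href="/login">Again</a>
<img src="/logo.png"></body></html>'

# extract_hrefs: read HTML on stdin, print each distinct href value once per line.
#  1. tr puts every tag on its own line (tr maps one char to one char, so it
#     swaps '>' for a newline; it cannot append a newline the way sed can).
#  2. grep keeps only the lines that carry an href attribute (any case).
#  3. sed pulls out the value between the quotes, accepting " or ' and
#     requiring the closing quote to match the opening one (\1).
#  4. sort -u with LC_ALL=C gives a stable, locale-independent unique list.
extract_hrefs() {
  tr '>' '\n' \
    | grep -i 'href=' \
    | sed -n 's/.*[Hh][Rr][Ee][Ff]=\(["'"'"']\)\([^"'"'"']*\)\1.*/\2/p' \
    | LC_ALL=C sort -u
}

# count_hrefs: number of distinct href values in the HTML on stdin.
count_hrefs() {
  extract_hrefs | wc -l | tr -d ' '
}

# Run on the constructed sample when executed directly.
printf '%s' "$SAMPLE_HTML" | extract_hrefs
```

On the sample this prints /about, /css/main.css, /login and https://dev.example.test/api (the duplicate /login is collapsed and the img src is ignored). Anything that is not an href value, such as inline JavaScript navigation or form actions, is out of scope for this grep-style approach, which is why the xmllint variant above is the better choice when the markup is well-formed.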