Network Discovery

Wfuzz

Fuzz an id from 000 to 020

wfuzz -z range,000-020 http://satctrl.bahamas.ysh/?id=FUZZ

Fuzz a parameter name

wfuzz -z file,./burp-parameter-names.txt "http://satctrl.bahamas.ysh/action.php?FUZZ=aaaaaaa"

Ctrl-C, identify the number of characters in the answers. For example 400.
Rerun using the --hh option to exclude responses of this size, and to easily identify responses that generate a different page.

wfuzz -z file,./burp-parameter-names.txt "http://satctrl.bahamas.ysh/action.php?FUZZ=aaaaaaa" --hh 400    

Fuzzing the value of a url parameter

wfuzz -z file,./burp-parameter-names.txt "http://satctrl.bahamas.ysh/action.php?command=FUZZ"

Ctrl-C, identify the number of characters in the answers. For example 400.
Rerun using the --hh option to exclude responses of this size, and to easily identify responses that generate a different page.

wfuzz -z file,./burp-parameter-names.txt "http://satctrl.bahamas.ysh/action.php?FUZZ=aaaaaaa" --hh 400    

Fuzzing an fqdn prefix

wfuzz -z file,./burp-parameter-names.txt "http://FUZZ.bahamas.ysh"
wfuzz -z file,./burp-parameter-names.txt "http://FUZZ.bahamas.ysh" --hh 400    

Usefull lists
subdomains-top1million-5000.txt
burp-parameter-names.txt
From: https://github.com/danielmiessler/SecLists