Fuzz an id from 000 to 020
wfuzz -z range,000-020 "http://satctrl.bahamas.ysh/?id=FUZZ"
Fuzz a parameter name
wfuzz -z file,./burp-parameter-names.txt "http://satctrl.bahamas.ysh/action.php?FUZZ=aaaaaaa"
Press Ctrl-C and note the number of characters in the typical responses (the Chars column), for example 400.
Rerun using the --hh option to exclude responses of this size, and to easily identify responses that generate a different page.
wfuzz -z file,./burp-parameter-names.txt "http://satctrl.bahamas.ysh/action.php?FUZZ=aaaaaaa" --hh 400
Fuzzing the value of a URL parameter
wfuzz -z file,./burp-parameter-names.txt "http://satctrl.bahamas.ysh/action.php?command=FUZZ"
Press Ctrl-C and note the number of characters in the typical responses (the Chars column), for example 400.
Rerun using the --hh option to exclude responses of this size, and to easily identify responses that generate a different page.
wfuzz -z file,./burp-parameter-names.txt "http://satctrl.bahamas.ysh/action.php?command=FUZZ" --hh 400
Fuzzing an FQDN prefix
wfuzz -z file,./burp-parameter-names.txt "http://FUZZ.bahamas.ysh"
wfuzz -z file,./burp-parameter-names.txt "http://FUZZ.bahamas.ysh" --hh 400
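The "note the common size, then exclude it" step used above can be scripted. This is an added example, not part of the original notes: it assumes the results were saved as one "<chars> <payload>" pair per line (a constructed format and constructed sample), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: one "<chars> <payload>" pair per line, as could be
# transcribed from the Chars and Payload columns of a fuzzing run.
SAMPLE='400 id
400 user
400 page
1250 command
400 debug
400 file
37 token'

# Print the most frequent response size (the value to give to --hh).
# Exit status is non-zero when that size covers half of the responses
# or fewer: the page then has no stable baseline (for example because it
# echoes the payload back), and hiding a single size is not reliable.
baseline_chars() {
    awk '{ count[$1]++; total++ }
         END { for (s in count) if (count[s] > best) { best = count[s]; size = s }
               print size
               exit !(best * 2 > total) }'
}

# Print only the lines whose size differs from the given baseline.
outliers() {
    awk -v base="$1" '$1 != base'
}

if base=$(printf '%s\n' "$SAMPLE" | baseline_chars); then
    echo "baseline: $base chars, rerun with --hh $base"
    printf '%s\n' "$SAMPLE" | outliers "$base"
else
    echo "no dominant response size, compare responses by another column" >&2
fi
```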
Useful lists
subdomains-top1million-5000.txt
burp-parameter-names.txt
From: https://github.com/danielmiessler/SecLists