# Ffuf

{% hint style="success" %}
Related Pages:

* **Download:** [Ffuf Github](https://github.com/ffuf/ffuf)
* [Using Ffuf to Fuzz Web Apps](https://www.freecodecamp.org/news/web-security-fuzz-web-applications-using-ffuf/)
* [Everything About Ffuf](https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html)
* [Advanced Ffuf](https://medium.com/@qaafqasim/mastering-ffuf-basic-and-advanced-commands-60e53bdbffc7)
{% endhint %}

## Directory Busting

{% code overflow="wrap" %}

```shell
$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.240.137/FUZZ
```

{% endcode %}

* `-w` = wordlist
* `-u` = URL
* `-c` = colored output
* `-v` = verbose
* `-mc` = match status code (e.g. only report responses with a status of 200)
* `-k` = ignore SSL/TLS certificate checks
* `-t` = set the number of threads

{% code overflow="wrap" %}

```shell
$ ffuf -u "http://localhost/capstone/FUZZ" -w /usr/share/wordlists/dirb/common.txt -e .php -recursion
```

{% endcode %}

* `-e`: specifies extensions to append to each word. Since the home page is `index.php`, it makes sense to add `.php`; multiple extensions can be given as a comma-separated list (`.php,.html,.txt`).
* `-recursion`: tells ffuf that whenever it finds a directory it should start another scan inside that directory, and so on, until no more results are found.
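From the server side, a directory-busting run like the ones above leaves a burst of distinct paths answered with 404 from a single client. The following is an added detection example, not code from the page or from the ffuf project: it parses access-log lines in the default Apache/nginx combined format and flags clients whose traffic matches that pattern (the log layout, thresholds and sample lines are all assumptions/constructed):

```python
import re
from collections import defaultdict

# Combined log format as written by Apache/nginx by default. The regex is an
# assumption about the layout; adjust it if your server logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return None if m is None else dict(m.groupdict(), status=int(m["status"]))

def find_scanners(lines, min_404=5, min_ratio=0.8):
    """Map IP -> (requests, not_found, distinct_404_paths) for clients whose
    traffic looks like a wordlist scan: many distinct paths answered 404 and
    a high 404 ratio. Thresholds are assumptions; tune them per site."""
    stats = defaultdict(lambda: {"total": 0, "nf": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] == 404:
            s["nf"] += 1
            s["paths"].add(rec["path"])
    return {ip: (s["total"], s["nf"], len(s["paths"]))
            for ip, s in stats.items()
            if s["nf"] >= min_404 and s["nf"] / s["total"] >= min_ratio}

# Constructed sample: one client walking a wordlist and one ordinary visitor who
# hit a single broken link. The User-Agent is trivially changed, so key on behaviour.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.0.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.0.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /config.php HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.0.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /images HTTP/1.1" 301 312 "-" "Fuzz Faster U Fool v2.0.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /old HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.0.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /test.php HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.0.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 3376 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, (total, nf, distinct) in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {nf}/{total} requests 404, {distinct} distinct missing paths")
```

Recursive scans (`-recursion`) and extension spraying (`-e`) only raise the distinct-path count, so the same rule catches them.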

## Enumerate Subdomains

{% code overflow="wrap" %}

```shell
$ ffuf -u http://FUZZ.mydomain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```

{% endcode %}

## Attacking Login Forms with Username and Password

We have a login form with unknown usernames and passwords that we are going to brute force using ffuf:

<figure><img src="https://537410186-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FH9oYbVb7VAsDxBfUpLeo%2Fuploads%2FSM0a7eRwlnO73HFhpjVE%2Fimage.png?alt=media&#x26;token=995385f2-3365-4bf2-919d-788ddd0529f1" alt=""><figcaption></figcaption></figure>

We begin with a test login to capture the POST request:

<figure><img src="https://537410186-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FH9oYbVb7VAsDxBfUpLeo%2Fuploads%2FbkyXk4EysUQYwDm7iHgr%2Fimage.png?alt=media&#x26;token=9baac37e-6cde-4f2f-bdc2-531b8c4b5cff" alt=""><figcaption></figcaption></figure>

We now have the `POST` request. Pay attention to the **Content-Length**, since that is what we will filter on in ffuf, and note that this request needs two FUZZ keywords because we will be brute-forcing both the username and password fields:

<figure><img src="https://537410186-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FH9oYbVb7VAsDxBfUpLeo%2Fuploads%2F91COIdWkXTef1YUpijzG%2Fimage.png?alt=media&#x26;token=06718941-5174-466d-add5-87f4f6104bb5" alt=""><figcaption></figcaption></figure>

We are also going to create a custom password word list:

<figure><img src="https://537410186-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FH9oYbVb7VAsDxBfUpLeo%2Fuploads%2FUpqRdmA4YTeqX49vFP1N%2Fimage.png?alt=media&#x26;token=bc40c789-600c-4a87-aeaa-b16a6bf205d2" alt=""><figcaption></figcaption></figure>

Write out the ffuf command:

{% code overflow="wrap" %}

```shell
ffuf -request <filename> -request-proto http -mode clusterbomb -w <password wordlist>:FUZZPASS -w <username wordlist>:FUZZUSER -fs 3376
```

{% endcode %}

We specify the `FUZZ` keywords that we placed in the `POST` request for both the username and password, and we filter out responses with a **content-length** of **3376**, which we identified earlier as the length of a *failed response*. Each keyword needs its own wordlist. We also set the mode to **clusterbomb**: this mode uses a separate payload set for each defined position and iterates through every combination. Burp Suite's Intruder gives a definition of these modes:

<figure><img src="https://537410186-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FH9oYbVb7VAsDxBfUpLeo%2Fuploads%2FoHpa9Ebcfsn8LEiAiXT7%2Fimage.png?alt=media&#x26;token=d8845dd6-4323-4155-b31c-9499d2d3dd86" alt=""><figcaption></figcaption></figure>

The responses we get back mostly show a **content-length** of **3256**. Trying those credentials shows that the usernames being tried do not actually exist: we do not get the failed-password error, so the response comes back with the 3256 length instead. We can search through the results to see what is different:

<figure><img src="https://537410186-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FH9oYbVb7VAsDxBfUpLeo%2Fuploads%2Frk9wiUeLmcuPmGsA84NM%2Fimage.png?alt=media&#x26;token=07a18c33-bc26-4dc5-9b14-04e2afd6a460" alt=""><figcaption></figcaption></figure>

<figure><img src="https://537410186-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FH9oYbVb7VAsDxBfUpLeo%2Fuploads%2F1r0UkgIo1dHN2jzPM6Wo%2Fimage.png?alt=media&#x26;token=f3ddeaca-4f3e-40b2-b72a-348a3f9856bb" alt=""><figcaption></figcaption></figure>

Sifting through the 3256-length results we find one response with a **3378** content-length:

Trying `admin:letmein`

<figure><img src="https://537410186-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FH9oYbVb7VAsDxBfUpLeo%2Fuploads%2FiRzkNrNaYszwKVzf4dIS%2Fimage.png?alt=media&#x26;token=73008311-9a31-43bd-83c4-389c0b0eb0c9" alt=""><figcaption></figcaption></figure>
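The three lengths seen above (3376 for a wrong password, 3256 for a username that does not exist, 3378 for success) mean the application answers differently depending on whether the username exists, which is what lets the `-fs` filter separate the cases. As an added example that is not part of the original page, here is a constructed Python login handler in that leaky form next to a version that returns one fixed failure body; the user table, salt, page template and the `admin:letmein` credential are assumptions taken from the walkthrough:

```python
import hashlib
import hmac

# Constructed user table for the demo; the only account is admin:letmein, the
# credential found in the walkthrough above. Real code uses a random salt per user.
_SALT = b"constructed-static-salt"

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {"admin": _hash("letmein")}
_DUMMY = _hash("not-a-real-password")  # compared against when the user is unknown
PAGE = "<html><body><form>...</form>{msg}</body></html>"  # constructed template

def login_leaky(username, password):
    """Before: one message for 'no such user', another for 'wrong password'.
    The two bodies differ in length, which is exactly what ffuf -fs separates."""
    if username not in USERS:
        return PAGE.format(msg="<p>Unknown user</p>")
    if hmac.compare_digest(USERS[username], _hash(password)):
        return PAGE.format(msg=f"<p>Welcome back, {username}</p>")
    return PAGE.format(msg="<p>Invalid password for this account</p>")

def login_uniform(username, password):
    """After: a single failure body whatever the reason, plus a dummy hash check
    for unknown users so response time does not leak what the body no longer does."""
    stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(stored, _hash(password))
    if matched and username in USERS:
        return PAGE.format(msg=f"<p>Welcome back, {username}</p>")
    return PAGE.format(msg="<p>Invalid username or password</p>")

def failure_lengths(login):
    """Body lengths for the two failure cases a brute-forcer would compare:
    a username that does not exist vs. a real username with a wrong password."""
    return {len(login("nobody", "x")), len(login("admin", "wrong"))}

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(f"{fn.__name__}: distinct failure lengths = {sorted(failure_lengths(fn))}")
```

With the uniform handler only the successful login stands out by size, so a wordlist run no longer reveals which usernames exist; rate limiting and lockout still have to cover the remaining guesses.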
