Ffuf

Related Pages:

• Download: Ffuf Github

• Using Ffuf to Fuzz Web Apps

• Everything About Ffuf

• Advanced Ffuf

Directory Busting

$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.240.137/FUZZ

• -w = wordlist

• -u = URL

• -c = colored

• -v= verbose

• -mc= match code (ex. flag to only look for files with a status of 200.)

• -k=Ignore SSL checks

• -t= Set threads

$ ffuf -u "http://localhost/capstone/FUZZ" -w /usr/share/wordlists/dirb/common.txt -e .php -recursion

• -e: is to specify extensions, since the home page is "index.php" it would be a good idea to specify php (can specify multiple like .php,.html,.txt)

• -recursion: This switch tells ffuf that if it encounters a directory it should start another scan within that directory and so on until no more results are found

Enumerate Subdomains

$ ffuf -u http://FUZZ.mydomain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

Attacking Login Forms with Username and Password

We have a login form that we are going to try and brute force with unknown usernames and passwords, using FFUF:

We begin with a test login to capture the POST request:

We have the POST request, and pay attention to the Content-Length so we know what to filter out in FFUF, and notice we have to Fuzz parameters for this request since we will be bruteforcing both the username and password fields:

We are also going to create a custom password word list:

Write out the ffuf command:

ffuf  -request <filename> -request-proto http -mode clusterbomb -w <password wordlist>:FUZZPASS -w <username wordlist>:FUZZUSER -fs 3376

We specify the FUZZ parameter that we set in the POST request for both the username and password, we are also filtering out the content-length of 3376 because we identified that earlier as being the length of a failed response. We have to set a wordlist for each parameter. We also set a mode "clusterbomb" this mode will utilize multiple payloads for each defined position, and the attacks iterate through each payload. Checking in BurpSuite's Intruder will give a definition of these modes:

The responses we get back show a content-length of 3256, and trying those credentials shows that the user accounts that are being tried, do not actually exist because we do not get a failed password error, which results in the 3256 length. We can search through the results to see what is different:

Sifting through the 3256 results we see a result with 3378 content-length:

Trying admin:letmein