CyberNotes
Web Applications/Enumeration

FUFF

Fuzz Faster U Fool is an open-source web fuzzing tool designed for discovering hidden files and directories on web servers by employing brute-force techniques

Subdomains

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.15.249 -fs 2395
  • -fs filters size of responses (may need to check first)

Directories

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u  http://10.0.2.15/FUZZ
  • -recursion : Adds recursion : set to true
  • -recursion-depth : How many levels? : 0-x
  • -fc : Filters HTTP status codes (i.e redirects)

POST Requests

  1. Run this first to see the size of the request
ffuf -request req.txt -request-proto http -w /usr/share/wordlists/fasttrack.txt
  1. And then run this to filter the size you don't want
ffuf -request req.txt -request-proto http -w /usr/share/wordlists/fasttrack.txt -fs 1814

Usernames

ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.75.26/customers/signup -mr "username already exists"

  • -w selects the file's location on the computer that contains the list of usernames that we're going to check exists.

  • -X specifies the request method, this will be a GET request by default, but it is a POST request in our example.

  • -d specifies the data that we are going to send. In our example, we have the fields username, email, password and cpassword.

We've set the value of the username to FUZZ. In the ffuf tool, the FUZZ keyword signifies where the contents from our wordlist will be inserted in the request.

  • -H is used for adding additional headers to the request. In this instance, we're setting the Content-Type so the web server knows we are sending form data.

  • -u specifies the URL we are making the request to, and finally,

  • -mr is the text on the page we are looking for to validate we've found a valid username.

Bruteforce Login

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.75.26/customers/login -fc 200

In this instance, we've chosen W1 for our list of valid usernames and W2 for the list of passwords we will try. The multiple wordlists are again specified with the -w argument but separated with a comma.

For a positive match, we're using the -fc argument to check for an HTTP status code other than 200.

Resources

Enumerating Emails

A python script to enumerate emails

Subdomains

The process of identifying all subdomains for a given domain

On this page