
How to Fuzz Parameters, Directories & More with Ffuf « Null Byte :: WonderHowTo



The art of fuzzing is an important skill for any penetration tester or hacker to have. The faster you fuzz, and the more efficiently you do it, the closer you get to your goal, whether that means finding a valid bug or identifying an initial attack vector. A tool called ffuf helps speed things up and fuzz for parameters, directories, and more.

What is Fuzzing?

Fuzzing, or fuzz testing, is the automated process of feeding malformed or random data to software in order to detect errors. In pentesting, a wordlist is usually used to iterate through values, and the results are observed and analyzed.

Fuzzing usually involves testing inputs; these can range from alphanumeric characters to find buffer overflows, to odd characters to test for SQL injection. Fuzzing is also often used to discover hidden directories and files and to determine valid parameter names and values.

We will use Metasploitable 2 as our target and Kali Linux as our local machine to show ffuf’s power in fuzzing.

Step 1: Install and configure Ffuf

The only requirement to run ffuf is to install Go, which can easily be done on Kali with the package manager.

~$ sudo apt install golang

Reading package lists... Done
Building dependency tree
Reading state information... Done
golang is already the newest version (2:1.14~2).
0 upgraded, 0 newly installed, 0 to remove and 17 not upgraded.

Then download the latest ffuf release from GitHub. At the time of writing, this is version 1.1.0. We can use wget to download it.

~$ wget https://github.com/ffuf/ffuf/releases/download/v1.1.0/ffuf_1.1.0_linux_amd64.tar.gz

--2020-08-27 11:36:41--  https://github.com/ffuf/ffuf/releases/download/v1.1.0/ffuf_1.1.0_linux_amd64.tar.gz
Resolving github.com (github.com)... 140.82.112.4
Connecting to github.com (github.com)|140.82.112.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/156681830/192d4700-cceb-11ea-97f4-adcd48470676?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200827%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200827T163641Z&X-Amz-Expires=300&X-Amz-Signature=493a4881a3e960fb7c29baa5ee999efe96bbb5414fd122355b1ec19fe65d1214&X-Amz-SignedHeaders=host&actor_id=0&repo_id=156681830&response-content-disposition=attachment%3B%20filename%3Dffuf_1.1.0_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
--2020-08-27 11:36:41--  https://github-production-release-asset-2e65be.s3.amazonaws.com/156681830/192d4700-cceb-11ea-97f4-adcd48470676?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200827%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200827T163641Z&X-Amz-Expires=300&X-Amz-Signature=493a4881a3e960fb7c29baa5ee999efe96bbb5414fd122355b1ec19fe65d1214&X-Amz-SignedHeaders=host&actor_id=0&repo_id=156681830&response-content-disposition=attachment%3B%20filename%3Dffuf_1.1.0_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.217.37.12
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.217.37.12|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3101002 (3.0M) [application/octet-stream]
Saving to: ‘ffuf_1.1.0_linux_amd64.tar.gz’

ffuf_1.1.0_linux_amd64.tar.gz                               100%[========================================================================================================================================>]   2.96M  5.74MB/s    in 0.5s

2020-08-27 11:36:42 (5.74 MB/s) - ‘ffuf_1.1.0_linux_amd64.tar.gz’ saved [3101002/3101002]

Now we need to extract the contents of the archive.

~$ tar xzf ffuf_1.1.0_linux_amd64.tar.gz

We should now have the ffuf binary in the current working directory, and we can run it with dot-slash.

~$ ./ffuf

Encountered error(s): 2 errors occured.
        * -u flag or -request flag is required
        * Either -w or --input-cmd flag is required

Fuzz Faster U Fool - v1.1.0

HTTP OPTIONS:
  -H               Header `"Name: Value"`, separated by colon. Multiple -H flags are accepted.
  -X               HTTP method to use (default: GET)
  -b               Cookie data `"NAME1=VALUE1; NAME2=VALUE2"` for copy as curl functionality.
  -d               POST data
  -ignore-body     Do not fetch the response content. (default: false)
  -r               Follow redirects (default: false)
  -recursion       Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
  -recursion-depth Maximum recursion depth. (default: 0)
  -replay-proxy    Replay matched requests using this proxy.
  -timeout         HTTP request timeout in seconds. (default: 10)
  -u               Target URL
  -x               HTTP Proxy URL

GENERAL OPTIONS:
  -V               Show version information. (default: false)
  -ac              Automatically calibrate filtering options (default: false)
  -acc             Custom auto-calibration string. Can be used multiple times. Implies -ac
  -c               Colorize output. (default: false)
  -maxtime         Maximum running time in seconds for entire process. (default: 0)
  -maxtime-job     Maximum running time in seconds per job. (default: 0)
  -p               Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
  -s               Do not print additional information (silent mode) (default: false)
  -sa              Stop on all error cases. Implies -sf and -se. (default: false)
  -se              Stop on spurious errors (default: false)
  -sf              Stop when > 95% of responses return 403 Forbidden (default: false)
  -t               Number of concurrent threads. (default: 40)
  -v               Verbose output, printing full URL and redirect location (if any) with the results. (default: false)

...

Running it without any arguments prints the help information and some usage examples. Let's say we wanted to be able to run this tool from anywhere: all we need to do is move ffuf to any directory in our PATH.

~$ sudo cp ffuf /usr/local/bin/

Now we can run it anywhere without having to have it in the current directory.

~$ ffuf -V

ffuf version: 1.1.0

The last step to get started is optional. Having a good set of wordlists is important for any security professional, and the SecLists collection has almost everything you need. It is available on GitHub, but we can also install it locally on our machine with the package manager.

~$ sudo apt install seclists

Step 2: Perform basic fuzzing

At the most basic level, we can use ffuf to fuzz for hidden directories or files. There are tools like gobuster out there made for this specific purpose, but using something like ffuf has its advantages.

For example, let's say you're testing a website that has some form of rate limiting in place. With other tools, it can be challenging to make them go slower, and this is exactly where a tool like ffuf comes into play, because we can fine-tune the speed and timing options. More on that later.

Just provide a wordlist with the -w flag, the URL with the -u flag, and put the FUZZ keyword where we want our fuzzing to be inserted.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]
config                  [Status: 301, Size: 319, Words: 21, Lines: 10]
docs                    [Status: 301, Size: 317, Words: 21, Lines: 10]
about                   [Status: 302, Size: 0, Words: 1, Lines: 1]
external                [Status: 301, Size: 321, Words: 21, Lines: 10]
favicon.ico             [Status: 200, Size: 1405, Words: 5, Lines: 2]
php.ini                 [Status: 200, Size: 148, Words: 17, Lines: 5]
index                   [Status: 302, Size: 0, Words: 1, Lines: 1]
robots                  [Status: 200, Size: 26, Words: 3, Lines: 2]
robots.txt              [Status: 200, Size: 26, Words: 3, Lines: 2]
instructions            [Status: 302, Size: 0, Words: 1, Lines: 1]
index.php               [Status: 302, Size: 0, Words: 1, Lines: 1]
logout                  [Status: 302, Size: 0, Words: 1, Lines: 1]
phpinfo                 [Status: 302, Size: 0, Words: 1, Lines: 1]
login                   [Status: 200, Size: 1289, Words: 83, Lines: 66]
phpinfo.php             [Status: 302, Size: 0, Words: 1, Lines: 1]
setup                   [Status: 200, Size: 3549, Words: 182, Lines: 81]
security                [Status: 302, Size: 0, Words: 1, Lines: 1]
:: Progress: [4658/4658] :: Job [1/1] :: 388 req/sec :: Duration: [0:00:12] :: Errors: 0 ::

You will notice that the usage is very similar to wfuzz, so users of that tool will feel somewhat familiar with how ffuf works.

After the banner, we can see the request method, URL, and the other options that are set. When ffuf gets a hit on something from the wordlist, it gives us the name of the file or directory, the HTTP status code, and some information about the length of the response (size in bytes, words, and lines).

We can also include any necessary cookies in our request using the -b flag.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -b "PHPSESSID=a4885a1d1802209109693054d94ae214; security=low" -u http://10.10.0.50/dvwa/FUZZ

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Header           : Cookie: PHPSESSID=a4885a1d1802209109693054d94ae214; security=low
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]

...

In the same way, we can include any custom headers we want with the -H flag.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -H "Host: 10.10.0.50" -u http://10.10.0.50/dvwa/FUZZ

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Header           : Host: 10.10.0.50
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]

...

Instead of making standard GET requests, we can also send POST requests. Use the -X flag to specify the request method, in this case POST, and include the request body with the -d flag.

~$ ffuf -w /usr/share/seclists/Passwords/darkweb2017-top100.txt -X POST -d "username=admin&password=FUZZ&Login=Login" -u http://10.10.0.50/dvwa/login.php

________________________________________________

 :: Method           : POST
 :: URL              : http://10.10.0.50/dvwa/login.php
 :: Wordlist         : FUZZ: /usr/share/seclists/Passwords/darkweb2017-top100.txt
 :: Data             : username=admin&password=FUZZ&Login=Login
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

123abc                  [Status: 200, Size: 1289, Words: 83, Lines: 66]
123456789               [Status: 200, Size: 1289, Words: 83, Lines: 66]
123321                  [Status: 200, Size: 1289, Words: 83, Lines: 66]

...

We can also use ffuf to fuzz for parameter names: simply replace the parameter name to fuzz with the FUZZ keyword.

~$ ffuf -w /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt -u http://10.10.0.50/dvwa/instructions.php?FUZZ=readme

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/instructions.php?FUZZ=readme
 :: Wordlist         : FUZZ: /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

!.htpasswd              [Status: 302, Size: 0, Words: 1, Lines: 1]
.AppleDouble            [Status: 302, Size: 0, Words: 1, Lines: 1]
.AppleDesktop           [Status: 302, Size: 0, Words: 1, Lines: 1]
.bak                    [Status: 302, Size: 0, Words: 1, Lines: 1]
!.htaccess              [Status: 302, Size: 0, Words: 1, Lines: 1]

...

Fuzzing for parameter values works in the same way.

~$ ffuf -w /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt -u http://10.10.0.50/dvwa/instructions.php?doc=FUZZ

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/instructions.php?FUZZ=readme
 :: Wordlist         : FUZZ: /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

!.htpasswd              [Status: 302, Size: 0, Words: 1, Lines: 1]
.AppleDouble            [Status: 302, Size: 0, Words: 1, Lines: 1]
.AppleDesktop           [Status: 302, Size: 0, Words: 1, Lines: 1]
.bak                    [Status: 302, Size: 0, Words: 1, Lines: 1]
!.htaccess              [Status: 302, Size: 0, Words: 1, Lines: 1]

...
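The runs above are what a wordlist walk looks like from the attacker's seat; the defender sees the same thing in the web server's access log. As an added example (not from the original post or the ffuf project), this Python script profiles constructed Apache combined-format log lines per client and flags the burst of 403/404 responses, the many distinct query-parameter names from parameter fuzzing, and the default ffuf User-Agent string. The log lines, IPs and thresholds are constructed, and the User-Agent value is assumed from the ffuf 1.x default.

```python
"""Spot directory/parameter fuzzing in web server access logs.

Added example for the defender side of the tutorial; not part of the original
post or of ffuf. Log lines are constructed in Apache combined format; the
User-Agent "Fuzz Faster U Fool v1.1.0" is assumed to be what ffuf 1.x sends
unless -H overrides it, so treat it as a weak, easily spoofed signal.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one client walking common.txt-style names and probing
# parameter names, plus one normal visitor.
SAMPLE_LOG = """\
10.10.0.9 - - [27/Aug/2020:11:40:01 -0500] "GET /dvwa/.hta HTTP/1.1" 403 292 "-" "Fuzz Faster U Fool v1.1.0"
10.10.0.9 - - [27/Aug/2020:11:40:01 -0500] "GET /dvwa/.htpasswd HTTP/1.1" 403 297 "-" "Fuzz Faster U Fool v1.1.0"
10.10.0.9 - - [27/Aug/2020:11:40:01 -0500] "GET /dvwa/README HTTP/1.1" 200 4934 "-" "Fuzz Faster U Fool v1.1.0"
10.10.0.9 - - [27/Aug/2020:11:40:02 -0500] "GET /dvwa/admin HTTP/1.1" 404 291 "-" "Fuzz Faster U Fool v1.1.0"
10.10.0.9 - - [27/Aug/2020:11:40:02 -0500] "GET /dvwa/backup HTTP/1.1" 404 292 "-" "Fuzz Faster U Fool v1.1.0"
10.10.0.9 - - [27/Aug/2020:11:40:02 -0500] "GET /dvwa/instructions.php?doc=readme HTTP/1.1" 302 0 "-" "Fuzz Faster U Fool v1.1.0"
10.10.0.9 - - [27/Aug/2020:11:40:03 -0500] "GET /dvwa/instructions.php?debug=readme HTTP/1.1" 302 0 "-" "Fuzz Faster U Fool v1.1.0"
10.10.0.9 - - [27/Aug/2020:11:40:03 -0500] "GET /dvwa/instructions.php?test=readme HTTP/1.1" 302 0 "-" "Fuzz Faster U Fool v1.1.0"
10.10.0.21 - - [27/Aug/2020:11:40:05 -0500] "GET /dvwa/login.php HTTP/1.1" 200 1289 "-" "Mozilla/5.0"
10.10.0.21 - - [27/Aug/2020:11:40:09 -0500] "GET /dvwa/index.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$')
FFUF_UA = re.compile(r"Fuzz Faster U Fool", re.I)  # assumed ffuf 1.x default


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = d["target"].partition("?")
    d["path"] = path
    # Parameter *names* only: parameter fuzzing rotates the name, not the value.
    d["params"] = tuple(sorted(k for k in (p.split("=")[0] for p in query.split("&")) if k))
    return d


def profile_clients(log_text):
    """Build per-IP counters that together characterize a fuzzing run."""
    prof = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set(),
                                "param_names": set(), "ffuf_ua": 0,
                                "first": None, "last": None})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        p = prof[e["ip"]]
        p["requests"] += 1
        p["errors"] += int(e["status"] in (403, 404))
        p["paths"].add(e["path"])
        p["param_names"].update(e["params"])
        p["ffuf_ua"] += int(bool(FFUF_UA.search(e["ua"])))
        p["first"] = e["ts"] if p["first"] is None else min(p["first"], e["ts"])
        p["last"] = e["ts"] if p["last"] is None else max(p["last"], e["ts"])
    return prof


def flag_fuzzers(prof, min_requests=5, error_ratio=0.3, max_span=60, min_param_names=3):
    """Return {ip: [reasons]} for clients whose traffic looks like a wordlist walk."""
    flagged = {}
    for ip, p in prof.items():
        reasons = []
        span = (p["last"] - p["first"]).total_seconds()
        if (p["requests"] >= min_requests and span <= max_span
                and p["errors"] / p["requests"] >= error_ratio):
            reasons.append("burst of %d requests, %.0f%% 403/404, %.0fs span"
                           % (p["requests"], 100 * p["errors"] / p["requests"], span))
        if len(p["param_names"]) >= min_param_names:
            reasons.append("%d distinct query parameter names" % len(p["param_names"]))
        if p["ffuf_ua"]:
            reasons.append("ffuf default User-Agent on %d requests" % p["ffuf_ua"])
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, why in flag_fuzzers(profile_clients(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(why))
```

The error-ratio rule is the one that survives a changed User-Agent and a slowed-down scan (-p), as long as the window is widened to match.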

Step 3: Test filtering and time options

Ffuf can perform matching and filtering, depending on what you want to see in the results. For example, if we only wanted to see results with a 200 status code, we could use the -mc switch to match on it.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -mc 200

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]
favicon.ico             [Status: 200, Size: 1405, Words: 5, Lines: 2]
php.ini                 [Status: 200, Size: 148, Words: 17, Lines: 5]
robots                  [Status: 200, Size: 26, Words: 3, Lines: 2]
robots.txt              [Status: 200, Size: 26, Words: 3, Lines: 2]

...

Conversely, we can also filter out certain status codes using the -fc switch.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -fc 403

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 :: Filter           : Response status: 403
________________________________________________

README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]
config                  [Status: 301, Size: 319, Words: 21, Lines: 10]
docs                    [Status: 301, Size: 317, Words: 21, Lines: 10]
external                [Status: 301, Size: 321, Words: 21, Lines: 10]
favicon.ico             [Status: 200, Size: 1405, Words: 5, Lines: 2]
php.ini                 [Status: 200, Size: 148, Words: 17, Lines: 5]
about                   [Status: 302, Size: 0, Words: 1, Lines: 1]

...

This hides all results with a 403 status code. Multiple codes for matching or filtering can be given as long as they are comma-separated.

We can perform similar matching and filtering on response size and on the number of words or lines. For example, to filter out all results with a response size of 0, do the following.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -fs 0

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 :: Filter           : Response size: 0
________________________________________________

.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]
config                  [Status: 301, Size: 319, Words: 21, Lines: 10]
docs                    [Status: 301, Size: 317, Words: 21, Lines: 10]
external                [Status: 301, Size: 321, Words: 21, Lines: 10]
favicon.ico             [Status: 200, Size: 1405, Words: 5, Lines: 2]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
php.ini                 [Status: 200, Size: 148, Words: 17, Lines: 5]

...

Ffuf also has some additional features to control the timing of requests. To set a timeout for each individual request, use -timeout (the default is 10 seconds).

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -timeout 5

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 5
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]
config                  [Status: 301, Size: 319, Words: 21, Lines: 10]

...

We can also set a delay between each request with the -p flag. For example, to wait two seconds between requests, try the following.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -p 2

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Delay            : 2.00 seconds
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]

...

This is extremely useful in situations where rate limits are in place, or when we simply do not want to hammer a website with requests.

Another handy feature is the ability to set a maximum running time for ffuf. This is useful when using a large wordlist and you do not want to wait all day for it to finish. Use the -maxtime option followed by the number of seconds ffuf should run before exiting.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -maxtime 60

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]

...

If we want to go faster, we can set the number of concurrent threads with the -t flag (the default is 40).

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -t 60

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 60
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]
.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
config                  [Status: 301, Size: 319, Words: 21, Lines: 10]

...

For easier reading in the terminal, we can use the -s flag to print only the found objects and no other noise.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -s

.htpasswd
README
config
docs
external
favicon.ico
about

...

This is useful if we want to grep the output or use the results in a script, not to mention it's just a little cleaner.

We can also save all results to a file using the -o switch.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -o results.txt

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Output file      : results.txt
 :: File format      : json
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]

...

The default format is JSON, but we can change it with -of flag. For example, to save the results in HTML format, try:

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -o results.txt -of html

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Output file      : results.txt
 :: File format      : html
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]

...
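The filters from earlier in this step (-mc, -fc, -fs) and the JSON written by -o go well together: once the results are on disk, the same matching and filtering can be re-applied without re-running the scan. As an added example, not from the original post or the ffuf project, this Python script loads a results file, re-applies match/filter logic, and flags response signatures repeated across many different inputs (here the DVWA login redirects with Size: 0), which is the kind of noise -ac auto-calibration is meant to suppress. The sample JSON is constructed, and the field names ("results", "input", "status", "length", "words", "lines", "redirectlocation") are assumed from the 1.x JSON output layout.

```python
"""Post-process an ffuf JSON results file the way -mc/-fc/-fs/-fw/-fl would.

Added example, not part of the original tutorial or of ffuf. Assumes the
ffuf 1.x JSON layout: a top-level "results" list whose entries carry "input"
(a dict keyed by the FUZZ keyword), "status", "length", "words", "lines",
"url" and "redirectlocation". The sample document below is constructed to
mirror the tutorial's DVWA run; it is not real captured output.
"""
import json
from collections import Counter

SAMPLE_JSON = json.dumps({
    "commandline": "ffuf -w common.txt -u http://10.10.0.50/dvwa/FUZZ -o results.txt",
    "results": [
        {"input": {"FUZZ": ".htaccess"}, "status": 403, "length": 297, "words": 22,
         "lines": 11, "url": "http://10.10.0.50/dvwa/.htaccess", "redirectlocation": ""},
        {"input": {"FUZZ": "README"}, "status": 200, "length": 4934, "words": 637,
         "lines": 120, "url": "http://10.10.0.50/dvwa/README", "redirectlocation": ""},
        {"input": {"FUZZ": "config"}, "status": 301, "length": 319, "words": 21,
         "lines": 10, "url": "http://10.10.0.50/dvwa/config",
         "redirectlocation": "http://10.10.0.50/dvwa/config/"},
        {"input": {"FUZZ": "about"}, "status": 302, "length": 0, "words": 1,
         "lines": 1, "url": "http://10.10.0.50/dvwa/about", "redirectlocation": "login.php"},
        {"input": {"FUZZ": "index.php"}, "status": 302, "length": 0, "words": 1,
         "lines": 1, "url": "http://10.10.0.50/dvwa/index.php", "redirectlocation": "login.php"},
        {"input": {"FUZZ": "php.ini"}, "status": 200, "length": 148, "words": 17,
         "lines": 5, "url": "http://10.10.0.50/dvwa/php.ini", "redirectlocation": ""},
    ],
})

# ffuf's default status-code matcher, as shown in the banner of every run above.
DEFAULT_MATCH = {200, 204, 301, 302, 307, 401, 403}


def load_results(text):
    """Parse an ffuf JSON document (as a string) and return its result entries."""
    return json.loads(text).get("results", [])


def apply_filters(results, match_codes=None, filter_codes=(), filter_sizes=(),
                  filter_words=(), filter_lines=()):
    """Re-apply ffuf-style matching and filtering after the fact.

    match_codes mirrors -mc (None keeps the default set); the filter_* tuples
    mirror -fc, -fs, -fw and -fl. As in ffuf, a filter hit drops a result even
    if the matcher accepted it.
    """
    wanted = DEFAULT_MATCH if match_codes is None else set(match_codes)
    kept = []
    for r in results:
        if r["status"] not in wanted:
            continue
        if (r["status"] in filter_codes or r["length"] in filter_sizes
                or r["words"] in filter_words or r["lines"] in filter_lines):
            continue
        kept.append(r)
    return kept


def noisy_signatures(results, min_count=2):
    """Return {(status, length, words, lines): count} for signatures seen repeatedly.

    A signature shared by many unrelated inputs is almost always a catch-all
    response (here: every protected page answers 302 / Size 0 to login.php),
    and filtering on it (-fs 0 in the tutorial) removes the bulk of the noise.
    """
    sigs = Counter((r["status"], r["length"], r["words"], r["lines"]) for r in results)
    return {sig: n for sig, n in sigs.items() if n >= min_count}


def summarize(results):
    """Compact (word, status, size, redirect) rows for a report or a script."""
    return [(r["input"]["FUZZ"], r["status"], r["length"], r.get("redirectlocation", ""))
            for r in results]


if __name__ == "__main__":
    results = load_results(SAMPLE_JSON)
    print("repeated signatures:", noisy_signatures(results))
    for row in summarize(apply_filters(results, filter_codes=(403,), filter_sizes=(0,))):
        print(row)
```

To run it against a real file, replace SAMPLE_JSON with the contents of the results.txt written by -o (the default -of json format).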

Wrapping Up

In this tutorial we learned a bit about fuzzing and how to use a tool called ffuf to fuzz for directories, parameters, and more. First we installed the tool and configured it to run on our system. Next, we covered some basic fuzzing, including fuzzing GET requests, POST requests, and parameters. Finally, we finished with some filtering and timing options for more fine-grained control. Hope you find ffuf as valuable as we do!

Do you want to start making money as a white hat hacker? Start your career with white hat hacking with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from ethical hacking professionals.


Cover image by Logan Kirschner / Pexels; screenshots by drd_ / Null Byte
