Day 18/100 Hack and Improvement

1 minute read

Using a swiss knife with ffuf

From Sam (CoffeeJunkie) and Rajesh Ranjan. Ffuf has come to the cybersecurity scene as one of the most effective and fastest fuzzer tool in the industry. Depending on the creativity of the user, and the needs at the time for its usage, it can be used for most of the things that can be possible such as directory bruteforcing, virtual host scanner, subdomain bruteforcer, parameter discovery, and more depending of the needs of the user.

Simple Directory Brute Force with Ffuf

Directory brute force can be achieved with the following command.

ffuf -c -w /path/wordlist.txt -u http://redacted.com/FUZZ 

People can filter the type of requests and values by the words of the response, personally I rather to filter by the values of the response in order to find more endpoints to attack.

ffuf -c -w /path/wordlist.txt -u http://redacted.com/FUZZ -mc all -fw 9,10,11

Where:

  • mc all –> will get all the responses.
  • fw –> will filter according the number of words in the response.

Virtual Host Discovery

Firs of all we need to know the response lenght of a false positive with the following command.

curl -s -H "Host: nonexistent.coffeejunkie.com" http://coffeejunkie.com | wc -l

nmap scan

Once we know the lenght of the response, we can filter it with ffuf in order to obtain the desired results.

ffuf -w /path/wordlist -u https://coffeejunkie.me -H "Host: FUZZ" -fs 9115

You’re all set!

Get parameter and values brute forcer

Taking the example from above, we need to know the response lenght in order to obtain the desire results. Once we know the response lenght we can execute the following command.

ffuf -w /path/wordlist.txt -u https://redacted.com/script.php?FUZZ=test_value -fs 4242

As a side note, this can work as well to brute force the values according the lenght response.

ffuf -w /path/wordlist.txt -u https://redacted.com/script.php?valid_name=FUZZ -fc 401

You’re all set!

Fuzzing with POST data

This keep being straightforward, in this time we want to brute force the password, in order to do it we are going to filter the response of the target which in this case is 401.

ffuf -w /path/wordlist.txt -X POST -d "username=admin\&password=FUZZ" -u https://redacted.com/login.php -fc 401

You’re all set!

Subdomain Brute Forcing

In this case we need to know the lenght of the data and a good DNS list to brute force with the following command.

ffuf -w /path/wordlist.txt -u https://FUZZ.redacted.com/ -mc all -fw 24,30

FFuf has come as “all in one” tool depending on the creativity of the user.

Leave a comment