A blog by https://twitter.com/darshanp4tel
Q. What is ffuf?
A → FFUF, or “Fuzz Faster you Fool”, is an open-source web fuzzing tool intended for discovering elements and content within web applications or web servers.
Q. What does this mean?
A → Often when you visit a website you are presented with the content that the owner wants to serve you, hosted at a page such as index.php. In security, the issues that need correcting usually live outside that intended content. For example, the owner may also have content hosted at admin.php that you both want to know about and want to test. FFUF is a tool for uncovering those items for your perusal.
Q. Why ffuf?
A → Since its release a lot of people have gravitated towards ffuf due to its speed, flexibility, and ability to integrate quickly into outside tooling. ffuf is also consistently maintained.
Other Noteworthy points :
FFUF is a command-line application that runs in the Linux terminal or the Windows Command Prompt. It has no interactive GUI and is instead driven entirely by command-line flags.
- Install from source: go get github.com/ffuf/ffuf
- Upgrade from source: go get -u github.com/ffuf/ffuf (the -u flag also updates an existing installation)
- Kali Linux: sudo apt-get install ffuf
- ffuf -V (after installation, verifies the installed version)
- ffuf -u https://<website>/FUZZ -w ./wordlist.txt
-u → specifies url
-w → specifies wordlist
FUZZ → keyword marking the place where each wordlist entry is substituted
ffuf -u https://<website>/FUZZ -w ./wordlist.txt -recursion
-recursion → tells ffuf to take each directory it finds and fuzz another layer beneath it
-recursion-depth → works together with -recursion and lets us decide how many levels deep the recursion should go
ffuf -u https://<website>/FUZZ -w ./wordlist.txt -recursion -e .bak
-e → specifies which file extensions to append to each word (multiple extensions are given comma-separated, e.g. -e .bak,.php,.html)
Fuzzing Multiple Locations
With a keyword attached to each wordlist (W1 and W2), ffuf scans each domain in wordlist2.txt using the words from wordlist1.txt, allowing us to run at scale without outside scripting or applications.
Note: any other keywords can be used instead of W1 and W2.
ffuf can also match responses on specific attributes so that only interesting results are shown. A few of the matcher flags are:
- mc : match by status code
- ml : match by number of lines in the response
- mr : match by regex pattern
- ms : match by response size
- mw : match by number of words in the response
Here are a few demonstrations to make it clearer and easier to understand.
To show only responses with status code 200 or 302, use:
ffuf -w wordlist.txt -u http://<website>/FUZZ -e .aspx,.html -mc 200,302
The -maxtime flag ends the fuzzing run after the specified number of seconds.
ffuf -w wordlist.txt -u http://<website>/FUZZ -maxtime 60
The above command runs for 60 seconds and then stops, even if the wordlist has not been exhausted.
ffuf can also find subdomains (virtual hosts) that have no DNS record, and it does so very quickly.
It does this by fuzzing the Host header of the HTTP request. The -H flag specifies an HTTP request header, and multiple -H flags are allowed.
ffuf -w subdomains.txt -u http://<website>/ -H "Host: FUZZ.website.com"
If the tool reports many subdomains and most of them do not actually exist, the filter options can be used to hide the catch-all responses.
Note the most common size, word count or line count among the false-positive responses and then specify that value in a filter. Use:
- fw : to filter by the amount of words
- fl : to filter by the number of lines
- fs : to filter by the size of the response
- fc : to filter by the status code
- fr : to filter by the regex pattern
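To pick the filter value the note above describes, here is an added example (not from the blog) that reads ffuf-style terminal output and derives the -fs/-fw/-fl baseline; the hostnames and numbers in FFUF_OUTPUT are constructed.

```shell
#!/bin/sh
# Added example (not from the blog): pick the filter value for a run like
# the Host-header one above. The lines in FFUF_OUTPUT are constructed to
# mimic ffuf's terminal layout "[Status: N, Size: N, Words: N, Lines: N]";
# the catch-all response (every unknown vhost gets the same page) is the
# most common size, and that is the value to hand to -fs.
FFUF_OUTPUT='www                     [Status: 200, Size: 1203, Words: 88, Lines: 40]
mail                    [Status: 200, Size: 1203, Words: 88, Lines: 40]
dev                     [Status: 200, Size: 2314, Words: 150, Lines: 71]
test                    [Status: 200, Size: 1203, Words: 88, Lines: 40]
staging                 [Status: 200, Size: 1203, Words: 88, Lines: 40]
vpn                     [Status: 301, Size: 178, Words: 6, Lines: 8]'

# most_common FIELD: value of FIELD (Size, Words or Lines) that occurs
# most often in the ffuf output read from stdin.
most_common() {
    sed -n "s/.*$1: \([0-9]*\).*/\1/p" \
        | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'
}

# suggest_filter FIELD: the matching filter flag (-fs, -fw or -fl) with
# the baseline value filled in, ready to append to the next ffuf run.
suggest_filter() {
    value=$(printf '%s\n' "$FFUF_OUTPUT" | most_common "$1")
    case "$1" in
        Size)  flag=-fs ;;
        Words) flag=-fw ;;
        Lines) flag=-fl ;;
        *)     echo "unknown field: $1" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$flag" "$value"
}

# survivors FIELD: the words that would remain after applying that
# filter, i.e. the responses that differ from the catch-all page.
survivors() {
    value=$(printf '%s\n' "$FFUF_OUTPUT" | most_common "$1")
    printf '%s\n' "$FFUF_OUTPUT" | grep -v "$1: $value[^0-9]" | awk '{print $1}'
}

suggest_filter Size   # -fs 1203
survivors Size        # dev vpn
```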
The tool also allows us to fuzz at any place from URL to HTTP Headers.
To fuzz a URL with a particular HTTP method just add the -X flag and specify the method.
For example, for fuzzing a URL with the POST method, use:
ffuf -w wordlist.txt -u http://<website>/FUZZ -X POST
Since ffuf can fuzz at any position, we can also fuzz the data sent in the body of the POST request.
ffuf -w wordlist.txt -X POST -d "username=admin&password=FUZZ" -u http://<website>/<login-page>
Here, the -d flag specifies the data sent with the POST request. FUZZ should appear only in the data in this case: ffuf replaces the keyword everywhere it occurs, so leaving FUZZ in the URL as well would fuzz both positions at once.
The FUZZ keyword can also sit in the middle of a path, for example to look for the same backup archive under every directory name in the wordlist:
ffuf -w wordlist.txt -u http://<website>/FUZZ/backup.zip
The tool can also be used to brute force login pages by using the -mode flag and choosing the attack type, clusterbomb or pitchfork. Both modes accept two wordlists: one for usernames and one for passwords.
- In clusterbomb mode every word in the username wordlist is tried with every word in the password wordlist. For example, with 4 words in list 1 and 5 in list 2 there would be 20 requests in total.
- In pitchfork mode, the first word of the username list is paired with the first word of the password list, the second with the second, and so on. If the lists are not the same length, the attack stops as soon as the shorter list is exhausted.
The -request flag specifies a file containing a raw HTTP request, and the keywords placed in that file are fuzzed accordingly.
To brute force a login form with a clusterbomb attack using such a request file:
ffuf -request req.txt -request-proto http -mode clusterbomb -w usernames.txt:HFUZZ -w passwords.txt:WFUZZ
In the request file, HFUZZ is placed at login_username and is fed from usernames.txt. Similarly, WFUZZ is placed at login_password and is fed from passwords.txt.
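The clusterbomb and pitchfork pairing described above, together with the HFUZZ/WFUZZ substitution into the request body, as an added example that is not from the blog; USERS, PASSWORDS and TEMPLATE are constructed stand-ins for usernames.txt, passwords.txt and the form line of req.txt.

```shell
#!/bin/sh
# Added example (not from the blog): enumerate the username/password
# combinations that -mode clusterbomb and -mode pitchfork would send, and
# show how HFUZZ/WFUZZ get substituted into the body of req.txt. USERS
# and PASSWORDS are constructed stand-ins for usernames.txt (4 entries)
# and passwords.txt (5 entries).
USERS='alice
bob
carol
dave'
PASSWORDS='pw1
pw2
pw3
pw4
pw5'
# The form line of req.txt as described above, with the two keywords.
TEMPLATE='login_username=HFUZZ&login_password=WFUZZ'
# clusterbomb: every user paired with every password (4 x 5 = 20).
clusterbomb() {
    printf '%s\n' "$USERS" | while IFS= read -r u; do
        printf '%s\n' "$PASSWORDS" | while IFS= read -r p; do
            printf '%s:%s\n' "$u" "$p"
        done
    done
}
# pitchfork: line N of USERS with line N of PASSWORDS; the run stops
# when the shorter list is exhausted (4 pairs here, pw5 is never sent).
pitchfork() {
    printf '%s\n--\n%s\n' "$USERS" "$PASSWORDS" | awk '
        /^--$/   { second = 1; next }
        !second  { users[++n] = $0; next }
        ++i <= n { print users[i] ":" $0 }'
}
# render USER PASS: the request body ffuf builds for one pair (values
# here contain no sed metacharacters).
render() {
    printf '%s\n' "$TEMPLATE" | sed "s/HFUZZ/$1/; s/WFUZZ/$2/"
}
# request_count MODE: how many requests that mode would issue; useful
# for estimating run time and the noise a defender will see in logs.
request_count() {
    "$1" | wc -l | tr -d ' '
}
request_count clusterbomb   # 20
request_count pitchfork     # 4
render alice pw1            # login_username=alice&login_password=pw1
```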
ffuf's edge over other tools in terms of speed comes largely from its being written in Go.
If you like this blog, consider following me on twitter https://twitter.com/darshanp4tel