The art of fuzzing is an important skill for any penetration tester or hacker to possess. The sooner you fuzz, and the more effective you are at doing it, the closer you come to achieving your goal, whether that means finding a valid bug or discovering an initial attack vector. A tool called ffuf comes in handy to help speed things along and fuzz for parameters, directories, and more.

What Is Fuzzing?

Fuzzing, or fuzz testing, is the automated process of providing malformed or random data to software to discover bugs. Typically, in terms of pentesting, a wordlist is used to iterate through values, and the results are observed and analyzed.

Fuzzing usually involves testing input: this can be anything from long runs of alphanumeric characters to find buffer overflows, to odd characters to test for SQL injection. Fuzzing is also commonly used to discover hidden directories and files and to determine valid parameter names and values.

We will be using Metasploitable 2 as our target and Kali Linux as our local machine to demonstrate ffuf's power at fuzzing.

Step 1: Install & Configure Ffuf

The only requirement to run ffuf is having Go installed, which can easily be done on Kali with the package manager.

~$ sudo apt install golang

Reading package lists... Done
Building dependency tree
Reading state information... Done
golang is already the newest version (2:1.14~2).
0 upgraded, 0 newly installed, 0 to remove and 17 not upgraded.

Next, grab the latest ffuf release from GitHub. At the time of writing, this is version 1.1.0. We can use wget to download it.

~$ wget https://github.com/ffuf/ffuf/releases/download/v1.1.0/ffuf_1.1.0_linux_amd64.tar.gz

--2020-08-27 11:36:41--  https://github.com/ffuf/ffuf/releases/download/v1.1.0/ffuf_1.1.0_linux_amd64.tar.gz
Resolving github.com (github.com)... 140.82.112.4
Connecting to github.com (github.com)|140.82.112.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/156681830/192d4700-cceb-11ea-97f4-adcd48470676?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200827%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200827T163641Z&X-Amz-Expires=300&X-Amz-Signature=493a4881a3e960fb7c29baa5ee999efe96bbb5414fd122355b1ec19fe65d1214&X-Amz-SignedHeaders=host&actor_id=0&repo_id=156681830&response-content-disposition=attachment%3B%20filename%3Dffuf_1.1.0_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
--2020-08-27 11:36:41--  https://github-production-release-asset-2e65be.s3.amazonaws.com/156681830/192d4700-cceb-11ea-97f4-adcd48470676?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200827%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200827T163641Z&X-Amz-Expires=300&X-Amz-Signature=493a4881a3e960fb7c29baa5ee999efe96bbb5414fd122355b1ec19fe65d1214&X-Amz-SignedHeaders=host&actor_id=0&repo_id=156681830&response-content-disposition=attachment%3B%20filename%3Dffuf_1.1.0_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.217.37.12
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.217.37.12|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3101002 (3.0M) [application/octet-stream]
Saving to: ‘ffuf_1.1.0_linux_amd64.tar.gz’

ffuf_1.1.0_linux_amd64.tar.gz                               100%[========================================================================================================================================>]   2.96M  5.74MB/s    in 0.5s

2020-08-27 11:36:42 (5.74 MB/s) - ‘ffuf_1.1.0_linux_amd64.tar.gz’ saved [3101002/3101002]

Now we need to extract the contents of the archive.

~$ tar xzf ffuf_1.1.0_linux_amd64.tar.gz

We should now have the ffuf executable in the current working directory, and we can run it with the dot-slash command.

~$ ./ffuf

Encountered error(s): 2 errors occured.
        * -u flag or -request flag is required
        * Either -w or --input-cmd flag is required

Fuzz Faster U Fool - v1.1.0

HTTP OPTIONS:
  -H               Header `"Name: Value"`, separated by colon. Multiple -H flags are accepted.
  -X               HTTP method to use (default: GET)
  -b               Cookie data `"NAME1=VALUE1; NAME2=VALUE2"` for copy as curl functionality.
  -d               POST data
  -ignore-body     Do not fetch the response content. (default: false)
  -r               Follow redirects (default: false)
  -recursion       Scan recursively. Only FUZZ keyword is supported, and URL (-u) has to end in it. (default: false)
  -recursion-depth Maximum recursion depth. (default: 0)
  -replay-proxy    Replay matched requests using this proxy.
  -timeout         HTTP request timeout in seconds. (default: 10)
  -u               Target URL
  -x               HTTP Proxy URL

GENERAL OPTIONS:
  -V               Show version information. (default: false)
  -ac              Automatically calibrate filtering options (default: false)
  -acc             Custom auto-calibration string. Can be used multiple times. Implies -ac
  -c               Colorize output. (default: false)
  -maxtime         Maximum running time in seconds for entire process. (default: 0)
  -maxtime-job     Maximum running time in seconds per job. (default: 0)
  -p               Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0"
  -s               Do not print additional information (silent mode) (default: false)
  -sa              Stop on all error cases. Implies -sf and -se. (default: false)
  -se              Stop on spurious errors (default: false)
  -sf              Stop when > 95% of responses return 403 Forbidden (default: false)
  -t               Number of concurrent threads. (default: 40)
  -v               Verbose output, printing full URL and redirect location (if any) with the results. (default: false)

...

Running it without any arguments will print the help information and some usage examples. Now let's say we wanted to be able to run this tool from anywhere. All we need to do is move ffuf to any directory in our path.

~$ sudo cp ffuf /usr/local/bin/

Now we can run it from anywhere without needing to have it in the current directory.

~$ ffuf -V

ffuf version: 1.1.0

The last step to get up and running is optional. Having a good set of wordlists is essential for any security professional, and there's a collection called SecLists that has just about anything you need. It's available on GitHub, but we can also install it locally on our machine with the package manager.

~$ sudo apt install seclists

Step 2: Perform Some Basic Fuzzing

At the most basic level, we can use ffuf to fuzz for hidden directories or files. There are tools like gobuster out there that are made for this specific purpose, but using something like ffuf has its use cases.

For example, let's say you're testing a website that has some kind of rate limiting in place. With other tools, it can sometimes be difficult to get them to go slower, and this is precisely where tools like ffuf come into play, since we can more finely control the rate and timing options. More on that later.

Simply provide a wordlist with the -w flag, the URL with the -u flag, and put the FUZZ keyword wherever we want the wordlist entries to be inserted.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]
config                  [Status: 301, Size: 319, Words: 21, Lines: 10]
docs                    [Status: 301, Size: 317, Words: 21, Lines: 10]
about                   [Status: 302, Size: 0, Words: 1, Lines: 1]
external                [Status: 301, Size: 321, Words: 21, Lines: 10]
favicon.ico             [Status: 200, Size: 1405, Words: 5, Lines: 2]
php.ini                 [Status: 200, Size: 148, Words: 17, Lines: 5]
index                   [Status: 302, Size: 0, Words: 1, Lines: 1]
robots                  [Status: 200, Size: 26, Words: 3, Lines: 2]
robots.txt              [Status: 200, Size: 26, Words: 3, Lines: 2]
instructions            [Status: 302, Size: 0, Words: 1, Lines: 1]
index.php               [Status: 302, Size: 0, Words: 1, Lines: 1]
logout                  [Status: 302, Size: 0, Words: 1, Lines: 1]
phpinfo                 [Status: 302, Size: 0, Words: 1, Lines: 1]
login                   [Status: 200, Size: 1289, Words: 83, Lines: 66]
phpinfo.php             [Status: 302, Size: 0, Words: 1, Lines: 1]
setup                   [Status: 200, Size: 3549, Words: 182, Lines: 81]
security                [Status: 302, Size: 0, Words: 1, Lines: 1]
:: Progress: [4658/4658] :: Job [1/1] :: 388 req/sec :: Duration: [0:00:12] :: Errors: 0 ::

You may notice the usage is very similar to wfuzz, so users of that tool will feel somewhat familiar with its operation.

After the nice little banner, we can see the request method, URL, and any other options that are set. When ffuf comes across something in the wordlist, it will give us the name of the file or directory, the HTTP status code, and some information about the size of the response (bytes, words, and lines).

We can also include any necessary cookies in our request using the -b flag.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -b "PHPSESSID=a4885a1d1802209109693054d94ae214; security=low" -u http://10.10.0.50/dvwa/FUZZ

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Header           : Cookie: PHPSESSID=a4885a1d1802209109693054d94ae214; security=low
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]

...

Along the same lines, we can include any custom headers we want with the -H flag.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -H "Host: 10.10.0.50" -u http://10.10.0.50/dvwa/FUZZ

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Header           : Host: 10.10.0.50
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]

...

Instead of sending the default GET request, we can also send POST requests. Use the -X flag to specify the request method, in this case POST, and include the body data for the request with the -d flag.

~$ ffuf -w /usr/share/seclists/Passwords/darkweb2017-top100.txt -X POST -d "username=admin&password=FUZZ&Login=Login" -u http://10.10.0.50/dvwa/login.php

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : POST
 :: URL              : http://10.10.0.50/dvwa/login.php
 :: Wordlist         : FUZZ: /usr/share/seclists/Passwords/darkweb2017-top100.txt
 :: Data             : username=admin&password=FUZZ&Login=Login
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

123abc                  [Status: 200, Size: 1289, Words: 83, Lines: 66]
123456789               [Status: 200, Size: 1289, Words: 83, Lines: 66]
123321                  [Status: 200, Size: 1289, Words: 83, Lines: 66]

...

We can use ffuf to fuzz for parameter names as well. Simply replace the parameter name in the query string with the FUZZ keyword.

~$ ffuf -w /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt -u http://10.10.0.50/dvwa/instructions.php?FUZZ=readme

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/instructions.php?FUZZ=readme
 :: Wordlist         : FUZZ: /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

!.htpasswd              [Status: 302, Size: 0, Words: 1, Lines: 1]
.AppleDouble            [Status: 302, Size: 0, Words: 1, Lines: 1]
.AppleDesktop           [Status: 302, Size: 0, Words: 1, Lines: 1]
.bak                    [Status: 302, Size: 0, Words: 1, Lines: 1]
!.htaccess              [Status: 302, Size: 0, Words: 1, Lines: 1]

...

Fuzzing for parameter values works the same way: keep the parameter name and put FUZZ in place of the value.

~$ ffuf -w /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt -u http://10.10.0.50/dvwa/instructions.php?doc=FUZZ

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/instructions.php?doc=FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

!.htpasswd              [Status: 302, Size: 0, Words: 1, Lines: 1]
.AppleDouble            [Status: 302, Size: 0, Words: 1, Lines: 1]
.AppleDesktop           [Status: 302, Size: 0, Words: 1, Lines: 1]
.bak                    [Status: 302, Size: 0, Words: 1, Lines: 1]
!.htaccess              [Status: 302, Size: 0, Words: 1, Lines: 1]

...

Step 3: Try the Filtering & Timing Options

Ffuf can perform matching and filtering, depending on what you want to see in the results. For instance, if we only wanted to see results with a 200 status code, we could use the -mc switch to match on that code.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -mc 200

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]
favicon.ico             [Status: 200, Size: 1405, Words: 5, Lines: 2]
php.ini                 [Status: 200, Size: 148, Words: 17, Lines: 5]
robots                  [Status: 200, Size: 26, Words: 3, Lines: 2]
robots.txt              [Status: 200, Size: 26, Words: 3, Lines: 2]

...

On the flip side, we can also filter out certain status codes using the -fc switch.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -fc 403

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 :: Filter           : Response status: 403
________________________________________________

README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]
config                  [Status: 301, Size: 319, Words: 21, Lines: 10]
docs                    [Status: 301, Size: 317, Words: 21, Lines: 10]
external                [Status: 301, Size: 321, Words: 21, Lines: 10]
favicon.ico             [Status: 200, Size: 1405, Words: 5, Lines: 2]
php.ini                 [Status: 200, Size: 148, Words: 17, Lines: 5]
about                   [Status: 302, Size: 0, Words: 1, Lines: 1]

...

This will hide any results with a 403 status code. Multiple codes for either matching or filtering can be used as long as they're comma-separated.

We can perform similar matching and filtering on response size and on the number of words or lines. For example, to filter out any results that come back with a response size of 0, do the following.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -fs 0

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 :: Filter           : Response size: 0
________________________________________________

.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]
config                  [Status: 301, Size: 319, Words: 21, Lines: 10]
docs                    [Status: 301, Size: 317, Words: 21, Lines: 10]
external                [Status: 301, Size: 321, Words: 21, Lines: 10]
favicon.ico             [Status: 200, Size: 1405, Words: 5, Lines: 2]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
php.ini                 [Status: 200, Size: 148, Words: 17, Lines: 5]

...

Ffuf has some additional features to control the timing of requests as well. To set a timeout for each individual request, use the -timeout option (the default is 10 seconds).

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -timeout 5

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 5
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]
config                  [Status: 301, Size: 319, Words: 21, Lines: 10]

...

We can also set a delay between each request with the -p flag. For example, to wait 2 seconds between requests, try the following.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -p 2

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Delay            : 2.00 seconds
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]

...

This is extremely useful in situations where rate limiting is in place, or when we don't want to hammer a site with requests.

Another useful feature is the ability to set a maximum time for ffuf to run. This is helpful when using a large wordlist and you don't want to wait around all day for it to finish. Use the -maxtime option followed by the number of seconds ffuf should run before exiting.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -maxtime 60

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]

...

If we want to run faster, we can raise the number of threads to use with the -t flag (the default is 40).

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -t 60

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 60
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]
.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
config                  [Status: 301, Size: 319, Words: 21, Lines: 10]

...

For simpler viewing in the terminal, we can use the -s flag to print only the found items and none of the other noise.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -s

.htpasswd
README
config
docs
external
favicon.ico
about

...

This is useful if we want to grep the output or feed the results into a script, not to mention that it's just a bit cleaner.

We can also save any results to a file using the -o switch.

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -o results.txt

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Output file      : results.txt
 :: File format      : json
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]

...

The default output format is JSON, but we can change that with the -of flag. For example, to save the results in HTML format, try:

~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.0.50/dvwa/FUZZ -o results.txt -of html

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.0.50/dvwa/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Output file      : results.txt
 :: File format      : html
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.htaccess               [Status: 403, Size: 297, Words: 22, Lines: 11]
.hta                    [Status: 403, Size: 292, Words: 22, Lines: 11]
.htpasswd               [Status: 403, Size: 297, Words: 22, Lines: 11]
README                  [Status: 200, Size: 4934, Words: 637, Lines: 120]

...
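As an added example (not part of the original tutorial or of the ffuf project), the script below reads the JSON file that -o writes and re-applies the matching and filtering from Step 3 (-mc, -fc, -fs, -fw, -fl) offline, so a saved run can be re-sliced without sending new requests; it also groups hits that share one response signature, which is the pattern -ac auto-calibration strips at run time. It assumes the ffuf 1.x JSON layout (a "results" array whose entries carry "input", "status", "length", "words" and "lines"), and the sample file is constructed from the DVWA numbers shown above.

```python
"""Re-slice a saved ffuf run (ffuf ... -o results.txt, default -of json).

Added example, not code from the tutorial or from ffuf itself. The JSON
field names used below follow the ffuf 1.x output layout as the author
recalls it; treat that as an assumption and check it against a real file.
"""
import json
from collections import defaultdict

# ffuf's default matcher, as printed on the ":: Matcher" line of every run.
DEFAULT_MATCH_CODES = frozenset({200, 204, 301, 302, 307, 401, 403})

# Constructed sample: the numbers mirror the DVWA results shown in the
# tutorial, wrapped in the structure ffuf writes for -o (assumed layout).
SAMPLE_JSON = """{
 "commandline": "ffuf -w common.txt -u http://10.10.0.50/dvwa/FUZZ -o results.txt",
 "results": [
  {"input": {"FUZZ": ".hta"},        "status": 403, "length": 292,  "words": 22,  "lines": 11},
  {"input": {"FUZZ": ".htpasswd"},   "status": 403, "length": 297,  "words": 22,  "lines": 11},
  {"input": {"FUZZ": ".htaccess"},   "status": 403, "length": 297,  "words": 22,  "lines": 11},
  {"input": {"FUZZ": "README"},      "status": 200, "length": 4934, "words": 637, "lines": 120},
  {"input": {"FUZZ": "config"},      "status": 301, "length": 319,  "words": 21,  "lines": 10},
  {"input": {"FUZZ": "docs"},        "status": 301, "length": 317,  "words": 21,  "lines": 10},
  {"input": {"FUZZ": "about"},       "status": 302, "length": 0,    "words": 1,   "lines": 1},
  {"input": {"FUZZ": "favicon.ico"}, "status": 200, "length": 1405, "words": 5,   "lines": 2},
  {"input": {"FUZZ": "php.ini"},     "status": 200, "length": 148,  "words": 17,  "lines": 5},
  {"input": {"FUZZ": "index"},       "status": 302, "length": 0,    "words": 1,   "lines": 1},
  {"input": {"FUZZ": "robots.txt"},  "status": 200, "length": 26,   "words": 3,   "lines": 2},
  {"input": {"FUZZ": "login"},       "status": 200, "length": 1289, "words": 83,  "lines": 66},
  {"input": {"FUZZ": "security"},    "status": 302, "length": 0,    "words": 1,   "lines": 1}
 ]
}"""


def load_results(text):
    """Parse ffuf JSON output into plain dicts holding only the fields we use."""
    doc = json.loads(text)
    hits = []
    for r in doc.get("results", []):
        hits.append({
            "word": r["input"].get("FUZZ", ""),  # wordlist entry that produced the hit
            "status": int(r["status"]),
            "size": int(r["length"]),
            "words": int(r["words"]),
            "lines": int(r["lines"]),
        })
    return hits


def select_hits(hits, mc=DEFAULT_MATCH_CODES, fc=(), fs=(), fw=(), fl=()):
    """Apply ffuf-style matching, then filtering.

    A hit is reported when its status code is in the matcher set (-mc) and
    none of the filters hit it: -fc status code, -fs size, -fw words, -fl lines.
    """
    fc, fs, fw, fl = set(fc), set(fs), set(fw), set(fl)
    kept = []
    for h in hits:
        if h["status"] not in mc:
            continue
        if h["status"] in fc or h["size"] in fs or h["words"] in fw or h["lines"] in fl:
            continue
        kept.append(h)
    return kept


def hit_words(hits):
    """Just the wordlist entries, in the order ffuf reported them."""
    return [h["word"] for h in hits]


def repeated_signatures(hits, min_count=3):
    """Group hits by (status, size, words, lines) and return signatures that
    recur at least min_count times. A catch-all handler that answers every
    path with the same page shows up as one large group; those entries are
    the ones to filter out (or to remove up front with -ac) before reading
    the rest of the list."""
    groups = defaultdict(list)
    for h in hits:
        groups[(h["status"], h["size"], h["words"], h["lines"])].append(h["word"])
    return {sig: ws for sig, ws in groups.items() if len(ws) >= min_count}


if __name__ == "__main__":
    hits = load_results(SAMPLE_JSON)
    print("only 200s    :", hit_words(select_hits(hits, mc={200})))
    print("without 403  :", hit_words(select_hits(hits, fc={403})))
    print("size != 0    :", hit_words(select_hits(hits, fs={0})))
    for sig, ws in repeated_signatures(hits).items():
        print("repeated signature", sig, "->", ws)
```

To use it on a real run, replace SAMPLE_JSON with the contents of the file ffuf wrote with -o and compare the repeated signatures against a request for a path that cannot exist.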

Wrapping Up

In this tutorial, we learned a bit about fuzzing and how to use a tool called ffuf to fuzz for directories, parameters, and more. First, we installed the tool and configured it to run on our system. Next, we covered some basic fuzzing, including fuzzing GET requests, POST requests, and parameters. Finally, we concluded with some filtering and timing options for more fine-grained control. Hopefully, you find ffuf as valuable as we do!


Cover image by Logan Kirschner/Pexels; screenshots by drd_/Null Byte