Fuzzing and Ffuf
Difference between Fuzzing and Crawling
The difference between fuzzing and crawling is that crawling starts with a seed and maps out a website by following its links. Where you can think of crawling as slowly following a trail to find everything, fuzzing is more like teleporting to a bunch of locations that might exist to see if they do. It is a way to brute force a list of candidate names to see which of them do or do not exist.
Here is a link to a helpful wordlist collection I will want to install in my VM: https://github.com/danielmiessler/SecLists
Fuzzing a Directory
ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ
In the command above, -w sets the wordlist we will be using and -u sets the URL we will be fuzzing.
We can also see that the wordlist has :FUZZ appended to it. This assigns the keyword FUZZ to that wordlist, so wherever we put FUZZ in the URL, ffuf replaces it with each value from our list.
Fuzzing for Webpages
Once you have some directories you can start fuzzing for the web pages inside them. You can find out which extension the pages use by fuzzing the extension, as you can see here:
ffuf -w /opt/useful/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://SERVER_IP:PORT/blog/indexFUZZ
As you can see, we fuzz the extension on index, since most directories will at least have an index page.
Once we know the extension we can then scan for possible pages with the following command:
ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php
Fuzzing Recursively
Fuzzing recursively allows you to dig deeper, in this case into subdirectories, with a command like the following:
ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v
-recursion tells ffuf that we want to do a recursive scan.
-recursion-depth 1 tells ffuf that we only want to go to a depth of one.
-e adds a comma-separated list of extensions. In this case we are only searching for pages ending in .php.
-v turns on verbose output.
Fuzzing Subdomains
ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.academy.htb/
Note: If you are fuzzing a locally hosted site you won't be able to find its subdomains by fuzzing them with ffuf this way, because if it cannot find FUZZ.academy.htb in the /etc/hosts file it will then go to public DNS records, which don't know about it. So you will have to do vhost fuzzing instead.
Vhost Fuzzing
Grabbing public subdomains is good and all, but if a subdomain is not public you might still be able to find it via vhost fuzzing.
ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'
We can see in the command above that we are setting the Host header with the -H flag followed by the string Host: FUZZ.academy.htb.
When we run this we will always get a 200 response back, so we have to look at the size of the response instead. To do that, run it for a second and see what the typical response size is; that is the size to filter out so only the differently sized (real) vhosts remain.
Filtering Results
You can filter results out or match only the ones you want. Run ffuf -h to see the available flags.
Parameter Fuzzing
GET Request Fuzzing
ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:31830/admin/admin.php?FUZZ=key -fs 798 -v
POST Request Fuzzing
ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
-X POST tells ffuf that we are making a POST request.
-d 'FUZZ=key' is the data we send with the request, with the parameter name being fuzzed.
-H 'Content-Type: application/x-www-form-urlencoded' is the header needed so the server reads that data as form values.
Value Fuzzing
for i in $(seq 1 1000); do echo "$i"; done > ids.txt
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
Then, once we have the right ID, we can call it with curl like so:
curl http://admin.academy.htb:31830/admin/admin.php -X POST -d 'id=73' -H 'Content-Type: application/x-www-form-urlencoded'
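The other side of all of the runs above is what they look like in a web server's access log. As an added example (not part of the original notes, and not ffuf's own code), the script below flags the three patterns these notes produce: a client hitting many distinct paths that answer 404 (directory and page fuzzing), a client sending many distinct Host headers to one server (vhost fuzzing, where every request gets a 200 so status codes don't help), and a client trying many distinct parameter names against one page (parameter fuzzing). The log format, the thresholds and every log line are assumptions constructed for this example; on a real server you would point the functions at the actual log and tune the thresholds to the site's normal traffic.

```shell
#!/bin/sh
# Added example, not from the original notes: spot ffuf-style fuzzing in a
# web-server access log. Log format is an assumption for this example:
#   CLIENT_IP  HOST  "METHOD PATH PROTO"  STATUS  BYTES
# All lines in SAMPLE_LOG are constructed.

SAMPLE_LOG='10.0.0.5 academy.htb "GET / HTTP/1.1" 200 798
10.0.0.5 academy.htb "GET /blog/ HTTP/1.1" 200 1532
10.0.0.5 academy.htb "GET /blog/index.php HTTP/1.1" 200 1532
10.0.0.9 academy.htb "GET /old HTTP/1.1" 404 196
10.0.0.9 academy.htb "GET /dev HTTP/1.1" 404 196
10.0.0.9 academy.htb "GET /images HTTP/1.1" 404 196
10.0.0.9 academy.htb "GET /uploads HTTP/1.1" 404 196
10.0.0.9 academy.htb "GET /config HTTP/1.1" 404 196
10.0.0.9 academy.htb "GET /config HTTP/1.1" 404 196
10.0.0.9 academy.htb "GET /blog HTTP/1.1" 301 0
10.0.0.12 www.academy.htb "GET / HTTP/1.1" 200 798
10.0.0.12 mail.academy.htb "GET / HTTP/1.1" 200 798
10.0.0.12 dev.academy.htb "GET / HTTP/1.1" 200 798
10.0.0.12 test.academy.htb "GET / HTTP/1.1" 200 798
10.0.0.12 admin.academy.htb "GET / HTTP/1.1" 200 1041
10.0.0.21 admin.academy.htb "GET /admin/admin.php?user=key HTTP/1.1" 200 798
10.0.0.21 admin.academy.htb "GET /admin/admin.php?id=key HTTP/1.1" 200 1021
10.0.0.21 admin.academy.htb "GET /admin/admin.php?page=key HTTP/1.1" 200 798
10.0.0.21 admin.academy.htb "GET /admin/admin.php?token=key HTTP/1.1" 200 798'

# Clients that requested at least $1 distinct paths answering 404: the
# server-side signature of a wordlist being thrown at /FUZZ. A path that
# misses twice only counts once. Reads the log on stdin.
path_fuzzers() {
    awk -v thr="$1" '
        $6 == 404 && !(($1, $4) in seen) { seen[$1, $4] = 1; n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }' | sort
}

# Clients that sent at least $1 distinct Host headers. This is what
# -H "Host: FUZZ.academy.htb" looks like from the server: the status is 200
# every time, so the number of distinct hosts per client is the signal.
vhost_fuzzers() {
    awk -v thr="$1" '
        !(($1, $2) in seen) { seen[$1, $2] = 1; n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }' | sort
}

# Clients that tried at least $1 distinct query-parameter names on a path,
# the GET-parameter fuzzing pattern (admin.php?FUZZ=key).
param_fuzzers() {
    awk -v thr="$1" '
        index($4, "?") {
            split($4, parts, "?"); path = parts[1]
            nq = split(parts[2], pairs, "&")
            for (i = 1; i <= nq; i++) {
                split(pairs[i], kv, "=")
                key = $1 SUBSEP path SUBSEP kv[1]
                if (!(key in seen)) { seen[key] = 1; n[$1]++ }
            }
        }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }' | sort
}

# Run all three checks over the constructed log and label the findings.
report() {
    printf '%s\n' "$SAMPLE_LOG" | path_fuzzers 5  | sed 's/^/path fuzzing:  /'
    printf '%s\n' "$SAMPLE_LOG" | vhost_fuzzers 4 | sed 's/^/vhost fuzzing: /'
    printf '%s\n' "$SAMPLE_LOG" | param_fuzzers 3 | sed 's/^/param fuzzing: /'
}

report
```

Each function prints one line per flagged client (IP and count), so the same checks can be chained into a cron job or log pipeline; the vhost check is the one worth keeping even on small sites, since those requests all succeed and never show up in a 404 count.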