ffuf stands for Fuzz Faster U Fool and it’s a tool written in Golang used for web enumeration, fuzzing, and directory brute forcing.
Let’s find out how ffuf works in our daily #FromZeroToHacker challenge.
Table of contents
- Introduction
- What have I learnt today?
- Stats
- Resources
Introduction
ffuf stands for Fuzz Faster U Fool (yeah, I know…) and it’s a tool written in Golang used for web enumeration, fuzzing, and directory brute forcing.
ffuf is mainly used in the enumeration (reconnaissance) phase of the pentesting lifecycle, where it finds the content, parameters and hosts that later exploitation builds on, and it is one of the fastest open-source web fuzzers available to us.
What have I learnt today?
Installing ffuf
ffuf comes pre-installed on Linux distributions such as Pentoo, BlackArch, Kali Linux and Parrot. If your OS doesn't ship it, you can build it from source with git clone https://github.com/ffuf/ffuf ; cd ffuf ; go get ; go build (or, with a recent Go toolchain, go install github.com/ffuf/ffuf/v2@latest), or install it with brew install ffuf if you are using macOS.
Install SecLists
SecLists is a collection of lists used during security assessments, including usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells and more.
If they aren't already included in your Linux distribution, you can deploy them manually with git clone https://github.com/danielmiessler/SecLists.git, or with apt -y install seclists in Kali Linux.
Basics
ffuf has loads of options. You can memorise all of them, sure, but it is better to just run ffuf -h to view the help page.
We have many flags, but at minimum we need -u and -w to supply the target URL and a wordlist. The keyword FUZZ marks the place where each wordlist entry is injected; it can sit anywhere in the URL, a header or the request body.
ffuf -u http://<TARGET_IP>/FUZZ -w <WORDLIST>
ffuf -u http://10.10.236.61/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
Finding pages and directories
We can enumerate files with a file-oriented wordlist such as raft-medium-files-lowercase.txt:
ffuf -u http://<TARGET_IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt
We can also discover which extensions the server uses. Fuzzing an extension wordlist against every possible path generates a lot of irrelevant results, so it is better to anchor it on a file we know exists. Let's say we want to find the index files: we append the FUZZ keyword right after the index word and let the wordlist supply the extensions.
ffuf -u http://<TARGET_IP>/indexFUZZ -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt
Now we only get the files that start with the index word, in this case index.php. (ffuf can also append a list of extensions to every wordlist entry for you with -e, for example -e .php,.html.)
We can also search for directories (note that this wordlist has directories in its name):
ffuf -u http://<TARGET_IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
Using filters
Remember the file-enumeration command from before?
ffuf -u http://<TARGET_IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt
We got a lot of output, but little of it was useful. For example, a 403 HTTP status code means that access to that path is forbidden. Let's hide responses with a 403 status code with -fc 403 (filter code):
ffuf -u http://<TARGET_IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fc 403
Cleaner, but we still get other status codes, such as 302 (Found, a temporary redirect). We could filter 302 along with 403, and many others, but if we only want to see 200 responses we can use -mc 200 (match code) instead, so that only those pages are shown:
ffuf -u http://<TARGET_IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -mc 200
Sometimes we get empty files (responses with a body size of 0). We don't want them, so let's filter them out by size with -fs 0 (filter size):
ffuf -u http://<TARGET_IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fs 0
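To pick sensible values for -fs, -fw and -fl you need to know how ffuf measures a response: Size is the number of bytes in the body, Words is the body split on single spaces and Lines is the body split on newlines, so Words and Lines are one more than the number of spaces and newlines (not what wc -w or wc -l report). The shell functions below are an added example, not code from the original post or from ffuf itself: they reproduce those three counters for a constructed baseline 404 body and print the filter flags that would hide every response looking like it. Run your real target's junk response through them, or let ffuf work the baseline out for you with -ac (auto-calibration).

```sh
#!/bin/sh
# Reproduce ffuf's Size / Words / Lines counters for a response body so the
# right -fs / -fw / -fl values can be chosen. Added example, not ffuf's code.
# ffuf measures: Size = bytes, Words = len(split(body, " ")),
# Lines = len(split(body, "\n")).

ffuf_size() {
    # Bytes in the body (same as ffuf's Size column).
    printf '%s' "$1" | wc -c | tr -d ' '
}

ffuf_words() {
    # ffuf splits on single spaces: Words = number of spaces + 1.
    # An empty body therefore has Words = 1, not 0.
    spaces=$(printf '%s' "$1" | tr -cd ' ' | wc -c)
    echo $((spaces + 1))
}

ffuf_lines() {
    # ffuf splits on "\n": Lines = number of newlines + 1.
    newlines=$(printf '%s' "$1" | tr -cd '\n' | wc -c)
    echo $((newlines + 1))
}

suggest_filters() {
    # Print the ffuf flags that would hide every response matching the baseline.
    printf '%s\n' "-fs $(ffuf_size "$1") -fw $(ffuf_words "$1") -fl $(ffuf_lines "$1")"
}

# Constructed baseline: what a target returns for an unknown page or parameter.
BASELINE='<h1>Not Found</h1>
<p>No such page.</p>'

suggest_filters "$BASELINE"   # -fs 39 -fw 4 -fl 2
suggest_filters ""            # -fs 0 -fw 1 -fl 1 (empty body: use -fs 0, never -fw 0)
```

The empty-body case is the one that bites in practice: because ffuf's split always yields at least one element, a blank response still counts as one word and one line, so -fs 0 is the only filter that reliably hides it.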
Fuzzing parameters
Sometimes we find an API endpoint but don't know which parameters it accepts. If we did, we could try file inclusion, path disclosure, XSS, SQLi, command injection and more. Time for more fuzzing then!
ffuf -u 'http://<TARGET_IP>/sqli-labs/Less-1/?FUZZ=1' -c -w <WORDLIST> -fw 39
P.S.: we use -fw 39 to filter out responses with Words: 39, because when the server doesn't recognise the parameter it returns an error page with exactly that word count. The number is target-specific: run once without the filter, note the count shared by the repeated junk responses, then filter it out (or let ffuf detect it with -ac).
[Screenshot: example without filtering] [Screenshot: example with proper filtering]
Good, now we know that id is a valid parameter. Let's try some id values, for example from 0 to 255, feeding the numbers to ffuf through stdin with -w -:
seq 0 255 | ffuf -u 'http://<TARGET_IP>/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
We can also use ffuf for wordlist-based brute-force attacks against login forms, sending the form fields with -X POST and -d. For example, let's try to find Dummy's password, filtering out the 1435-byte response that every failed login returns:
ffuf -u http://<TARGET_IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
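One caveat with -d: ffuf substitutes each wordlist entry into FUZZ verbatim, so a password containing &, = or + would be mis-parsed by the server as a form delimiter, and any fixed field with special characters has to be percent-encoded when you write the body by hand. The helpers below are an added example, not part of the original post or of ffuf: they percent-encode a value for an application/x-www-form-urlencoded body and encode a wordlist line by line so it can be piped to ffuf -w -. The Dummy user and the Less-11 URL come from the command above; the sample wordlist is constructed (it is not hak5.txt). Recent ffuf releases (2.x) can also do the encoding themselves with -enc 'FUZZ:urlencode'.

```sh
#!/bin/sh
# Percent-encode values for an application/x-www-form-urlencoded body before
# handing them to ffuf, which inserts FUZZ values verbatim. Added example.

urlencode() {
    # Encode every byte outside the unreserved set (RFC 3986) as %XX.
    # Assumes ASCII input; with LC_ALL=C each character is a single byte.
    LC_ALL=C
    s=$1
    out=''
    while [ -n "$s" ]; do
        rest=${s#?}          # everything after the first character
        c=${s%"$rest"}       # the first character itself
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
        s=$rest
    done
    printf '%s\n' "$out"
}

encode_wordlist() {
    # Read candidate passwords on stdin and emit them percent-encoded, one per
    # line, skipping blank lines and '#' comment lines (the lines ffuf -ic ignores).
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        urlencode "$line"
    done
}

post_body() {
    # Build the -d payload for a fixed username; FUZZ stays literal for ffuf.
    printf 'uname=%s&passwd=FUZZ&submit=Submit\n' "$(urlencode "$1")"
}

# Constructed sample wordlist: the '&', '=' and space entries would corrupt
# the request body if sent raw.
SAMPLE_LIST='# top passwords (comment line, must be dropped)
password1
p@ss word
a&b=c'

post_body 'Dummy'                               # uname=Dummy&passwd=FUZZ&submit=Submit
printf '%s\n' "$SAMPLE_LIST" | encode_wordlist  # password1 / p%40ss%20word / a%26b%3Dc

# Real usage against the lab (not run here):
#   printf '%s\n' "$SAMPLE_LIST" | encode_wordlist | ffuf -u http://<TARGET_IP>/sqli-labs/Less-11/ \
#       -w - -X POST -d "$(post_body Dummy)" -H 'Content-Type: application/x-www-form-urlencoded' -fs 1435
```

Encoding before the pipe also means the -fs baseline stays meaningful: a raw & in a candidate would make the server see an extra form field and answer with a differently sized page, which you would then misread as a hit.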
Finding vhosts and subdomains
While not as efficient as dedicated tools, we can also enumerate subdomains. Put the FUZZ keyword in the host part of the URL; this only works against a domain name, since FUZZ.<IP> does not resolve:
ffuf -u http://FUZZ.<TARGET_DOMAIN> -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
For virtual hosts served from a single IP, keep the IP in -u and fuzz the Host header instead with -H 'Host: FUZZ.<TARGET_DOMAIN>', filtering out the size of the default site. But to be honest, it's better to use tools specialised in that.
Reviewing the options
ffuf has many options that you'll discover over time and add to your toolbox. For example, -ic ignores comment lines in wordlists (headers, copyright notes and the like), so they are not sent as requests:
ffuf -u http://<TARGET_IP>/FUZZ -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -fs 0
We have only reviewed a small part of all the useful features and options that ffuf has. Remember that you can view all of them with the ffuf -h command.
Summary
Today we have learnt:
- ffuf command-line syntax.
- How to find pages, directories, vhosts and subdomains.
- Using filters.
- Fuzzing parameters.
- Many ffuf optional flags.
Stats
From 51.850th to 50.660th.
Here is also the Skill Matrix:
Resources
Random Room
Other resources
Installing ffuf
Installing SecLists
HTTP status codes
Subdomain enumeration