Fuzzing & Directory Brute-Force With ffuf

Captions
Hey guys, HackerSploit here, back again with another video. In this video we're going to be taking a look at how to use ffuf (or "fuff", I'm not really sure how to pronounce it, but there you are). The way I'm going to be approaching this is by utilizing a TryHackMe room that's been set up to explain how this tool works and how it can be used for enumeration, fuzzing and directory brute forcing. It really is a great room and I recommend checking it out. This is a tool that's sort of the new kid on the block when it comes down to fuzzing and directory brute forcing. I've also been implementing it into my own pen tests and stuff like that just to get a feel for it, and it really is a fantastic tool. It really is an all-in-one tool that I haven't been able to find so far when it comes down to fuzzing, directory brute forcing, etc. You typically utilize various tools to do each of these tasks, but in the case of ffuf (I'm just going to be calling it that) it really integrates all of these key pieces of functionality in one, and I think it does it really, really well. That being said, let's actually get started.

In order to get started you're going to need to install the tool. If you're not familiar with what ffuf stands for, it stands for "Fuzz Faster U Fool", so we have these creative names once again. As it says here, it's a tool used for web enumeration, fuzzing and directory brute forcing. It is already included in the repositories for these pen testing distributions, so BlackArch, Pentoo and Kali, and you can also search Repology for other distributions. You also require SecLists to actually follow along with this particular room; I just want to make sure that that is as clear as possible. In any case, if you are a pen tester you are using SecLists to a certain degree, because it really is an awesome collection of word lists. The link to that is provided here; I believe we can actually check that out. Yep, these are the installation instructions for the word lists; you can actually check them out. Fantastic. I highly recommend using this particular collection of word lists, as they are really, really helpful for every aspect of pen testing, whether you're doing web app pen testing or pen testing generally speaking, etc.

So you can install ffuf on Kali by typing in "sudo apt-get install ffuf". Let me just paste in my password. I already have it installed, as you can probably tell. There we are, so we have that installed; let's actually confirm that. Yes, we have it installed. I also have SecLists installed; you can also install SecLists on Kali by using the aptitude package manager, and that should be done. All right, cool.

So let's move on to the basics. The help page can be displayed using "ffuf -h", and it'll be useful as we will be using a lot of options. So let's actually do that and get a feel for the tool we're going to be utilizing. As you can see it's quite a comprehensive help menu here, and it's sorted out really, really well: it's sorted into categories. So when you're dealing with HTTP options, these are the various options you can utilize, and we'll get to them when we get there. We then have general options, things like verbose output or colorizing output, which I use quite often. We also have the matcher options, which is a filter for when you'll be filtering through your actual content, and you also have your filter options. So match options essentially match the results that you actually want displayed; in this case you can match regular expressions, HTTP status codes and the HTTP response size, which is also very helpful. Then your filter options allow you to filter HTTP status codes from the response; you can also filter regular expressions, etc. Then you have your input options and your output options, so you can output your results to a particular file. It also gives you example usage here.

So let's actually take a look at the instructions here that we're provided with. We need to deploy the machine; I've already done that, and we have the IP here. It's going to say at a minimum we're required to supply two options: the -u (URL) option and the -w option, which allows you to specify a word list; that's quite important. Then the default keyword for fuzzing is FUZZ, and it's used to tell ffuf where the word list entries will be injected. So if you're performing directory brute forcing you typically provide the keyword here under the directory that you want to fuzz; if it's at the root of the web server, then you just provide it here, and then the word list you can provide as it does there. So again, using this is fairly simple. Let me just make sure I've copied the URL. So if I say ffuf and then -u, paste in the IP. I'm just going to say this is HTTP because we actually confirmed that it is running a web server, most likely. Let's see whether that is the case. Yeah, we can see it's running Damn Vulnerable Web Application. So we can fuzz the root of the web server here; we'll just say FUZZ for either directories or files. Then we can say -w and then /usr/share/seclists/ and of course Discovery/Web-Content. Now it says it's actually utilizing the raft word list, I believe; well, actually in this case it's utilizing the big.txt word list, so we can actually use that. So we can say big.txt, we hit enter, and it's going to begin performing directory and file brute forcing here. This tool is written in Go, so it's very similar to Gobuster (although I know I'm going to get a lot of flak for saying that), but it works very similarly in that you can specify the amount of threads you want to use. Of course it provides you with relevant information as to the parameters that you specified. So for example, the method it's using is GET, the URL, the word list, follow redirects is set to false, which means it's disabled, calibration is set to false, the default timeout is set to 10 seconds, the default threads have been set to 40, and the matcher is going to display the following response codes: 200, 204, 301, 302 and so on and so forth, but no 500 status codes, or response codes as it were.

So in this case you can see it begins the process here, and it's going to take a while depending on the amount of threads you're using and the size of the word list that you're using. We're already able to start discovering directories here. So for example the config directory: if we try and access that, it looks like it's redirecting, but that tells me that this is a directory. There we are, we can see that that is the case; we have the config.inc file here, and so on and so forth. So immediately we get the hidden directories and files. Let me just terminate that there and let's take a look at the instructions it provides us with here. That's the first option here. It also tells you that you can use any custom keyword instead of FUZZ; you just need to define it like this. So instead of providing FUZZ here, we can specify our own custom keyword; in this case the keyword specified here is noradj, and then the word list is specified there, and then we can specify that we are using our custom keyword by using a colon and then specifying the keyword to actually match. So that would look something like this. Let me just clear out my output here. If I wanted to set the keyword where we're going to be injecting the words from the word list, for example I can say "here", and then of course at the end of the word list we just use a colon and then we say "here". We hit enter and we'll pretty much get the same results that we did when we used the default keyword, which was FUZZ. All right, cool.

So I'm just going to let this run. The reason I'm doing that is because it looks like we need to provide the answer to "what's the first file you found with the 200 status code?" If we take a look at the results here we don't have any 200 status codes yet. So again, you can either do it this way or you can do it using the default keyword; I'm just going to do it using the default keyword, just so that we have a standardized setup here, and if you're following along you can actually do this. So again, I'm just going to wait for this to actually provide me with my first result that does have the status code of 200, so I'm just going to let that complete. All right, so it looks like we got our first result with the status code 200, and that is favicon.ico, so it's actually the favicon itself for the website. So we say favicon.ico, we hit enter, there we are, the answer is correct, and we can move on to the next task.

As it says, this is going to involve finding pages and directories, so this is directory brute forcing. In this case it's essentially giving you an introduction to finding hidden files and directories, and it says here you need to actually utilize the correct word list in either case. So for example, if we're trying to find a generic list of hidden files on the target web server, then we can use the raft-medium-files-lowercase.txt word list. What we'll do is actually do that right now. So I'll just terminate that and we'll head over here: Web-Content, and we're then using raft; I just want to make sure that that is correct. That is raft-medium-files-lowercase.txt. We hit enter, and you can now see it's only going to give us files, because the word list only contains files with their relevant extensions. So in this case we have a few 200 status codes here, for example login.php, and let's see, robots.txt we were also able to find, and so on and so forth.

Let's take a look at what this is actually telling us here. It's going to say "however, using a large generic word list containing irrelevant file extensions is not very efficient". That's very true, and it says instead we can assume that index.extension is the default page on most websites. So it's essentially saying every website has an index page, whether it's index.php, index.html, index.asp, etc., and we can try common extensions for just the index page to determine what programming language or languages the site uses. So what this is saying here is primarily to do with enumeration, and more specifically web server enumeration, in that you're trying to identify what stack is being used here: is it running PHP, is it running the LAMP stack, is it running Microsoft's web server, etc. In order to do this we can use the web-extensions.txt word list. So let me just head over into my terminal here, and if I just list out the contents of the file here: /usr/share/seclists/Discovery/Web-Content, and then we're looking for the word list; let me just make sure that is correct: web-extensions.txt. Sorry, I actually wanted to cat that, my bad; let me just head over there. There we are. If I cat that out you can see that this file contains a list of extensions that again can be used to identify what stack is being used on the web server. So you have .asp for Microsoft web servers, the same goes for .aspx; we also have .cgi, .dll, .exe, .htm, .html, and so on and so forth, you get the idea. We also have .php. So we can use this to identify what stack is running.

The way we can do this is simply by fuzzing the index page and then providing the FUZZ parameter, and of course we're not providing a dot here before we provide the actual keyword. The reason we're doing that is because this word list already contains the dots as a prefix to the actual extension. So what this means is, if I just head over into the first command here, we'll say web-extensions.txt for the word list, and if we head over here we can say indexFUZZ. So indexFUZZ, we hit enter, and in this case it pretty much tells us with quite a lot of certainty that this is a LAMP stack, because we have .php running here, and .phps, that's the other extension. But we're running PHP, so that is fairly simple; we're already able to identify that, given the fact that it's running Damn Vulnerable Web Application and we were able to tell that it is PHP here, because the login page it redirected us to was a PHP file. So that's fairly simple, but it can be very useful.

As it says right over here, it provides us with the instructions there. It's going to say now that we know the extensions supported, we can try a list of generic words without an extension and supply the extension we know works. So what this means is we can exclude .php from the results and see what other files we can find with other extensions. As it says here, we'll exclude four-letter extensions from this word list, as it will result in many false positives. So we can fuzz the root of the web server and then use the raft-medium-words-lowercase word list, and then exclude .php and .txt files, because we already know that it's running PHP, and we're excluding these results to find other files here. So that can be done, again, if we just head back over here: we are using raft-medium-files, I believe that's the case; raft-medium-words instead of files, so raft-medium-words-lowercase.txt. We're then going to exclude .php and then .txt. We hit enter and that's going to exclude them; let's see whether that actually is the correct syntax there. There we are, we'll exclude the four-letter extensions. In this case it looks like it's still displaying that here. Let's see: "directory names are almost always not dependent on the type of environment you're enumerating; it's often a good starting point before attempting to fuzz for files. If we wanted to fuzz directories, we only need to provide a word list." Did I provide that correctly? Looks like I did. Let's see whether the arguments here were actually provided correctly: .php,.txt, yup, that is the case here. In this case it's still showing us status codes here that are again not really useful; however, we'll get to status codes in a few seconds. Right, so as it says here we need to perform some directory brute forcing, so let's actually do that now. I'm just going to terminate this here. So raft-medium-directories-lowercase; we'll get rid of the exclude option there; raft-medium-directories, and then that is lowercase.txt. We're going to fuzz that now to find directories. So there we are, we have docs, config, so this will provide us with the actual directories, which again have the status code of 301, which is a redirect, which pretty much means that they work regardless of whether we may have the permission to view them or not, as is the case if directory indexing has been enabled or disabled.

So as for the text file that we did find, let's take a look at the results here. We were able to find, let's see, robots.txt was one of them, I believe. There we are, so if we type in robots.txt and hit submit, there we are, that is correct. "What file extensions were found for the index page?" That was .php and .phps. Hit submit, that is correct. "What page has a size of 4840?" So let's take a look at the results here; we identified it here, it's about.php, so we type in about.php, we hit submit. Then it's going to ask us, as it says here, "how many directories are there?" So if we take a look at the directory brute force we can see there are four or five, I believe; we have a blank directory here for some reason, but let's try five. Let's see whether that will work. No. Do we have four directories? Yep, that is correct, my bad. So we have four directories there, and we're pretty much done with task three.

So now we are going to be using filters. This is where things start getting interesting. The reason why filters are so important when it comes down to directory brute forcing or fuzzing is because it's going to output a lot of results that might not be applicable to you or might not be useful. So for example, a 403 HTTP status code indicates that we're forbidden to access the requested resource. Let's hide responses with 403 status codes for now; we can accomplish this by using filters. So -fc stands for filter code; that'll essentially filter out the actual code there, which we can change to 200, 403, any HTTP status code that we want to filter. We can actually use that here. So let's actually do that now. If we say raft-medium, let's use the word list that it's actually recommending here, files-lowercase instead of directories; we're using files now. Yeah, that is correct, and then we say the filter code here is -fc 403, so we're filtering any responses with the HTTP response code 403. We hit enter. All right, as you can see it tells you here the filter is 403, and now it only displays results that do not include any response with the response code 403. So we have 200 and 302, which are expected, as I said, and yep, that looks to have cleaned up the results much, much better. But as I said, we don't want to actually filter 403, because in many cases you typically want to limit results that really aren't useful at all. So as you can see it says here, sometimes you might want to filter out multiple status codes such as 500, 302, 301, etc. So if we only want to display status codes or HTTP response codes for, maybe, 200, for example, which is the actual successful response code, then we can match the code to 200 and then essentially get rid of any other response codes, or any of the results with response codes that don't match 200. That can be done by saying, instead of -fc, match code: -mc 200. We hit enter, and as you can see, it's only going to display files that match the HTTP response code of 200.

There we are; as you can see, we now have a much cleaner and much more accurate list of results to work with in regards to what we can access already, and these of course are going to be limited to files. You can do the same for directories; however, as you know, directories will typically have a redirect, and in many cases if we don't have permission to a directory we'll get a 400 response code, which doesn't mean that it doesn't exist; it means that we don't have permission to access it. So you want to be very careful with your filter and match codes. All right, cool.

So as it says here, sometimes it might be beneficial to see what requests the server doesn't handle by matching HTTP 500 Internal Server Error response codes. That can be used to find, as it says, irregularities in the behavior of the web application that could help you understand how the web application works. We will not actually take a look at that, because you simply need to change to, or use, the match code 500 option here. It then goes on to say there are many other filters and matchers; for example, you could encounter entries with a 200 status code with a response size of zero, so for example functions.php, or under the inc directory, myfile.php. So we can again perform fuzzing under a different directory and then filter the response codes there, as it actually does here. So the way this would work (and of course this is relative to Apache and PHP): let me actually just change that to filter code 403, and then we're still using files, or performing file brute forcing here. We can say this is under config, and then we fuzz that, but under that particular directory. So we can hit enter, and let's see what we're supposed to do now. We're just going to wait for this to complete enumerating. You can see we're able to detect the config.inc.php file, which we were able to discover by manual enumeration as we did within the web browser, but we can also do it this way. It's going to say here "unless we have a local file inclusion, these kinds of files aren't interesting", which is true, so we can use the filter size of zero. So if we take a look at the filter options, we can also filter HTTP response sizes, in order to limit the results to files that contain data, as opposed to files that are empty or don't have any content that is beneficial to us. So as it says here, we often see that there are false positives with files beginning with a dot, so .htgroups.php, etc. They throw a 403 Forbidden error; however, those files don't actually exist. It's tempting to use the filter code 403, but this could hide valuable files that we don't have access to, so instead we can use a regular expression to match all files beginning with a dot. So again, that can be quite useful. We can use the filter, as it says right over here, the filter regular expressions option, -fr, and then specify the regular expression; in this case the regular expression filter is limiting the results to files that begin with a dot. So we can actually replicate this: raft-medium-files-lowercase, let's do that, there we are, and then filter regex, and we hit enter there. Let me just head over here and let me get rid of the config folder. There we go, and in this case you can see that it'll actually, as we already did here, filter the output. Let's actually take a look at the results here. There we are, filter regex, or use the regex filter here, and in this case, as it says right over here, we can use the regular expression to match all files beginning with a dot, and of course we can also utilize the response codes to only limit it to response codes like 200 or any other response codes that you want.

All right, so let's take a look at the actual question. It's going to say "after applying the -fc filter (the filter code filter), how many results were returned?" So let's actually take a look at that right now, under the -fc option. How many results? Probably just one, I guess. Let's see if that's correct. That's incorrect, so I guess that is for the directories instead of files. Let's take a look at that here: -fc, files. There we are; let's take a look at what is displayed here. How many results were returned? 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, so about 11 I guess. Let's hit submit, there we are, that's correct. "After applying the -mc filter, how many results were returned?" So match code; in this case it looks like 1, 2, 3, 4, 5, 6. Let's see if that is correct. That is correct, there we are. "Which valuable file would have been hidden if we used filter code 403 instead of the filter regex option?" So if we take a look at filter code 403, we were able to find config.inc.php, but when we used the regex filter here we were able to identify wordpressforum.phps, I think that's the file there. Let's copy the file name, paste it in there, hit submit; that is correct. All right, excellent, so that is the fourth task, which deals with using filters.

So now let's take a look at fuzzing parameters, and in this case it looks like we need to deploy the new machine. So I'm just going to terminate the old one, start the new machine and wait for that to assign an IP, and then we can begin with the next task. All right, so the new machine has been started, and it's actually highlighted this, but it says for this task we'll be looking at parameter fuzzing. This is where things get really interesting, and this is why I really like ffuf as a tool, because it's really been quite intuitive when it comes down to parameter fuzzing. So it says this is the base URL we will be fuzzing. If I just copy that there and open that up here, let me just paste that there. We want to access sqli-labs; it looks like this is a vulnerable... there we are, sqli-labs, and well, that's actually not it; we're looking for lesson one, I believe. Lesson one, there we go. So this looks like a vulnerable web application that is there to teach you SQL injection. As it says, "please input the id as parameter with numeric value". So what this means is if we say id=1, that should dump the username and password for the user; in this case the username is Dumb and the password is Dumb. Okay, I'm not that dumb, but let's try another id here, let's try id=10: we get the login name as admin2 and the password admin2. So this is a very simple web application that's there to teach you SQL injection; in this case it's error-based injection, so we're going to be using ffuf to perform endpoint fuzzing, or parameter fuzzing rather. It says "what would you do when you find a page or an API endpoint but don't know what parameters are accepted?" Well, of course you fuzz. Now you can do it manually, like I did, which again, as it says, I'm kind of dumb in that regard, but this is where we can actually see the power of ffuf (or "foof", if that's what you want to call it). "Discovering a vulnerable parameter could lead to file inclusion, path disclosure, cross-site scripting, SQL injection or even command injection." In this case we know we're working with SQL injection. So now that we have that in mind, it essentially provides us with how we can go about performing parameter fuzzing. We can fuzz the actual name of the parameter in order to discover it; in our case we already know it's id, but we can do that anyway.

So again, we provide the FUZZ keyword in the place of the actual parameter that we want to identify, because different websites and servers are using different web applications and the parameter name is going to be different; it might not be id, it could be something else. Then we use burp-parameter-names, and we're also using a filter here which I'll take you through in a second. So let's actually do this. What I'm going to do is copy the actual URL here; there we are, I'll just copy it to that point, we'll not copy the parameter and the actual id, and then we'll open up our terminal here: ffuf, and we're specifying the URL, we want to encapsulate this in single quotes, and then we say Less-1, we want to fuzz that parameter, and then we provide the actual value here, which in this case for the test will just be 1. Then we can provide a word list; in this case it actually colorizes the output, so we use the -c option, and then the word list is going to be /usr/share/seclists/ and Web-Content, well, not Web-Content but Discovery/Web-Content, and then burp-parameter-names. Let me just take you through the actual filter that we're using here. If I say ffuf and open up the help menu, and we take a look at the filter options, if I can actually display that here, there we have the filter options: -fw, this will filter by amount of words in the response. So in this case it's saying let's use 39; we can use the default option there, and this will depend on the web application that you're testing. So -fw 39, and I believe there's a space there; yeah, there we are, and we hit enter. So let's see what parameter we're able to discover. In this case you can see quite easily we were able to discover that the parameter name is id. Fairly simple, right? This could also have been done manually, but if you're not able to identify the parameter name you can use ffuf. It's almost done going through the word list, because that particular word list is quite small. There we are, so we know it's id now, that's great. You can also use the other word list here.

However, as it says here, now that we've found a parameter accepting integer values we'll start fuzzing the values. At this point we could generate a word list and save a file containing integers. As you noted, we were testing it manually; so for example if I hit 100 here, the integer 100 or the id 100, that doesn't respond with the user. But when it comes down to web app pen testing, it's good to get an understanding of what ids actually work, what the range of ids is that actually work, and what integers don't work. So if I say 20, that doesn't display anything here; if I say 11 we get admin3, and I could go and do this manually, step by step, to find the actual range, but that'll take time. So this is what ffuf will actually help you with. The way it does this is it uses standard output here: to cut out a step, we can use the word list option and then a hyphen, which tells ffuf to read a word list from standard output. This will allow us to generate a list of integers with a command of our choice and then pipe the output to ffuf, and of course we are piping it, as you can see here. Then it gives you a list of five different ways to generate numbers from 0 to 255, either using bash or Ruby. So we can use the first option here, and what we can do is copy the entire thing here, I think that should be fine, and then we just replace the IP with the machine IP. So I'm just going to do this in a text editor; it's fairly simple. You can also do it with Python and then pipe the output there, so you can set up a range of 0 to 255 or whatever integer range you have in mind. The machine IP in this case is 10.10.78.125; there we are. Again, it's fairly similar to what we were doing before, except in this case, when I paste that in there, we're essentially fuzzing, as you can see right over here, the actual integer value, or the id itself, because we've discovered the parameter name. So we hit enter and now it'll give us a list of integers with their status codes there. As you can see, in this case they're all 200 response status codes, and the reason why it's colorized is because we're using the -c option; that essentially means colorize the output based on whether the results are positive or whether they're essentially redirects, or not found, etc. In this case we can see that the highest number here is 14, so that's the highest range in terms of the integer value, or the id, because this is from a database. So that means there are only about 14 users, give or take a few, because I can't see a few integers here, like 5; well, we actually can see 5, so we know it's 1 to 14. So if we head back over into our browser here, we can see that it's going to ask us the question "what is the parameter we found?" Let me answer those questions first: that's id. "What's the highest valid id?" That's 14, I believe, and there we are.

All right, so now we're talking about word-list-based brute force attacks, so for example performing a brute force against a login page, in this case under Less-11. So if we head over there, we get rid of that there, we say Less-11, and we're prompted with a login page. We can actually take a look at the example it provides us with here. It says we can perform a word-list-based brute force attack for the password, so we're fuzzing the password value, and the word list we're using is under Leaked-Databases, hak5.txt. We use the -X option if we're sending a POST request; as you can see here, we have to use the POST method and then provide the POST data with -d and include the FUZZ keyword in the place of the password. We can also do that for the username, because it's already given us a username called dummy, which is sort of holding your hand, but I can actually take you through how you can enumerate usernames and furthermore the passwords for this particular web application. As it says here, we also need to provide a custom header, so you can find the custom header by analyzing the web app with Burp Suite. So if I enable my proxy in my browser and open up Burp Suite here, we can actually get our headers. I'm just taking you through this because the documentation doesn't highlight that, if you're new to web app pen testing. Let me take a look at my proxy; that's activated. So if I put in test and test for the username and password and hit submit, you get your headers here as well: there we are, application/x-www-form-urlencoded. So you get your headers that way. I'm just going to disable intercept there and disable the proxy, although we will be revisiting it in a second.

So going back to the example, let me just refresh that. Going back to the example, we can actually copy this out, as it is quite cumbersome to actually type out, and then I'll show you how we can actually fuzz for usernames and the passwords. So we'll just clear that out and I'll paste that in there, and let me try and explain what's going on. Firstly, we're providing the URL; we're not fuzzing any parameters, we have a login page, but we're using the POST method. So colored output, the word list is a password word list, then POST, and then we provide the data here, which in this case is username set to dummy and the password is what we're fuzzing, that's the FUZZ keyword there, and then submit, and then the Content-Type header is provided there. Yeah, that's fairly simple. So let's try and fuzz the username before we get the password. For the password we can leave that as FUZZ, although we are going to be using a word list for usernames as opposed to passwords, but we can also change the username value to FUZZ, so we can fuzz both of them, although we're only looking for usernames. So if we head over into our SecLists directory under Usernames, let's see, we can actually use... huh, let's use the MySQL usernames there; that might give us something, although I'm not doing this in the hopes that we might find a username. So if I hit enter we get a username: we get the admin username, so that means there is an admin user, and then we can brute force the password using various password word lists. So for example, if we now change the username value, let me just change this really quickly here to admin, so username=admin, and then we say password=FUZZ, and the word list we will be using is going to be under Passwords in the SecLists directory. So we can then say Passwords, and we can then use any of these; so 2020-200_most_used_passwords, for example. We hit enter; nothing found there, so nothing under the admin user. We can also use the rockyou word list; nothing there. So I'm just going to try one more before we actually just use the dummy username, the one it actually provided us with here, so that we can go through this test correctly. Let's try one that I know works really, really well: do we have the rockyou word list here, the rockyou passwords? I believe we might, but let's try one more here: Common-Credentials, 100k-most-used-passwords. Hey, why not, man, let's go ahead and do that, although we probably won't find anything useful here, unless we run a few... utilize some of the
other password word lists uh but yeah uh that's how you can fuzz um it looks like we get a very weird output there but hey anyway as i was saying let's use the dummy username let me make sure i get that correctly the username is dummy with a capital d that's very important there so so username is dummy there we go and then the we're using the leaked passwords uh under let's see leaked licked databases and then hack five dot txt we hit enter let's see whether we can find a password for the user dummy with ffuf all right so i'm going to let that run and looks like we get the password so let's copy that there we can also try and log in i guess let's actually test that out so we head over into the web application we say dummy log in there looks like that works successfully logged in so we can provide that here it's going to say what's dummy's password paste that in there and there there we are fantastic done all right so we can close that task and let's move on to task six which is finding v hosts and sub domains let me just terminate that i've actually terminated it so now we're talking about uh subdomain brute forcing uh and also vost brute forcing so uh it already tells you this from the start that ffuf may not be as efficient as specialized tools when it comes down to subdomain enumeration but it's possible to do so all you need to do is provide the first keyword and then the dot domain.com or domain.org or whatever top level domain you're trying to enumerate subdomains for and then you use an appropriate word list like you know under the discovery and dns directory like subdomains top one million dot txt right and in this case uh we don't have a domain that we can work with but what this would look like is as follows so head over into my terminal um ffvuf you specify the url here we say fuzz dot hack exploit well that's incorrectly typed in hackersplay.org and then we can output that in colorized format and the word list is user share set lists and then you know 
we can say um is that under discovery web content well actually under dns not web content so dns and then we can use any of these word lists here so for example the fierce host list is quite useful in my opinion so there we are we'll let that run although in my case i don't think this might work although we can always try it out let's see whether we're able to enumerate any sub domains for my particular domain all right so yeah this looks like it's going to take a while so i'm not going to go through with that but as it says this is not one of its strong suits as it says here you can also as it says some sub domains might not be resolvable by the dns server you're using an only resolvable from within the target's local network by their private dns server so that's fairly normal we expect that some virtual hosts vios may exist with private subdomains so the previous command doesn't find them to try finding sub-domains private sub-domains we'll have to use the host http header as the requests might be accepted by the web server so the instructions for that are provided here as you can see we need to provide the host or the header and then of course fuzz the the actual sub domain there and yeah so that's how to do that i'm not going to be covering that because as i said that's not really one of its strong suits let's take a look at proxing with proxiing ffuf traffic which is quite useful so if we want to proxy the requests uh through burp suite for example you can you can actually utilize or do that using the x option and then pass in the proxy the proxy parameters or url in the case of burp suite and with osap that is going to be a local host under port 8080 right so again for example if we wanted to do this here we would say get rid of that there let's go to a shorter parameter list here is that the correct ip i believe 125 no that's not the correct one um let's use this one here right so let's say we just wanted to fuzz the root of the web server so fuzz we can 
output that in colorized format let me just get rid of the single quote there there we go and then we can say you know user share set lists and then discovery web content and then common.txt and then we can say x http uh 127.0.0.1 make sure you have burp suites started up and we'll hit intercept on i'm going to hit enter now there we are we can see burp suite opens up and we get the first get request here for the file dot web and then we can forward it or drop it or send it to the repeater but that will you know really be quite stupid we can confirm that the use agent is fuzz faster you fool version 1.3.1 which is a cali exclusive uh for those of you who didn't know that already so we can hit forward dot perf um dot get config mysql history so on and so forth and then you can view the response etc etc so that's how to proxy uh if you have traffic um you know through through burp or any other proxy tool that you're using so um yeah that's pretty fairly simple as it says it's also possible to send only matches to your proxy for replaying and that can again be done by saying replay proxy which is fairly simple and then you can do that with burp or any other proxy that's done that's fairly simple to understand and then reviewing the options right so it says here as you start as you start to use ff you have more some options will prove to be very useful depending on your situation for example ic allows you to ignore comments in the word list such as headers copyright notes comments etc so for example under directory list 2.3 medium you have quite a bit of commentary or actual documentation here which you might want to actually try and exclude so you know we can actually just copy this command and see what they're talking about without the ic option which actually ignores comments and then of course we can actually do that here so let me just terminate that there if we do that right now and hit enter that's going to ignore the comments if we do that without providing the 
ic option you can see that the comments are provided here and you know for some reason it provides status codes for the comments and you can see how messy that that output looks so the iec option is quite useful there all right so um it's going to say how do you save the output to a markdown file so ffuf allows you to output your results into various file formats so if i say ff uf help we can take a look at the output format here and then we say output format md and then we specified the file name so if we were to do that we would say output format md and then ffuf.md hit submit there we are that works the way that would look like is as follows so for example if we were doing the same thing here we could ignore the comments ignore comments and then we would say output format sorry output format and then that's md and then we could say you know ffuf.md hit enter that's going to output it into the markdown file as i said you can do that in various other formats for example if i can actually find that here output formats there we are json which can be great for importing it or utilizing it with a web application html md csv ecsv or you can output or use the all option for all formats and you can also specify specify the output directory if you want right so um if you want to reuse a raw http request file we're not actually covered that'll probably be making a video that highlights that in the future that's under here so there we are that's request so we can specify that there there we go submit how do you strip comments from a word list that is ic as we already know how do you how would you read a word list from standard input so that's uh hyphen w hyphen uh there we are that's correct how do you print full urls and redirect locations i believe that's r and uh no that's it that's incorrect uh how do you print uh full urls and redirect locations let's actually take a look at that right now uh redirect output that is v so for for both output because we're outputting the 
urls and redirect locations so that's verbose output that's not really recommended with this tool um what option would you use to follow redirects that's the r option as i'm quite familiar with that and how do you enable colorized output that's c here and we hit submit and that looks like that is done this is more information about the author of this room and yeah we're pretty much done with that room so we can hit complete that's done and there we are so that is how to use ffuf that's just a you know general introduction there's many other ways that you can use it as i said it's a great place to begin is the documentation page as i said you can also change the rate um you know if you want to increase the the rate also the timeout so http request timeout in seconds so for example i can say in this particular case let me just get rid of the output options here we'll say that the uh that the rate is maybe something like let's say we wanted 10 there and then the timeout options which i want to actually highlight here there we are timeout um if we say timeout we can change that to maybe 20 seconds there we hit enter as you can see the timeout has been changed and the rate has also been changed there and yeah that's how to modify that if you want to change the threads let me actually take you through that as well because that's quite important when utilizing a tool like this let's take a look at the option here there we are that's the thread so you can also change the amount of threads so if i wanted to say maybe something like a hundred threads which i really don't recommend but you can see changes the threads to 100 there and that will speed it up but it may also cause a denial of service uh type of situation if the web application is being overloaded you know so on and so forth right so that's going to be it for this video let me know what you guys think of this tool as i said it's a fairly recent tool one that i've been uh in you know learning how to use 
incorporating into my own pen tests and engagements i'd love to know what you guys think the write up for this video uh will be on our blog at hackersploit.org if you want to uh you know join in the discussion you can do that on our forum so that's forum.hackersploit.org or on our discord server the link will be in the description section and yeah thank you very much for watching and i'll be seeing you in the next video a huge thank you to all of our patreons your support is greatly appreciated and this is a formal thank you so thank you shamir douglas ryan carr sandor michael busby sids up doozy defeam barry dustin empress and michael hubbard your support is greatly appreciated and you keep us making even more high quality content for you guys so thank you [Music]
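Added example, not from the video or from the ffuf project: the transcript above dictates the ffuf invocations for integer-id fuzzing, POST login brute forcing, Host-header vhost fuzzing and proxied directory brute forcing, but never shows them as complete command lines. The script below builds each of those commands from the flags the room uses (-w -, -X POST with -d and the Content-Type header, -H "Host: FUZZ.domain", -x / -replay-proxy, -ic, -rate, -timeout, -t, -of/-o) and adds the one post-processing step the room asks for, reading the highest valid id out of ffuf's JSON output instead of eyeballing colourised results. Assumed and not from the page: the lesson paths (/lesson/?id=FUZZ, /lesson11/), the placeholder domain example.org, the SecLists install path, the -fs baseline sizes, and the sample JSON, which is constructed to mirror ffuf's -of json layout.

```shell
#!/bin/sh
# Added example (not the video's or ffuf's own code). Assumptions: ffuf and
# SecLists live at the usual Kali paths; TARGET/ID_URL/LOGIN_URL/DOMAIN are
# placeholders you override for your own lab target.
set -u

TARGET="${TARGET:-http://10.10.78.125}"            # lab box from the room
ID_URL="${ID_URL:-$TARGET/lesson/?id=FUZZ}"        # assumed path of the id parameter
LOGIN_URL="${LOGIN_URL:-$TARGET/lesson11/}"        # assumed path of the login form
DOMAIN="${DOMAIN:-example.org}"                    # placeholder for vhost fuzzing
SECLISTS="${SECLISTS:-/usr/share/seclists}"
PROXY="${PROXY:-http://127.0.0.1:8080}"            # Burp Suite / ZAP listener
FORM_CT='Content-Type: application/x-www-form-urlencoded'

# Each cmd_* function prints one ffuf command line so it can be reviewed (or
# asserted on) before it runs; run_cmd executes it unless DRY_RUN=1.
run_cmd() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi; }

# 1. Integer-id fuzzing: wordlist from stdin (-w -), hide 404s explicitly
#    instead of relying on the default matcher, JSON output for post-processing.
cmd_id_range() {  # $1 = highest id to try, $2 = JSON output file
  printf 'seq 1 %s | ffuf -u "%s" -w - -c -fc 404 -of json -o %s' "$1" "$ID_URL" "$2"
}

# 2. POST login brute force: -X POST, FUZZ inside -d, and the Content-Type the
#    browser sends (read it off Burp, as in the video). Filter the size of the
#    "bad credentials" page with -fs so only a different response is reported.
cmd_login() {  # $1 = field to fuzz (username|password), $2 = fixed value for the
               # other field, $3 = wordlist, $4 = baseline failure response size
  if [ "$1" = username ]; then data="username=FUZZ&password=$2"; else data="username=$2&password=FUZZ"; fi
  printf 'ffuf -u "%s" -c -w "%s" -X POST -d "%s" -H "%s" -fs %s' \
    "$LOGIN_URL" "$3" "$data" "$FORM_CT" "$4"
}

# 3. Vhost fuzzing through the Host header: finds private subdomains the public
#    resolver never returns. Filter the default vhost's response size.
cmd_vhost() {  # $1 = baseline response size to filter out
  printf 'ffuf -u "%s" -c -w "%s/Discovery/DNS/subdomains-top1million-5000.txt" -H "Host: FUZZ.%s" -fs %s' \
    "$TARGET" "$SECLISTS" "$DOMAIN" "$1"
}

# 4. Directory brute force: -ic drops wordlist comments, -x proxies every
#    request (or -replay-proxy only the matches), -rate/-timeout/-t bound the
#    load on the target, -of md writes a markdown report.
cmd_dir() {  # $1 = "all" to proxy everything, anything else to replay matches only
  if [ "$1" = all ]; then proxy="-x $PROXY"; else proxy="-replay-proxy $PROXY"; fi
  printf 'ffuf -u "%s/FUZZ" -c -ic -w "%s/Discovery/Web-Content/common.txt" %s -rate 10 -timeout 20 -t 40 -of md -o ffuf.md' \
    "$TARGET" "$SECLISTS" "$proxy"
}

# Highest FUZZ value in a ffuf JSON results file ($1): answers "what is the
# highest valid id" directly from the saved output.
highest_id() {
  grep -o '"FUZZ":"[0-9][0-9]*"' "$1" | grep -o '[0-9][0-9]*' | sort -n | tail -n 1
}

# Constructed sample of what ffuf -of json writes, trimmed to the fields used.
SAMPLE_JSON='{"commandline":"ffuf -u http://10.10.78.125/lesson/?id=FUZZ -w -","results":[
 {"input":{"FUZZ":"1"},"status":200,"length":180,"url":"http://10.10.78.125/lesson/?id=1"},
 {"input":{"FUZZ":"14"},"status":200,"length":184,"url":"http://10.10.78.125/lesson/?id=14"},
 {"input":{"FUZZ":"5"},"status":200,"length":181,"url":"http://10.10.78.125/lesson/?id=5"}]}'

demo() {  # print the four commands and parse the sample JSON, without touching the network
  DRY_RUN=1 run_cmd "$(cmd_id_range 100 ids.json)"
  DRY_RUN=1 run_cmd "$(cmd_login username Dummy "$SECLISTS/Usernames/mysql-usernames.txt" 1234)"
  DRY_RUN=1 run_cmd "$(cmd_vhost 4321)"
  DRY_RUN=1 run_cmd "$(cmd_dir all)"
  tmp=$(mktemp); printf '%s' "$SAMPLE_JSON" >"$tmp"
  printf 'highest valid id in sample: %s\n' "$(highest_id "$tmp")"
  rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh ffuf-helpers.sh demo` to see the commands without sending anything; drop `DRY_RUN=1` to execute one against your own target. The `-fs` baseline for the login and vhost commands comes from one manual request with a known-bad value (a wrong password, a nonsense Host header); without a filter every login attempt returns 200 and ffuf reports the whole wordlist as hits. Keep `-rate`/`-t` conservative for the reason the video gives: a hundred threads against a small web application is a denial of service, not a test.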
Info
Channel: HackerSploit
Views: 41,465
Keywords: hackersploit, hacker exploit, hacking, kali linux, ffuf, ffuf tutorial, ffuf tool, ffuf kali linux, fuzzing with ffuf, ffuf fuzzing, ffuf usage, ffuf output, ffuf install, ffuf bug bounty, ffuf brute force, directory brute force, directory brute force attack, fuzzing, fuzzing for vulnerabilities, fuzzing bug bounty
Id: 9Hik0xy9qd0
Length: 51min 19sec (3079 seconds)
Published: Mon Oct 04 2021