What the ffuf
Fancy directories here
Requirements
● Ffuf
● Your Brain
● Go (v1.16.3) / git
● Linux based computer (preferably Debian based)
● Burp is recommended for more advanced usage
Fuzzing
What even is fuzzing? Great question! Fuzzing is when you put random or unexpected values into an input and then basically just look to see what happens. Believe it or not, things are not always what they seem. For a quick example: what if you find a text field that says "enter a number between 1 - 9" and you enter a 0, or better yet, a letter? Does it break? Did it crash?
For these examples we are going to start with installing a tool called ffuf. ffuf is a very simple yet powerful and fast web fuzzing tool, written in the language Go.
● INSTALLATION
● First we have to install Go
1. Go to https://golang.org/dl/go1.16.3.linux-amd64.tar.gz and download the file.
2. Now in the CLI (command line interface), from the folder you downloaded the file into, copy and paste this command (run it as root or with sudo, since a normal user cannot write to /usr/local):
rm -rf /usr/local/go && tar -C /usr/local -xzf go1.16.3.linux-amd64.tar.gz
A little explanation of what this command does: it removes Go (if you already had it) from its default path /usr/local/go. Now you are probably thinking that's counterintuitive, right? Well, the && is basically the shell saying "Hey, when you get that finished I want you to do this next command!!" -C tells tar which directory to extract into, similar to running cd first. The xzf means extract (x) a gzip-compressed (z) archive file (f). The archive is then extracted as the directory go.
3. Also when that gets finished you want to use the command:
export PATH=$PATH:/usr/local/go/bin
What this will do is let you use Go anywhere in the CLI. Note that export only lasts for the current terminal session; put the same line in your ~/.profile (or ~/.bashrc) to make it permanent.
4. To make sure you did it all correctly, you can try:
$ go version
in the terminal as a normal user. If it pops up the version of Go you installed, then we are good to Go.
Any issues with installing Go, please refer to the website: https://golang.org/doc/install
● Now we have to install ffuf
ffuf is a lot simpler, considering we got the hard part (installing Go) out of the way!!
● Go back to the terminal and simply type:
go get -u github.com/ffuf/ffuf
Pretty simple. It's going to go get the most updated version of said program from that URL. The ffuf binary ends up in Go's bin directory (by default ~/go/bin), so add that to your PATH the same way as /usr/local/go/bin if the ffuf command is not found afterwards.
Note: Lemons had to do the commands from Downloads:
$ sudo apt install golang-go
$ sudo apt-get install git
$ git clone https://github.com/ffuf/ffuf
$ cd ffuf
$ go get
$ go build
(go build leaves an ffuf binary in the cloned directory.)
Well, since that's all downloaded, let's see what we can do now!!
● FUZZING TIME
Directory Discovery
Why do we need to know about it? Besides ffuf being the fastest tool for it, directory discovery helps us find out where we can try out some payloads, or maybe uncover some data leak among the internals that we can see after basically cracking the code in that area. Does it let you into an admin panel where you can do whatever you want?
The normal/common way of using ffuf is simple as cheese. All you have to do is go to the CLI and know what target you are attacking:
ffuf -w wordlist.txt -u http://target/FUZZ -o output.txt -replay-proxy http://127.0.0.1:8080
So we start out by letting the computer know we are going to use the ffuf command. Then -w wordlist.txt tells ffuf that you want to use the wordlist named wordlist.txt. -u http://target/FUZZ lets ffuf know the target URL. Now, if you noticed the FUZZ at the end, that is what we will be fuzzing: it basically lets ffuf know where it is going to put the words from the wordlist into the URL. -o output.txt lets ffuf know where to put the results. Now the -replay-proxy http://127.0.0.1:8080 is for Burp: ffuf will send only the matching (working) results through Burp, so you can manipulate and modify the working URLs as you please! We also have a flag that is not mentioned here, -x, which will send EVERYTHING through the proxy. If you have the free version of Burp this is highly not recommended, considering free Burp throttles you.
File Fuzzing
File fuzzing is juicy! You can find some really critical things with it. The reason why it can work (if not protected) is because everything is stored somehow. That photo that you see could be vulnerable to an attack given the right circumstances. For example, we will be assuming here that you found a photo at: http://target/image/filename=cool.jpg. Now what we are going to do is use a wordlist called dotdotpwn.txt from:
The command we will use to fuzz the whole filename area is:
ffuf -w ~/Downloads/dotdotpwn.txt -u http://target/image/filename=FUZZ -o File.txt -mc 200
Now with this command, assuming that the wordlist dotdotpwn.txt is in your home Downloads folder, ffuf will give you the working words/URLs that it found. -mc basically means "match HTTP response code" (in this case 200). Now to backtrack a little: HTTP response 200 means it worked, it is a go, that is valid. You can also change the 200 to all, which will also show you 404 (not found), 403 (forbidden), etc.
And for the results, try them out and see where they lead you!!
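From the other side of the wire, both sections above (a directory sweep and a dotdotpwn-style filename sweep) leave a very recognisable trail in the web server's access log. The script below is an added example written for this guide, not part of the original post or of the ffuf project: it parses combined-format access log lines, flags clients whose traffic looks like a wordlist sweep (many distinct paths, mostly 403/404 answers, or ffuf's default "Fuzz Faster U Fool" User-Agent, which an operator can change with -H), and separately flags every request whose path still contains a ../ sequence after URL-decoding, because a 200 on one of those is exactly what -mc 200 would have reported. The log lines, IP addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed combined-format access log lines (not from any real server).
# 10.0.0.5 is an ordinary visitor; 10.0.0.9 behaves like a directory/file fuzzer.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2021:13:55:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2021:13:55:03 +0000] "GET /image/filename=cool.jpg HTTP/1.1" 200 80211 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2021:13:56:00 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v1.3.1"
10.0.0.9 - - [10/Oct/2021:13:56:00 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v1.3.1"
10.0.0.9 - - [10/Oct/2021:13:56:00 +0000] "GET /config HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v1.3.1"
10.0.0.9 - - [10/Oct/2021:13:56:01 +0000] "GET /uploads HTTP/1.1" 403 153 "-" "Fuzz Faster U Fool v1.3.1"
10.0.0.9 - - [10/Oct/2021:13:56:01 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Fuzz Faster U Fool v1.3.1"
10.0.0.9 - - [10/Oct/2021:13:56:02 +0000] "GET /image/filename=../../../../etc/passwd HTTP/1.1" 200 1240 "-" "Fuzz Faster U Fool v1.3.1"
10.0.0.9 - - [10/Oct/2021:13:56:02 +0000] "GET /image/filename=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1240 "-" "Fuzz Faster U Fool v1.3.1"
"""

# One combined-format line: client, ident, user, [timestamp], "METHOD path PROTO", status, size, "referer", "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def has_traversal(path: str) -> bool:
    """True if the request path contains a parent-directory step once URL-encoding is peeled off."""
    decoded = path
    for _ in range(2):  # handle both single (..%2f) and double (..%252f) encoding
        decoded = unquote(decoded)
    return "../" in decoded or "..\\" in decoded


def analyze(log_text: str, min_requests: int = 5, error_ratio: float = 0.5):
    """Return (suspect_clients, traversal_hits).

    suspect_clients: ip -> summary for clients that look like a wordlist sweep.
    traversal_hits: (ip, path, status) for every request containing a traversal sequence.
    """
    per_client = defaultdict(list)
    traversal_hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        per_client[rec["ip"]].append(rec)
        if has_traversal(rec["path"]):
            traversal_hits.append((rec["ip"], rec["path"], rec["status"]))

    suspects = {}
    for ip, recs in per_client.items():
        if len(recs) < min_requests:
            continue  # too little traffic to judge
        errors = sum(1 for r in recs if r["status"] in ("403", "404"))
        ratio = errors / len(recs)
        ffuf_ua = any("Fuzz Faster U Fool" in r["ua"] for r in recs)
        if ratio >= error_ratio or ffuf_ua:
            suspects[ip] = {
                "requests": len(recs),
                "distinct_paths": len({r["path"] for r in recs}),
                "error_ratio": round(ratio, 2),
                "ffuf_user_agent": ffuf_ua,
            }
    return suspects, traversal_hits


if __name__ == "__main__":
    suspects, hits = analyze(SAMPLE_LOG)
    for ip, info in suspects.items():
        print(f"sweep-like client {ip}: {info}")
    for ip, path, status in hits:
        # A 200 here means the server actually served something for a traversal path.
        print(f"traversal from {ip}: {path} -> {status}")
```

The error-ratio signal is the one that survives a changed User-Agent, and the traversal check is worth running on its own: an entry with status 200 is not just noise to rate-limit, it is evidence that the filename parameter is reading outside its intended directory.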
● Parameter Fuzzing
With parameter fuzzing we can take a GET parameter request and throw a ton of things at it. For the example we will be using the user_id= parameter. The command is going to be similar, but let me give a little back story. I was scrolling through http://target/ and found this URL: http://target/user/user_id=12345/dashboard/ so what we are going to try here is fuzzing just numbers. Let's just assume you have a file named Numbers.txt that has the numbers from 10,000 - 20,000, and we use a command similar to the previous section:
ffuf -w Numbers.txt -u http://target/user/user_id=FUZZ/dashboard/ -o 'ID numbers for target.txt' -mc 200
Now I put FUZZ in the GET parameter of user_id, meaning I will basically have it fuzz ..user_id=10000/dashboard/ all the way up to ..user_id=20000/dashboard/. The scale is really endless, and again the -mc 200 tells ffuf to only show the working IDs.
And that's pretty much it... thanks for reading, hope this helps!!