Open Source Detective

FFUF: The De Facto Tool for Website Penetration Testing

Open Source Detective

Introduction:

There is an abundance of tools at a pentester's fingertips for cracking a web application's armor, and none is more versatile or useful in the discovery phase than FFUF. FFUF (Fuzz Faster U Fool) is a web fuzzer written in Go: it takes a wordlist and substitutes each entry wherever the FUZZ keyword appears in the request, whether in the URL path, a header, or a GET or POST parameter. That one mechanism makes it usable for directory discovery, subdomain and virtual-host discovery, and parameter fuzzing against a web application's back end. The following are a few examples of its usage:

Project Setup:

For this tutorial I'll be using Google Gruyere, a web app specifically built to be hacked: https://google-gruyere.appspot.com/ (the long number in the URLs below is the per-user instance ID Gruyere assigns when you start it; yours will differ). Only run the commands below against targets you own or are explicitly authorized to test.

For the wordlists I cloned the following repository: https://github.com/danielmiessler/SecLists (the commands below assume the clone sits in the current directory; on Kali the seclists package installs the same files under /usr/share/seclists).

Directory Discovery:

One of the most common uses of FFUF is directory discovery: finding paths the site serves but never links to, such as admin panels, backups and old deployments. This is an important step in mapping a target's attack surface. FFUF takes any wordlist and requests each entry in place of the FUZZ keyword, then reports the responses that pass its matchers and filters. By default it matches on status code (200-299, 301, 302, 307, 401, 403, 405 and 500); use -mc/-fc to change the status codes, -fs to drop responses of a known "not found" size when the site answers 200 for everything, and -ac to let FFUF calibrate those filters automatically. This is brute force: one request per word, so a 5,000-line list is 5,000 requests, which is noisy in the target's logs and easy to rate-limit (throttle with -rate or -p if needed).

ffuf -w SecLists/Discovery/Web-Content/common.txt -u https://google-gruyere.appspot.com/470523742524253302105644792224613202319/FUZZ

The wordlist has to match the job: the Discovery/Web-Content lists in SecLists hold path names, while the Discovery/DNS lists used in the next section hold hostname labels. Add -e .html,.txt to also try each word with an extension, and -recursion to fuzz inside every directory that is found.

Subdomain Discovery

Another common use for FFUF is discovering which subdomains exist for a target domain. Knowing this can expose APIs, admin consoles, staging copies and other interfaces that are less hardened than the main site. Here FUZZ goes into the hostname rather than the path, so each candidate has to resolve in DNS; names that do not resolve produce connection errors, not hits. This does not apply to the Gruyere instance, which lives on a shared appspot hostname, so substitute a domain you are authorized to test for mydomain.com below.

ffuf -w SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u https://FUZZ.mydomain.com/

When several sites share one IP address the distinguishing factor is the Host header instead of DNS. The same wordlist then goes into that header, and -ac filters out the catch-all response the server returns for every unknown name:

ffuf -w SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u https://mydomain.com/ -H "Host: FUZZ.mydomain.com" -ac

Username Discovery

FFUF can also be used to discover existing usernames for a web application. Whenever the application answers differently for a known and an unknown username (a registration form that says "username already exists", or a login form that says the user does not exist instead of the generic "invalid credentials"), that difference is an oracle: send a large list of usernames and keep only the responses that indicate a valid account. Use -mr to keep responses whose body matches a regular expression (the "taken" message in the example below), or -fr to drop the ones that match the "unknown user" message. If the text is identical in both cases, look at response length (-fs) or timing instead. Once we know the valid usernames we can attempt to crack their passwords and gain access to those accounts.

ffuf -w SecLists/Usernames/top-usernames-shortlist.txt -X POST -d "username=FUZZ&password=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://mydomain.com/login -mr "username already exists"

Note the POST body uses a single & between parameters; a doubled && produces an empty parameter that some frameworks reject outright, which would make every response look the same.
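The three commands above all rely on one mechanism: substitute each word at FUZZ, send the request, and let matchers and filters decide what counts as a hit. The following is an added example, written for this page and not FFUF's own code, that reimplements that loop in Python against a constructed in-memory stand-in for a web app (the hosts, paths, users and messages are hypothetical, not Google Gruyere). It shows the path, Host-header and POST-body injection points, FFUF's default status-code matcher, why a catch-all virtual host needs a size filter (what -ac calibrates), and how the login-message difference enumerates users.

```python
"""Minimal ffuf-style fuzzer (added example, not ffuf's code).

Substitutes FUZZ into the URL path, the Host header or a POST body and
applies ffuf-style matchers/filters (-mc/-fc status, -fs size, -mr/-fr
regex). The target is a constructed in-memory server so it runs offline.
"""
import re
from dataclasses import dataclass

FUZZ = "FUZZ"
# ffuf's default -mc set: 200-299,301,302,307,401,403,405,500
DEFAULT_MATCH = set(range(200, 300)) | {301, 302, 307, 401, 403, 405, 500}


@dataclass
class Request:
    method: str
    url: str
    headers: dict
    body: str


@dataclass
class Response:
    status: int
    body: str


def build_request(word, method, url, headers, body):
    """Replace FUZZ everywhere it appears (URL, headers and body), as ffuf does."""
    sub = lambda s: s.replace(FUZZ, word)
    return Request(method, sub(url), {k: sub(v) for k, v in headers.items()}, sub(body))


def fuzz(words, send, *, url, method="GET", headers=None, body="",
         match_codes=DEFAULT_MATCH, filter_codes=(), filter_sizes=(),
         match_regex=None, filter_regex=None):
    """Return (word, status, size) for each response that survives the matchers and filters."""
    hits = []
    for word in words:
        resp = send(build_request(word, method, url, headers or {}, body))
        if resp.status not in match_codes or resp.status in filter_codes:
            continue
        if len(resp.body) in filter_sizes:           # -fs
            continue
        if match_regex and not re.search(match_regex, resp.body):   # -mr
            continue
        if filter_regex and re.search(filter_regex, resp.body):     # -fr
            continue
        hits.append((word, resp.status, len(resp.body)))
    return hits


# --- constructed stand-in target (hypothetical names, not a real site) ---
PATHS = {"admin": (401, "Authorization required"),
         "login": (200, "<form method=post action=/login>"),
         "backup": (403, "Forbidden")}
VHOSTS = {"api.example.test": (200, '{"service":"api","v":1}'),
          "staging.example.test": (200, "staging build")}
USERS = {"admin", "alice"}
WILDCARD = "Default site for unknown host"   # catch-all vhost: same body for any name


def fake_send(req):
    """Behave like a small web app: vhosts, a few paths, and a leaky login form."""
    host = req.headers.get("Host", "www.example.test")
    if req.method == "POST" and req.url.endswith("/login"):
        params = dict(p.split("=", 1) for p in req.body.split("&") if "=" in p)
        # Different error text for known vs. unknown users is the enumeration oracle.
        known = params.get("username") in USERS
        return Response(200, "Invalid password" if known else "Invalid username")
    if host in VHOSTS:
        return Response(*VHOSTS[host])
    if host != "www.example.test":
        return Response(200, WILDCARD)            # 200 for every unknown vhost
    name = req.url.rsplit("/", 1)[-1]
    return Response(*PATHS[name]) if name in PATHS else Response(404, "Not found")


def directory_discovery(words, send=fake_send):
    # ffuf -w words -u https://www.example.test/FUZZ
    return fuzz(words, send, url="https://www.example.test/FUZZ",
                headers={"Host": "www.example.test"})


def vhost_discovery(words, send=fake_send):
    # ffuf -w words -u https://www.example.test/ -H "Host: FUZZ.example.test" -ac
    # Probe with a name that cannot exist to learn the catch-all size, then filter it.
    hdr = {"Host": "FUZZ.example.test"}
    probe = send(build_request("zz-does-not-exist-zz", "GET", "https://www.example.test/", hdr, ""))
    return fuzz(words, send, url="https://www.example.test/", headers=hdr,
                filter_sizes=(len(probe.body),))


def username_discovery(words, send=fake_send):
    # ffuf -w words -X POST -d "username=FUZZ&password=x" -u .../login -fr "Invalid username"
    return fuzz(words, send, method="POST", url="https://www.example.test/login",
                headers={"Host": "www.example.test",
                         "Content-Type": "application/x-www-form-urlencoded"},
                body="username=FUZZ&password=x", filter_regex="Invalid username")


if __name__ == "__main__":
    print(directory_discovery(["admin", "images", "login", "backup", "css"]))
    print(vhost_discovery(["api", "mail", "staging", "dev"]))
    print(username_discovery(["admin", "bob", "alice", "root"]))
```

The size filter in vhost_discovery is exactly what makes wildcard hosts tractable, but it also hides any real virtual host whose response happens to be the same length as the catch-all page, so when results look empty, repeat the run with -fr on a distinctive string from the catch-all body instead of -fs.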

Conclusion:

These are just a few of the many ways FFUF can be used; the same FUZZ substitution works for GET and POST parameter values, cookies and any other header. Check out the documentation at https://github.com/ffuf/ffuf and start learning more!

