How to Use the Command 'ffuf' (with Examples)


ffuf is a powerful and fast web fuzzer written in Go, designed to help penetration testers and security researchers discover hidden directories, files, and vulnerabilities on web servers. The tool uses the FUZZ keyword as a placeholder, replacing it with every entry in a specified wordlist to systematically probe the target for potential weak spots. It supports a range of functionalities, including directory enumeration, subdomain checking, and HTTP header manipulation, making it highly versatile for a variety of scenarios in web security testing.

Use Case 1: Enumerate Directories

Code:

ffuf -c -w path/to/wordlist.txt -u http://target/FUZZ

Motivation:

In web applications, directories can often contain sensitive files or endpoints that are not linked or are intentionally hidden. By systematically attempting access to directories using a wordlist, penetration testers can uncover hidden or mistakenly exposed paths that might reveal sensitive information or provide unauthorized access.

Explanation:

  • -c: This option stands for ‘colored output’, which improves readability by using colors to highlight different parts of the response, such as status codes and extracted strings.
  • -w path/to/wordlist.txt: Specifies the path to the wordlist file containing potential directory names that will replace the FUZZ placeholder.
  • -u http://target/FUZZ: The target URL where FUZZ is replaced by each word from the wordlist to attempt directory access.

Example Output:

/admin                   [Status: 301, Size: 308, Words: 20, Lines: 10]
/login                   [Status: 200, Size: 1024, Words: 60, Lines: 40]
/hidden                  [Status: 403, Size: 32, Words: 2, Lines: 1]
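
The directory enumeration above leaves a distinctive footprint in the target's web server logs, and the defender's side of this use case is spotting it. The following Python script is an added example, not part of the original page or of the ffuf project: it parses constructed Apache/nginx combined-format access log lines and flags client IPs that either present ffuf's default User-Agent string (assumed here to contain "Fuzz Faster U Fool"; confirm against your ffuf version, and note that -H can override it) or produce a burst of 404 responses inside a short window. The sample log lines, window size and threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache/nginx "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 301 308 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /old HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /test HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /tmp HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /hidden HTTP/1.1" 403 32 "-" "Fuzz Faster U Fool v2.1.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /dev HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v2.1.0"
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:02:11 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed default User-Agent prefix sent by ffuf when the operator does not override it.
FFUF_DEFAULT_UA = "Fuzz Faster U Fool"


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_fuzzing(log_text, window_seconds=10, threshold=5):
    """Flag client IPs that look like a directory fuzzer.

    Indicators: the ffuf default User-Agent, and at least `threshold` 404
    responses from one IP inside any `window_seconds` window.
    Returns {ip: sorted list of indicator names}.
    """
    not_found = defaultdict(list)   # ip -> timestamps of 404 responses
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if FFUF_DEFAULT_UA in rec["ua"]:
            findings[rec["ip"]].add("ffuf_user_agent")
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])
    # Sliding window over the sorted 404 timestamps of each client.
    for ip, stamps in not_found.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                findings[ip].add("404_burst")
                break
    return {ip: sorted(names) for ip, names in findings.items()}


if __name__ == "__main__":
    for ip, indicators in detect_fuzzing(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(indicators)}")
```

The 404 burst is the more robust of the two signals, because the User-Agent is trivially changed with -H; tune the window and threshold against your own baseline traffic before alerting on it.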

Use Case 2: Enumerate Webservers of Subdomains

Code:

ffuf -w path/to/subdomains.txt -u http://FUZZ.target.com

Motivation:

Enumerating subdomains can be critical in identifying additional entry points into an application. Often, subdomains host different services, some of which may lack the stringent security measures present on the main site.

Explanation:

  • -w path/to/subdomains.txt: Specifies the wordlist containing possible subdomain names.
  • -u http://FUZZ.target.com: The URL structure where each subdomain name from the wordlist will be tested by replacing FUZZ.

Example Output:

dev.target.com           [Status: 200, Size: 2048, Words: 200, Lines: 54]
staging.target.com       [Status: 403, Size: 512, Words: 40, Lines: 15]
private.target.com       [Status: 200, Size: 1500, Words: 150, Lines: 50]

Use Case 3: Fuzz with Specified Threads and Proxy Traffic

Code:

ffuf -o ffuf_output.txt -w path/to/wordlist.txt -u http://target/FUZZ -t 500 -x http://127.0.0.1:8080

Motivation:

High-speed fuzzing with multiple threads can discover vulnerabilities more efficiently. Additionally, routing requests through a proxy allows for deeper interception and analysis, which is invaluable for testing scenarios where response details need to be scrutinized.

Explanation:

  • -o ffuf_output.txt: Writes the results to the named file (the flag requires a filename argument), which is useful for analysing the data after a scan. The default output format is JSON; -of selects another format such as csv or html.
  • -w path/to/wordlist.txt: Indicates the wordlist to be used for fuzzing.
  • -u http://target/FUZZ: The base target URL for fuzzing.
  • -t 500: Sets the number of concurrent threads to 500 (the default is 40), which increases fuzzing speed significantly. Very high thread counts can overwhelm the target, trigger rate limiting or WAF blocking, and turn timeouts into false negatives, so choose a value the target and your authorisation can tolerate.
  • -x http://127.0.0.1:8080: Configures the proxy setting, so requests are routed via the local machine address, suitable for proxy tools like Burp Suite or mitmproxy.

Example Output:

Results saved to file: ffuf_output.txt
/admin/                       [Status: 301, Size: 308, Words: 20, Lines: 10]
/dashboard/                   [Status: 200, Size: 1124, Words: 89, Lines: 43]

Use Case 4: Fuzz a Specific Header

Code:

ffuf -w path/to/wordlist.txt -u http://target.com -H "Host: FUZZ" -mc 200

Motivation:

HTTP headers can contain information essential for the correct functioning of web applications or services. By fuzzing these headers, testers can identify vulnerabilities or misconfigurations that might lead to unauthorized access or information leakage.

Explanation:

  • -w path/to/wordlist.txt: The wordlist used for fuzzing potential header values.
  • -u http://target.com: The base URL for the HTTP requests.
  • -H "Host: FUZZ": Sends a Host header whose value is each wordlist entry in turn; this is how virtual hosts served from the same IP address are discovered.
  • -mc 200: Shows only responses with HTTP status 200. Many servers answer every unknown Host value with the default virtual host, which also returns 200, so a size filter such as -fs <baseline size> is usually needed alongside -mc to remove that catch-all response.

Example Output:

Resolving host: sub1                         [Status: 200, Size: 1344, Words: 90, Lines: 56]
Resolving host: sub2                         [Status: 200, Size: 1320, Words: 82, Lines: 52]
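
Use Case 3 saves results to a file for later analysis and Use Case 4 shows why a status-code match alone is not enough for Host header fuzzing: the catch-all virtual host answers 200 for everything. The following Python script is an added example, not code from the original page or from the ffuf project. It reads ffuf-style JSON output (written with -o ffuf_output.json -of json), summarises hits by status, detects the dominant identical response signature that marks a catch-all, and suggests the -fs value that would filter it. The JSON layout here follows ffuf's JSON writer as the author of this example understands it (a top-level "results" list with "input", "status", "length", "words" and "lines" keys); verify it against your ffuf version. The sample output is constructed.

```python
import json
from collections import Counter

# Constructed ffuf-style JSON output; the field names are an assumption about ffuf's
# JSON writer, and the results are invented for illustration, not from a real scan.
SAMPLE_JSON = json.dumps({
    "commandline": "ffuf -w hosts.txt -u http://target.com -H 'Host: FUZZ' -mc 200 -o ffuf_output.json -of json",
    "results": [
        {"input": {"FUZZ": "dev"},      "status": 200, "length": 2048, "words": 200, "lines": 54, "url": "http://target.com"},
        {"input": {"FUZZ": "staging"},  "status": 200, "length": 1344, "words": 90,  "lines": 56, "url": "http://target.com"},
        {"input": {"FUZZ": "mail"},     "status": 200, "length": 1344, "words": 90,  "lines": 56, "url": "http://target.com"},
        {"input": {"FUZZ": "vpn"},      "status": 200, "length": 1344, "words": 90,  "lines": 56, "url": "http://target.com"},
        {"input": {"FUZZ": "intranet"}, "status": 200, "length": 1344, "words": 90,  "lines": 56, "url": "http://target.com"},
        {"input": {"FUZZ": "private"},  "status": 200, "length": 1500, "words": 150, "lines": 50, "url": "http://target.com"},
        {"input": {"FUZZ": "old"},      "status": 301, "length": 308,  "words": 20,  "lines": 10, "url": "http://target.com"},
    ],
})


def load_results(text):
    """Return the list of result records from ffuf JSON output."""
    return json.loads(text)["results"]


def signature(record):
    """The tuple ffuf's -mc/-fs/-fw/-fl filters operate on."""
    return (record["status"], record["length"], record["words"], record["lines"])


def status_summary(results):
    """Number of hits per HTTP status code."""
    return dict(Counter(r["status"] for r in results))


def baseline_signature(results, min_share=0.5):
    """Return the signature shared by at least `min_share` of the results, or None.

    A dominant identical response is the default-vhost / catch-all page that a
    status-code match such as -mc 200 does not remove.
    """
    sigs = Counter(signature(r) for r in results)
    if not sigs:
        return None
    sig, n = sigs.most_common(1)[0]
    return sig if n / len(results) >= min_share else None


def interesting(results):
    """Results whose response differs from the baseline, keyed by the FUZZ value."""
    base = baseline_signature(results)
    return {r["input"]["FUZZ"]: signature(r) for r in results if signature(r) != base}


def suggested_filter(results):
    """The ffuf size filter that would drop the catch-all response on a re-run."""
    base = baseline_signature(results)
    return None if base is None else f"-fs {base[1]}"


if __name__ == "__main__":
    res = load_results(SAMPLE_JSON)
    print("by status:", status_summary(res))
    print("baseline:", baseline_signature(res), "-> re-run with", suggested_filter(res))
    for name, sig in interesting(res).items():
        print(f"  {name:10} status={sig[0]} size={sig[1]} words={sig[2]} lines={sig[3]}")
```

In practice the baseline is often easier to learn up front by sending one request with a Host value that certainly does not exist and reading its size, but post-processing the saved output as shown here works when the scan has already been run.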

Use Case 5: Fuzz with Specified HTTP Method and Data

Code:

ffuf -w path/to/postdata.txt -X POST -d "username=admin&password=FUZZ" -u http://target/login.php -fc 401,403

Motivation:

Testing login forms requires an understanding of how incorrect or different inputs are handled. This command allows for effective brute-force checks or bypass attempts on authentication systems by replacing parts of the POST data.

Explanation:

  • -w path/to/postdata.txt: Indicates the wordlist for potential passwords or data inputs.
  • -X POST: Specifies the HTTP method to use, which is POST in this case, common for form submissions.
  • -d "username=admin&password=FUZZ": Sets up POST data with the FUZZ placeholder in the password field.
  • -u http://target/login.php: URL pointing to the login endpoint.
  • -fc 401,403: Filters out responses with HTTP status 401 or 403, the codes typically returned for failed authentication attempts, so that only differing responses remain in the output.

Example Output:

Correct login detected with password: welcome123 [Status: 200, Size: 1024, Words: 95, Lines: 45]

Use Case 6: Fuzz Multiple Positions with Multiple Wordlists

Code:

ffuf -w path/to/keys:KEY -w path/to/values:VALUE -mode pitchfork|clusterbomb -u http://target.com/id?KEY=VALUE

Motivation:

Fuzzing multiple positions simultaneously allows testers to evaluate complex input interactions. This can be especially useful when both keys and values in query parameters need to be tested for vulnerabilities like SQL injection or cross-site scripting.

Explanation:

  • -w path/to/keys:KEY: Loads the wordlist and binds it to the custom keyword KEY; the :KEYWORD suffix replaces the default FUZZ placeholder so that several wordlists can be told apart.
  • -w path/to/values:VALUE: Loads a second wordlist bound to the keyword VALUE.
  • -mode pitchfork|clusterbomb: Chooses one of the two ways of combining the wordlists; pitchfork pairs the n-th entry of each wordlist in lock-step, whereas clusterbomb tests every combination of entries, so its request count is the product of the wordlist sizes.
  • -u http://target.com/id?KEY=VALUE: The target URL with both the KEY and VALUE placeholders to be replaced.

Example Output:

Detected successful payload with KEY: session and VALUE: admin [Status: 200, Size: 1400, Words: 200, Lines: 64]
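
The difference between pitchfork and clusterbomb is easiest to see by generating the request set each mode produces from two small wordlists. The following Python script is an added example, not code from the original page or from ffuf itself: it binds two constructed wordlists to the keywords KEY and VALUE, substitutes them into the URL template from the command above, and builds the request list for either mode. The pitchfork implementation stops at the shortest wordlist, which is a simplification of this example; check how your ffuf version treats wordlists of unequal length.

```python
from itertools import product

# Constructed wordlists standing in for path/to/keys and path/to/values.
KEYS = ["id", "user", "session"]
VALUES = ["1", "admin"]

# The URL from the command above; KEY and VALUE are the custom keywords.
URL_TEMPLATE = "http://target.com/id?KEY=VALUE"


def substitute(template, mapping):
    """Replace each keyword in the template with its value (plain textual replacement,
    as ffuf does; a value that itself contains a later keyword would be replaced too)."""
    out = template
    for keyword, value in mapping.items():
        out = out.replace(keyword, value)
    return out


def pitchfork(wordlists):
    """Lock-step: the n-th entry of every wordlist is used together.
    Stops at the shortest list (simplification of this example)."""
    names = list(wordlists)
    for row in zip(*(wordlists[n] for n in names)):
        yield dict(zip(names, row))


def clusterbomb(wordlists):
    """Cartesian product: every entry of each wordlist against every entry of the others."""
    names = list(wordlists)
    for row in product(*(wordlists[n] for n in names)):
        yield dict(zip(names, row))


MODES = {"pitchfork": pitchfork, "clusterbomb": clusterbomb}


def request_count(mode, wordlists):
    """Number of requests the mode would send, without building them."""
    sizes = [len(v) for v in wordlists.values()]
    if mode == "pitchfork":
        return min(sizes) if sizes else 0
    total = 1
    for s in sizes:
        total *= s
    return total


def build_requests(mode, template, wordlists):
    """Concrete URLs for every input combination the chosen mode generates."""
    return [substitute(template, m) for m in MODES[mode](wordlists)]


if __name__ == "__main__":
    lists = {"KEY": KEYS, "VALUE": VALUES}
    for mode in MODES:
        print(f"{mode}: {request_count(mode, lists)} requests")
        for url in build_requests(mode, URL_TEMPLATE, lists):
            print("  ", url)
```

With three keys and two values pitchfork sends two requests while clusterbomb sends six; with realistic wordlists of thousands of entries the clusterbomb count grows multiplicatively, which is why the thread and rate settings matter far more in that mode.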

Use Case 7: Proxy Requests Through an HTTP MITM Proxy

Code:

ffuf -w path/to/wordlist -x http://127.0.0.1:8080 -u http://target.com/FUZZ

Motivation:

Proxied requests allow researchers to capture, inspect, and manipulate traffic as it traverses the network. This can help in identifying vulnerabilities during fuzzing, which might not be apparent from HTTP responses alone.

Explanation:

  • -w path/to/wordlist: The wordlist used for fuzzing.
  • -x http://127.0.0.1:8080: Sets the proxy through which requests are sent, enabling a MITM (Man-In-The-Middle) for inspection.
  • -u http://target.com/FUZZ: The URL structure used for fuzzing, with FUZZ as the changing parameter.

Example Output:

Captured request for: /test                     [Status: 301, Size: 288, Words: 18, Lines: 10]

Conclusion

ffuf is an essential tool for security professionals seeking to explore the security measures of web applications by automating tasks like directory enumeration and subdomain discovery. By understanding and using its different options, testers can tailor their assessments to uncover hidden vulnerabilities and misconfigured services, and so secure their web presence more effectively. These examples illustrate various scenarios where ffuf can be employed to achieve thorough penetration testing results.
