How to use the command 'ffuf' (with examples)

The command ‘ffuf’ is a web fuzzer used for finding hidden directories and subdomains on a target website. It substitutes entries from a wordlist into whichever part of the HTTP request carries the “FUZZ” keyword (URL path, header, GET parameter or POST data) and uses matchers and filters to decide which responses are reported. With colorized and verbose output options, it provides a convenient way to identify potential vulnerabilities and discover sensitive information.

Use case 1: Discover directories using a wordlist on a target URL with colorized and verbose output

Code:

ffuf -w path/to/wordlist -u https://target/FUZZ -c -v

Motivation: This use case is useful when you want to explore the directory structure of a website and identify directories that exist but are not linked from its public pages. By replacing the “FUZZ” keyword in the target URL with each entry of a wordlist, you can automatically test a wide range of directory names.

Explanation:

  • -w path/to/wordlist: Specifies the path to the wordlist file containing directory names or paths.
  • -u https://target/FUZZ: Sets the target URL with the “FUZZ” keyword that will be replaced by words from the wordlist.
  • -c (colorized output): Enables colorized output to make it easier to distinguish different outputs.
  • -v (verbose output): Enables verbose output, which prints the full URL and the redirect location (if any) with each result.

Example output:

2021/08/01 12:34:56 Starting FFUF
2021/08/01 12:34:56 Starting HTTP sniffer on localhost:9000
2021/08/01 12:34:56 [Status: 200, Size: 5214, Words: 315, Lines: 14]
2021/08/01 12:34:56 [Status: 200, Size: 8362, Words: 622, Lines: 45]
2021/08/01 12:34:56 Finished

Use case 2: Fuzz Host headers with a host file on a target website and match HTTP 200 code responses

Code:

ffuf -w hosts.txt -u https://example.org -H "Host: FUZZ" -mc 200

Motivation: This use case is helpful when you want to discover subdomains of a target website by fuzzing the Host header. Each request goes to the same server, and only the Host header changes, so a host file containing a list of potential subdomains can reveal valid names served by that server that may have been overlooked.

Explanation:

  • -w hosts.txt: Specifies the path to a file containing a list of subdomains or potential hostnames.
  • -u https://example.org: Sets the target URL.
  • -H "Host: FUZZ": Specifies the host header to fuzz, with the “FUZZ” keyword being replaced by the subdomains from the host file.
  • -mc 200 (match HTTP 200 code responses): Reports only responses that return an HTTP 200 status code; responses with any other status code are left out of the results.

Example output:

2021/08/01 12:34:56 Starting FFUF
2021/08/01 12:34:56 Starting HTTP sniffer on localhost:9000
2021/08/01 12:34:56 [Status: 200, Size: 5214, Words: 315, Lines: 14]
2021/08/01 12:34:56 Finished

Use case 3: Discover directories using a wordlist on a target website with a max individual job time of 60 seconds and recursion discovery depth of 2 levels

Code:

ffuf -w path/to/wordlist -u https://target/FUZZ -maxtime-job 60 -recursion -recursion-depth 2

Motivation: This use case is useful when you want to perform a more comprehensive directory discovery on a target website. Recursion extends the scan into the directories it finds, and the maximum individual job time keeps any single job from running indefinitely.

Explanation:

  • -w path/to/wordlist: Specifies the path to the wordlist file containing directory names or paths.
  • -u https://target/FUZZ: Sets the target URL with the “FUZZ” keyword that will be replaced by words from the wordlist.
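  • -maxtime-job 60: Sets the maximum running time to 60 seconds per job (the initial scan and each recursion job count as separate jobs), not per request.
  • -recursion: Enables directory recursion to discover directories within directories. Only the “FUZZ” keyword is supported, and the URL given with -u has to end in it.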
  • -recursion-depth 2: Sets the maximum recursion depth to 2 levels.

Example output:

2021/08/01 12:34:56 Starting FFUF
2021/08/01 12:34:56 Starting HTTP sniffer on localhost:9000
2021/08/01 12:34:56 [Status: 200, Size: 5214, Words: 315, Lines: 14]
2021/08/01 12:34:56 [Status: 200, Size: 8362, Words: 622, Lines: 45]
2021/08/01 12:34:56 Finished

Use case 4: Fuzz a GET parameter name on a target website and filter out responses with a size of 4242 bytes

Code:

ffuf -w path/to/param_names.txt -u "https://target/script.php?FUZZ=test_value" -fs 4242

Motivation: This use case is helpful when you want to identify potential vulnerabilities or issues related to GET parameters on a target website. By replacing the “FUZZ” keyword in the URL with entries from a wordlist of parameter names, you can test different parameter names and filter out responses of a specific size, typically the size of the page returned when the parameter is ignored.

Explanation:

  • -w path/to/param_names.txt: Specifies the path to the wordlist file containing parameter names to fuzz.
  • -u "https://target/script.php?FUZZ=test_value": Sets the target URL with the “FUZZ” keyword that will be replaced by parameter names from the wordlist and a fixed value. The URL is quoted so that the shell does not treat “?” as a glob character.
  • -fs 4242 (filter out message size response): Hides responses with a size of 4242 bytes, so only responses of a different size are listed.

Example output (illustrative; with -fs 4242 a 4242-byte response like the one listed would be hidden):

2021/08/01 12:34:56 Starting FFUF
2021/08/01 12:34:56 Starting HTTP sniffer on localhost:9000
2021/08/01 12:34:56 [Status: 200, Size: 4242, Words: 236, Lines: 18]
2021/08/01 12:34:56 Finished

Use case 5: Fuzz the password field in POST data on a target website and filter out HTTP response code 401

Code:

ffuf -w path/to/postdata.txt -X POST -d "username=admin&password=FUZZ" -u https://target/login.php -fc 401

Motivation: This use case is useful when you want to test the authentication mechanism of a target website by fuzzing the POST data. By providing a wordlist of potential passwords, you can automatically test different passwords and filter out the HTTP response code that marks a failed attempt.

Explanation:

  • -w path/to/postdata.txt: Specifies the path to the wordlist file containing potential passwords.
  • -X POST: Sets the request method to POST.
  • -d "username=admin&password=FUZZ": Specifies the POST data with the “FUZZ” keyword being replaced by passwords from the wordlist. Inside double quotes the “&” needs no backslash; an escaped “\&” would be sent with the backslash included.
  • -u https://target/login.php: Sets the target URL for the login page.
  • -fc 401 (filter out HTTP response code): Hides responses with an HTTP response code of 401 (Unauthorized), so only responses with other status codes are listed.

Example output (illustrative; with -fc 401 a 401 response like the one listed would be hidden):

2021/08/01 12:34:56 Starting FFUF
2021/08/01 12:34:56 Starting HTTP sniffer on localhost:9000
2021/08/01 12:34:56 [Status: 401, Size: 424, Words: 81, Lines: 10]
2021/08/01 12:34:56 Finished
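
How the -mc matcher from use case 2 and the -fs and -fc filters from use cases 4 and 5 combine is easy to get backwards: a response is listed only if a matcher accepts it and no filter rejects it. The following Python model is an added example, not ffuf's own code; the Response type, the function names and the sample responses are constructed for illustration, and the status matcher list is passed in explicitly because ffuf's default list is not given on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Response:
    word: str    # wordlist entry substituted for FUZZ
    status: int  # HTTP status code
    size: int    # response size in bytes

def parse_ranges(spec):
    """Parse a comma separated list of values and ranges, e.g. '200-299,302'."""
    values = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        values.update(range(int(lo), int(hi or lo) + 1))
    return values

def shown(resp, mc, fc="", fs=""):
    """True if the response would be listed: matched AND not filtered."""
    matched = mc == "all" or resp.status in parse_ranges(mc)
    filtered = resp.status in parse_ranges(fc) or resp.size in parse_ranges(fs)
    return matched and not filtered

def run(responses, mc, fc="", fs=""):
    """Return the wordlist entries whose responses survive matching and filtering."""
    return [r.word for r in responses if shown(r, mc, fc, fs)]

# Constructed sample: two parameter names are ignored by the script (same
# 4242-byte page), one changes the page, so only that one survives -fs 4242.
PARAM_RESPONSES = [
    Response("id", 200, 4242),
    Response("debug", 200, 5120),
    Response("page", 200, 4242),
]

# Constructed sample: failed logins return 401, one attempt is redirected.
LOGIN_RESPONSES = [
    Response("candidate-a", 401, 424),
    Response("candidate-b", 302, 0),
    Response("candidate-c", 401, 424),
]

if __name__ == "__main__":
    print(run(PARAM_RESPONSES, mc="200", fs="4242"))
    print(run(LOGIN_RESPONSES, mc="200-299,302,401", fc="401"))
```
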

Use case 6: Discover subdomains using a subdomain list on a target website

Code:

ffuf -w subdomains.txt -u https://website.com -H "Host: FUZZ.website.com"

Motivation: This use case is helpful when you want to enumerate subdomains of a target website. By providing a wordlist of potential subdomains, you can discover subdomains that are associated with the main website.

Explanation:

  • -w subdomains.txt: Specifies the path to the wordlist file containing potential subdomains.
  • -u https://website.com: Sets the target URL.
  • -H "Host: FUZZ.website.com": Specifies the host header to fuzz, with the “FUZZ” keyword being replaced by the subdomains from the wordlist.

Example output:

2021/08/01 12:34:56 Starting FFUF
2021/08/01 12:34:56 Starting HTTP sniffer on localhost:9000
2021/08/01 12:34:56 [Status: 200, Size: 5214, Words: 315, Lines: 14]
2021/08/01 12:34:56 Finished

Conclusion:

The ‘ffuf’ command is a powerful and flexible tool for subdomain and directory discovery on a target website. With its ability to fuzz different parts of a URL and apply filters, it provides users with a versatile solution for identifying potential vulnerabilities and sensitive information. By using the examples and understanding the different command arguments, users can effectively utilize ‘ffuf’ in their penetration testing or security assessment workflows.
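
On the server side, the wordlist-driven directory discovery from use cases 1 and 3 shows up in access logs as one client requesting many distinct paths in a short time, most of them answered with 404. The following Python check is an added example, not part of the original article or of ffuf; it assumes common/combined log format, and the thresholds and the sample log (documentation IP ranges) are constructed values to be tuned for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_enumeration(lines, min_paths=20, min_miss_ratio=0.8):
    """Return {(ip, minute): stats} for clients that request many distinct
    paths within one minute and receive mostly 404 responses."""
    buckets = defaultdict(lambda: {"paths": set(), "total": 0, "misses": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        b = buckets[(m["ip"], ts.strftime("%Y-%m-%d %H:%M"))]
        b["total"] += 1
        b["paths"].add(m["path"].split("?", 1)[0])  # ignore the query string
        b["misses"] += m["status"] == "404"
    hits = {}
    for key, b in buckets.items():
        ratio = b["misses"] / b["total"]
        if len(b["paths"]) >= min_paths and ratio >= min_miss_ratio:
            hits[key] = {"requests": b["total"],
                         "distinct_paths": len(b["paths"]),
                         "miss_ratio": round(ratio, 2)}
    return hits

def sample_log():
    """Constructed access log: one enumerating client, one ordinary client."""
    ts = "01/Aug/2021:12:34:%02d +0000"
    fmt = '%s - - [%s] "GET %s HTTP/1.1" %d 512 "-" "-"'
    lines = [fmt % ("203.0.113.7", ts % i, "/word%d" % i, 200 if i < 2 else 404)
             for i in range(30)]
    lines += [fmt % ("198.51.100.20", ts % i, "/index.html", 200)
              for i in range(5)]
    return lines

if __name__ == "__main__":
    for key, stats in find_enumeration(sample_log()).items():
        print(key, stats)
```

Parameter fuzzing as in use case 4 hits a single path and is not covered by this check, because the query string is ignored when counting distinct paths.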
