Comprehensive Guide on FFUF

In this article, we will learn how to use ffuf, which stands for "Fuzz Faster U Fool", an interesting open-source web fuzzing tool. Since its release, many people have gravitated towards ffuf, particularly in the bug bounty scene. So, let's dive into this learning process.

Table of Contents

- Introduction to ffuf
- Setup
- Input Options:
  - Simple Attack
  - Multiple Wordlists
  - Ignore Wordlist Comment and Silent
  - Extensions
- Match Options:
  - Match HTTP Code
  - Match Lines
  - Match Words
  - Match Size
  - Match Regular Expression
- Filter Options:
  - Filter Code
  - Filter Lines
  - Filter Size
  - Filter Words
  - Filter Regular Expression
- General Options:
  - Custom Auto Calibration
  - Color
  - Maxtime For Task
  - Maxtime For Job
  - Delay
  - Request Rate
  - Error Functions
  - Verbose Mode
  - Threads
- Output Options:
  - Output Format in HTML
  - Output Format in CSV
  - All Output Formats
- HTTP Options:
  - Timeout
  - Host Header
  - Recursion
  - Cluster Bomb with Burp Suite
  - Attack with Cookie
  - Proxy with Burp Suite
- Conclusion

Introduction to ffuf

ffuf is a command-line tool for web fuzzing against web servers. Many people have gravitated towards ffuf since its release, especially in the bug bounty scene. While part of this shift may be attributable to herd mentality, a significant portion of the community has switched because of ffuf's speed, versatility, and ability to integrate easily with external tooling.

It is maintained as a public open-source project, so anyone can contribute to ffuf, provided the maintainer (@joohoi) reviews and merges the contributions back into the main project.

Setup

It is a command-line program that runs in the Linux terminal or the Windows command prompt. Upgrading from source is no more difficult than building from source; the only difference is the addition of the -u flag. To upgrade from the source code, use the following command.

go get -u github.com/ffuf/ffuf

Since we are using Kali Linux, we will find ffuf in the apt repositories, so we can install it with this simple command.

apt install ffuf



After installing the tool, we can list all of its parameters and what they do with the [-h] flag.

ffuf -h



Input Options

These parameters supply the data required for web fuzzing, for example the target URL and the wordlist.

Simple Attack:

For the first attack, we need two simple parameters: [-u] for the target URL and [-w] to load a wordlist. Now, let's type this command to run our first attack with this tool.

ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt

After running this command, let's focus on the results.

- First, we notice that it runs by default with the HTTP GET method, which is used to request data from the specified resource.

- Next it lists the response status codes it will match [200, 204, 301, 302, 307, 401, 403, 405] and then shows the progress of our attack. At the end of the run, we get our results.




Multiple Wordlists:

Sometimes one wordlist is not enough to produce the results we want. In that case we can use multiple wordlists at once to get better results; ffuf can take as many wordlists as we need for an attack, each tagged with its own keyword. Follow the command below and understand the parameter so you can use it in any other scenario.

ffuf -u https://ignitetechnologies.in/W2/W1/ -w dict.txt:W1 -w dns_dict.txt:W2



Ignore Wordlist Comment and Silent:

The default wordlists often contain comment lines that can affect the accuracy of our results. In that case the [-ic] parameter ignores those comments. Sometimes we also want to focus on the attack rather than the tool's banner; for that we use the [-s] parameter, which silences the banner.

ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt

We can clearly see some comments listed in the results of the command above; after adding the [-s] and [-ic] parameters in the next command, the comments and the banner are removed.

ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt -ic -s



Extensions:

We can search for files with a specific extension on the web server with the [-e] parameter; all we need to do is give the extension along with [-e]. Run this command to get these results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -e .php



Match Options

If we want ffuf to show only the responses that matter for our web fuzzing, the match options display only results that match a given criterion, for example HTTP code, lines, words, size or a regular expression.

Match HTTP Code:

To understand this parameter, we first run a simple attack and look at which HTTP codes appear in the results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt

We can clearly see that it shows some 302 HTTP codes along with 200 HTTP codes.



If we only need successful results, such as HTTP code 200, we use the [-mc] parameter with that specific HTTP code. To use this parameter, follow this command.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -mc 200

Match Lines:

Like the match code option discussed earlier, the [-ml] parameter returns only responses with a specific number of lines. We use it by specifying the line count we need. Follow this command for its results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -ml 15



Match Words:

Similarly, the match words option returns only responses with a specific word count. To get this result we use the [-mw] parameter with the word count we want in our results. Follow this command.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -mw 53



Match Size:

Similarly, the match size option returns only responses of a specific size. We use the [-ms] parameter with the size we want in our results. Get these results by running the following command.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -ms 2929



Match Regular Expression:

This is the last of the match functions available in the tool. We are going to fuzz for LFI by matching the string "root:x" in the response for the given dictionary.

We use a URL that takes a file parameter, and with the [-mr] parameter we define the matching string "root:x"; we got an HTTP 200 response for /etc/passwd with the given wordlist.

This is what our special wordlist looks like.



Using this wordlist, follow the command below to use the [-mr] parameter in an attack scenario.

ffuf -u http://testphp.vulnweb.com/showimage.php?file=FUZZ -w dict2.txt -mr "root:x"



Filter Options

The filter options are the exact opposite of the match options: we use them to remove unwanted responses from our web fuzzing results, for example by HTTP code, lines, words, size or regular expression.

Filter Code:

The [-fc] parameter takes the HTTP status code we want to remove from the results. To get this result, follow this command.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fc 302



Filter Lines:

The [-fl] parameter removes responses with a specific number of lines from our results. This is how we use this parameter.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fl 26



Filter Size:

The [-fs] parameter filters out responses of the size we specify in the attack command.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fs 2929



Filter Words:

The [-fw] parameter filters out responses with the word count we want removed from the results. Use this command to get results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fw 83



Filter Regular Expression:

With the [-fr] parameter we can remove responses matching a specific regular expression. Use this command to better understand this function.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fr "log"
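To make the match and filter semantics concrete, here is an added Python example (not code from this article or from ffuf itself) that computes ffuf-style Size/Words/Lines figures for a few constructed responses and applies -mc, -fc, -ml and -fr the way the commands above do. The tokenising is an approximation of ffuf's counting, so real numbers may differ slightly.

```python
import re
from dataclasses import dataclass

# Constructed sample responses for a few fuzzed words: (word, status, body). Not real server output.
SAMPLE = [
    ("admin",  200, "<html>\n<body>\nAdmin panel\nlog in here\n</body>\n</html>\n"),
    ("images", 301, "Moved Permanently\n"),
    ("login",  302, "Redirecting to login page\n"),
    ("xyz123", 404, "<html>\n<body>\nNot Found\n</body>\n</html>\n"),
    ("backup", 403, "Forbidden\n"),
]

# ffuf's default matcher: the status codes listed in its banner.
DEFAULT_MC = {200, 204, 301, 302, 307, 401, 403, 405}

@dataclass
class Result:
    word: str
    status: int   # -mc / -fc
    size: int     # -ms / -fs : body length in bytes
    words: int    # -mw / -fw : space-separated tokens
    lines: int    # -ml / -fl : newline-separated lines
    body: str     # -mr / -fr : regex target

def measure(word, status, body):
    """Approximate ffuf's Size/Words/Lines columns (assumption: ffuf's tokenising may differ slightly)."""
    return Result(word, status, len(body.encode()), len(body.split(" ")), len(body.split("\n")), body)

def select(results, mc=DEFAULT_MC, ms=None, mw=None, ml=None, mr=None,
           fc=(), fs=(), fw=(), fl=(), fr=None):
    """Words ffuf would print: every -m* matcher given must hold and no -f* filter may hit."""
    shown = []
    for r in results:
        matched = (r.status in mc
                   and (ms is None or r.size == ms)
                   and (mw is None or r.words == mw)
                   and (ml is None or r.lines == ml)
                   and (mr is None or re.search(mr, r.body) is not None))
        filtered = (r.status in fc or r.size in fs or r.words in fw or r.lines in fl
                    or (fr is not None and re.search(fr, r.body) is not None))
        if matched and not filtered:
            shown.append(r.word)
    return shown

def demo():
    """Replay the flags used in the commands above against the constructed responses."""
    results = [measure(*row) for row in SAMPLE]
    return {
        "default": select(results),               # 404 is not in the default matcher
        "-mc 200": select(results, mc={200}),
        "-fc 302": select(results, fc={302}),
        "-ml 7":   select(results, ml=7),
        "-fr log": select(results, fr="log"),     # drops any body containing "log"
    }
```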



General Options

These are the general parameters of the tool, which govern how it runs its web fuzzing.

Custom Auto Calibration:

Auto calibration is the ability of a tool or machine to calibrate itself automatically. Calibration is the process of giving a measuring instrument the information it needs to understand the context in which it will be used; calibrating a tool before gathering data ensures the accuracy of the results.

ffuf has this feature, and we can customize it according to our needs with the [-acc] parameter, which is used together with the [-ac] parameter.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -acc -ac -fl 26 -ac -fs 2929 -ac -fw 54
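The following added Python example (not from this article or from ffuf) reconstructs the idea behind -ac/-acc against a constructed target that answers 200 with a fixed page for every unknown path: the baseline responses become -fs/-fw/-fl filters, and the demo shows the caveat that a real page sharing one metric with the baseline (here the line count) is silently dropped, so derived filters are worth reviewing. The probe strings and the tokenising are assumptions, not ffuf's exact internals.

```python
import random
import string

# Constructed stand-in for a target whose custom 404 handler answers 200 with a
# fixed "nothing here" page for every unknown path (the case -ac exists for). Not ffuf code.
KNOWN = {
    "admin": (200, "<html>\n<body>\nAdmin panel\n</body>\n</html>\n"),
    "login": (200, "<html>\n<body>\n<h1>Login</h1>\nPlease log in here\n</body>\n</html>\n"),
}
SOFT_404 = (200, "<html>\n<body>\nSorry, nothing here\n</body>\n</html>\n")

def fake_server(path):
    return KNOWN.get(path, SOFT_404)

def metrics(body):
    """(size, words, lines) in the spirit of ffuf's columns; exact tokenising may differ (assumption)."""
    return len(body.encode()), len(body.split(" ")), len(body.split("\n"))

def calibration_inputs(custom=None, seed=1):
    """-ac probes names that should not exist; -acc adds a custom calibration string."""
    rng = random.Random(seed)
    rand = lambda: "".join(rng.choices(string.ascii_lowercase + string.digits, k=16))
    probes = [rand(), "admin" + rand()]  # assumption: ffuf's real probe set is similar, not identical
    if custom:
        probes.append(custom)
    return probes

def auto_calibrate(server, custom=None):
    """Turn the baseline responses into -fs/-fw/-fl filter sets, which is what -ac does."""
    filters = {"fs": set(), "fw": set(), "fl": set()}
    for probe in calibration_inputs(custom):
        size, words, lines = metrics(server(probe)[1])
        filters["fs"].add(size)
        filters["fw"].add(words)
        filters["fl"].add(lines)
    return filters

def fuzz(server, wordlist, filters):
    """Keep a word only if none of the derived filters hits its response."""
    shown = []
    for word in wordlist:
        size, words, lines = metrics(server(word)[1])
        if size in filters["fs"] or words in filters["fw"] or lines in filters["fl"]:
            continue
        shown.append(word)
    return shown

def demo():
    wordlist = ["admin", "images", "login", "backup"]
    derived = auto_calibrate(fake_server, custom="nonexistent-page")
    return {
        "filters": {k: sorted(v) for k, v in derived.items()},
        "auto": fuzz(fake_server, wordlist, derived),  # "admin" is lost: 6 lines, like the baseline
        "size_only": fuzz(fake_server, wordlist, {"fs": derived["fs"], "fw": set(), "fl": set()}),
    }
```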



Color:

Sometimes color separation draws extra attention to the details in the results. The [-c] parameter enables colorized output. Follow this command to use this parameter.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -c



Maxtime For Task:

Sometimes we have limited time for an attack, or we want to cap its running time. ffuf has a parameter for this, [-maxtime], which sets the maximum running time (in seconds) for the whole process. Follow this command to set a time limit.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -maxtime 5



Maxtime For Job:

With the [-maxtime-job] parameter we can set a time limit (in seconds) for a particular job. The following command uses this feature.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -maxtime-job 2



Delay:

Introducing a delay between the requests of an attack gives each request a better chance of a clean response. The [-p] parameter sets that delay, in seconds, between requests.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -p 1



Request Rate:

We can set a separate request rate for each of our attacks with the [-rate] parameter, which caps the number of requests per second to what the attack requires.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -rate 500



Error Functions:

There are three parameters that deal with errors. The first is [-se], which stops on spurious errors: it checks whether the responses are genuine. The second is [-sf], which stops the attack when more than 95% of our requests result in an error. The third and final parameter is [-sa], which combines both error parameters.

In our scenario we use the [-se] parameter, which stops the attack when the responses are not real.

ffuf -u http://ignitetechnologies.in/W2/W1/ -w dict.txt:W1 -w dns_dict.txt:W2 -se



Verbose Mode:

Verbose mode, as in many operating systems and programming languages, makes a program print extra information about what it is doing, which is useful for debugging. In ffuf the [-v] parameter enables verbose output.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -v



Threads:

The [-t] parameter sets the number of concurrent threads, which speeds up or slows down the process. By default it is set to 40; to speed up the process we increase the number, and vice versa to slow it down.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -t 1000
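Seen from the server side, a run with high -t or -rate is a burst of requests from one client, most of them answered 404. This added detection example (not from the article or from ffuf) parses constructed Apache combined-log lines and flags clients with that shape; the sample User-Agent assumes ffuf's default agent string contains the tool's name.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed requests (ip, time, path, status, user-agent): one browsing client and one
# client running a wordlist. Assumption: ffuf's default User-Agent contains the tool's name.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "13:55:36", "/", 200, "Mozilla/5.0"),
    ("192.0.2.10", "13:55:41", "/login.php", 200, "Mozilla/5.0"),
    ("192.0.2.10", "13:55:52", "/images/logo.png", 200, "Mozilla/5.0"),
] + [("198.51.100.7", "13:56:02", f"/{w}/", 404, "Fuzz Faster U Fool v2.0.0")
     for w in ["backup", "cgi-bin", "config", "db", "dev", "old", "secret", "test", "tmp", "uploads"]
] + [("198.51.100.7", "13:56:02", "/admin/", 200, "Fuzz Faster U Fool v2.0.0")]

def render(ip, t, path, status, ua):
    """Render one Apache combined-log line (constructed, not real traffic)."""
    return f'{ip} - - [10/Oct/2023:{t} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

LOG_LINES = [render(*r) for r in SAMPLE_REQUESTS]

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse(line):
    """Parse a combined-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_fuzzing(lines, window_s=10, min_requests=10, min_miss_ratio=0.8):
    """Flag clients that send many requests in a short window with mostly 404 answers."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            window = [r for r in recs[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_s]
            if len(window) < min_requests:
                continue
            misses = sum(1 for r in window if r["status"] == 404)
            if misses / len(window) >= min_miss_ratio:
                alerts.append({"ip": ip, "requests": len(window), "misses": misses,
                               "tool_ua": "Fuzz Faster U Fool" in window[0]["ua"]})
                break  # one alert per client is enough
    return alerts
```

The User-Agent flag is only a hint, since that header is trivially overridden with -H; the rate and 404-ratio signal is the one worth alerting on.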



Output Options

We save the output of our attacks for record keeping, improved readability and later reference. We use the [-o] parameter to save the output, and we specify its format with the [-of] parameter.

Output Format in HTML:

We use the [-of] parameter with the html format. This command creates our report.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -o file.html -of html



After the attack completes, we check whether the output file is up to the mark. As we can see, our file was created successfully.



Output Format in CSV:

Similarly, we just use the csv format with the [-of] parameter. CSV (comma-separated values) is a file format that stores data in tabular form.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -o file.csv -of csv



After the attack completes, we check whether the output file is up to the mark. As we can see, our file was created successfully.



All Output Formats:

Similarly, if we want all output formats at once, we just use [-of all], which writes json, ejson, html, md, csv and ecsv. Follow this command to generate all reports at once.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -o output/file -of all

After the attack completes, we check whether the output files are up to the mark. As we can see, all of our files were created successfully.



HTTP Options

These options revolve around the HTTP request itself; sometimes web fuzzing needs details such as the HTTP request, cookies or HTTP headers.

Timeout:

A timeout acts as a deadline for an event. The [-timeout] parameter sets the HTTP request timeout (in seconds) with ease; follow this command to use it.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -timeout 5



Host Header:

If we want to fuzz for subdomains via the Host header, we can use the [-H] parameter with a domain-name wordlist, as shown in the command below.

ffuf -u https://google.com -w dns_dict.txt -mc 200 -H "HOST: FUZZ.google.com"



Recursion:

Recursion, as we all know, is the mechanism of repeating objects in a self-similar manner; in programming, a function calling itself is referred to as a recursive call. In ffuf the [-recursion] parameter achieves this in our attacks: every directory found is fuzzed again with the same wordlist.

ffuf -u "http://testphp.vulnweb.com/FUZZ/" -w dict.txt -recursion



Cluster Bomb with Burp Suite:

Burp Suite is an advanced framework for web application security testing. Its various tools work together to support the testing process as a whole. Cluster bomb is an attack type that uses several payload sets: each position gets its own payload set, and the attack iterates through every combination of payloads.

ffuf has several parameters that help in this scenario: [-request] loads our captured request into the attack, [-request-proto] defines the protocol to use with that request, and [-mode] defines the attack mode.

First of all, we submit random credentials on the target login page with the proxy set up to capture the request in Burp Suite's intercept mode.



Now, in Burp Suite's Intercept tab, replace the credentials we provided with HFUZZ and WFUZZ: put HFUZZ as the value of uname and WFUZZ as the value of pass. Then copy and paste this request into a text file and name it as you like; in our case we named it brute.txt.



Now we proceed to the main attack, where the [-request] parameter points to our request text file, [-request-proto] sets the protocol to http, and [-mode] selects the clusterbomb attack. The wordlists we use here (users.txt and pass.txt) consist of SQL injection strings. Follow this command to start the attack with these parameters.

ffuf -request brute.txt -request-proto http -mode clusterbomb -w users.txt:HFUZZ -w pass.txt:WFUZZ -mc 200

As we can see in the attack results, we have successfully found SQL injection strings that work on this particular target.



Attack with Cookie:

Sometimes web fuzzing does not show results on an authenticated site unless we authenticate. The [-b] parameter lets us provide a session cookie to achieve this. Follow this command for more details.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -b "PHPSESSID=7aaaa6d88edcf7cd2ea4e3853ebb8bde"



Proxy with Burp suite:

As you might be aware, the Intruder function in the free version of Burp Suite (Community Edition) is rate-limited: Intruder attacks are heavily throttled, and each one slows down further as it proceeds.

In our case we use the Burp Suite proxy to collect the results there for evaluation. First, we have to set up the localhost proxy on port 8080.



Now we use the [-replay-proxy] parameter, which replays the matched requests of our attack through the localhost proxy on port 8080 that we set up in the previous step. Follow this command to understand this concept.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -replay-proxy http://127.0.0.1:8080 -v -mc 200



This attack shows our results in two places: first on the Kali terminal and second in Burp Suite's HTTP history tab. Through these various techniques we can better understand our target and our attack results.



Conclusion

ffuf is often compared to tools like dirb or dirbuster, which, although accurate to some extent, is not a reasonable analogy. Although ffuf can be used to brute force files, its true strength lies in its simplicity, and a better comparison for ffuf would be something like Burp Suite Intruder or Turbo Intruder.

