🕸️Ffuf

ffuf es una herramienta de fuzzing de código abierto que se utiliza para descubrir vulnerabilidades en aplicaciones web al enviar solicitudes HTTP manipuladas

Nota: Este tipo de búsquedas son muy invasivas, ya que hacen muchas peticiones al servidor del objetivo, por lo que no podemos utilizar estas técnicas sin un consentimiento o aprobación por parte del objetivo

ffuf utiliza una lista de palabras clave o diccionario para generar solicitudes HTTP manipuladas y ver cómo responde la aplicación.

Donde indiquemos el parámetro FUZZ probará todas las palabras del diccionario

Fuzzing con ffuf

Fuzzing de directorios

ffuf -w /usr/share/wordlists/rockyou.txt -u http://example.com/FUZZ

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u https://inlanefreight.com/FUZZ -mc 200,301,302

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://inlanefreight.com/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,301,302
________________________________________________

wp-content              [Status: 301, Size: 329, Words: 20, Lines: 10, Duration: 36ms]
wp-includes             [Status: 301, Size: 330, Words: 20, Lines: 10, Duration: 36ms]
wp-admin                [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 50ms]

Fuzzing buscando archivos específicos

ffuf -w /usr/share/wordlists/rockyou.txt -u http://example.com/FUZZ -e .jpg,.pdf

El parámetro -e sirve para filtrar por tipo de archivo

Fuzzing de subdominios

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.kali.org/   

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://FUZZ.kali.org/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

old                     [Status: 200, Size: 2920, Words: 113, Lines: 18, Duration: 105ms]
www                     [Status: 200, Size: 45355, Words: 2637, Lines: 72, Duration: 511ms]
images                  [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 526ms]
download                [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 520ms]
forums                  [Status: 200, Size: 10277, Words: 1179, Lines: 170, Duration: 503ms]
docs                    [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 519ms]
image                   [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 508ms]
archive                 [Status: 200, Size: 2170, Words: 86, Lines: 13, Duration: 104ms]
tools                   [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 529ms]
git                     [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 496ms]
downloads               [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 503ms]

Niveles de profundidad

ffuf -w rockyou.txt -u http://example.com/FUZZ -recursion -recursion-depth 2

El parámetro -recursion sirve para hacer escaneo profundo dentro de cada directorio encontrado

Respuestas con un código de estado HTTP 200

ffuf -w rockyou.txt -u http://example.com/FUZZ -mc 200

Descubrir Vhosts

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://94.237.48.48:54645/ -H 'Host: FUZZ.example.com' -ms 0

ffuf -u http://example.com -H "Host:FUZZ.example.com" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -fs 612

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://example.com
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.example.com
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 12
________________________________________________

web                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 64ms]
m                       [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 65ms]
mail1                   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 65ms]
gw                      [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 66ms]
dev                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 87ms]
secure                  [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 86ms]
mail2                   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
ww1                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
ww42                    [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 87ms]
owa                     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
server                  [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
webmail                 [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 98ms]

Fuzzing de extensiones

ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt -u http://faculty.academy.htb:40053/indexFUZZ  

Fuzzing de parámetros de URL

Método GET

ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs 774

Método POST

ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs 774

Fuzzing con Cookie Session

ffuf -w rockyou.txt -u http://example.com/FUZZ -H "Cookie: sessionid=123456"

Guardar resultados en HTML

ffuf -w rockyou.txt -u http://example.com/FUZZ -o output.txt -of html

Fuzzing avanzado con ffuf

Utilizar varios diccionarios simultáneamente

ffuf -u http://IP_VICTIM/W1/W2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:W1 -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:W2

Utilizar :W1 y :W2 después de la ruta para establecer los diccionarios

Fuzzing de USER o PASSWORD en Login

• Capturar request de login con burpsuite y guardar archivo request-burp

• Editar archivo con un editor de texto como (gedit o nano) cambiando los parámetros que queramos fuzzear por FUZZ o :W1 y :W2 si usamos varios diccionarios

ffuf -request request-burp -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt

Ffuf Cheatsheet

Comando	Descripción
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287	Fuzzing de parámetros en una URL
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287	Fuzzing con LFI payloads
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287	Fuzzing de webroot path
ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287	Fuzzing de configuraciones de servidor
LFI Wordlists
LFI-Jhaddix.txt
Webroot path wordlist for Linux
Webroot path wordlist for Windows
Server configurations wordlist for Linux
Server configurations wordlist for Windows