killchain-compendium/enumeration/docs/ffuf.md

# Fuzz Faster U Fool

## Usage
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
```
* Fuzz dirs
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
```
* Fuzz files
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
```

### Fuzz parameters
```sh
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39
```
* Fuzz values
```sh
seq 0 255 | fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33
```
* Fuzz Post Methods
```sh
ffuf -u http://<IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
```
### Fuzz Users and use Bruteforce
* Fuzz users and write file
```sh
ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/signup -mr "username already exists" -o fuff.out
```
* Use users saved in `fuff.out` to bruteforce
```sh
ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/login -fc 200
```
### Fuzz Subdomains
```sh
ffuf -u http://FUZZ.test.com -c -w  /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```
or if the subdomains are listed in the target's host file
```sh
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.test.com" -u http://<target-IP> -fs 0
```
* Fuzz Vhosts & Server Blocks
```sh
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0
ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0
```

### Proxy
* `-replay-proxy <IP>` or `-x <ProxyIP>`
fuff et al 2021-08-27 00:26:26 +02:00			`# Fuzz Faster U Fool`

			`## Usage`
			```sh
			`ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt`
			```
			`* Fuzz dirs`
			```sh
			`ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt`
			```
			`* Fuzz files`
			```sh
			`ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt`
			```

			`### Fuzz parameters`
			```sh
			`ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39`
			`ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39`
			```
			`* Fuzz values`
			```sh
			`seq 0 255 \| fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33`
			```
			`* Fuzz Post Methods`
			```sh
			`ffuf -u http://<IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'`
			```
bump 2021-10-13 01:17:44 +02:00			`### Fuzz Users and use Bruteforce`
			`* Fuzz users and write file`
			```sh
			`ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/signup -mr "username already exists" -o fuff.out`
			```
			* Use users saved in `fuff.out` to bruteforce
			```sh
			`ffuf -w userlist.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<targetURL>/customers/login -fc 200`
			```
fuff et al 2021-08-27 00:26:26 +02:00			`### Fuzz Subdomains`
			```sh
			`ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt`
			```
bump 2021-09-08 02:09:14 +02:00			`or if the subdomains are listed in the target's host file`
			```sh
			`ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.test.com" -u http://<target-IP> -fs 0`
			```
fuff et al 2021-08-27 00:26:26 +02:00			`* Fuzz Vhosts & Server Blocks`
			```sh
			`ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0`
			`ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0`
			```

			`### Proxy`
			* `-replay-proxy <IP>` or `-x <ProxyIP>`