Gobuster / Feroxbuster / FUFF / Wfuzz
Asset Discover
What is Asset?
A website is a public interface of the backend webserver. The webserver hosts many directories with files in them, and these directories and files are called assets. If any asset gives permission to the public, then an user could access this asset through browser, cURL, etc. As a pentester, we are interested in these assets but we don't know their names since most likely we are doing black-box pentesting. The process of discovering assets is called asset discovery.
Asset Discovery
The idea of asset discovery is the same as password dictionary attack: we prepare a dictionary (usually /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt) and go through each possible name. A status code 200 indicates that the asset exists on the webserver and we have enough permission to visit it.
Method 1: Gobuster
The dir mode in Gobuster handles asset discovery:
gobuster dir -u http://<remote_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php,txt | tee dir.txtMethod 2: Feroxbuster
feroxbuster -u http://<target_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txtMethod 3: FFUF
FFUF (Fuzz Faster U Fool) is a fast web fuzzer written in Go.
Installation
Install FUFF:
go get github.com/ffuf/ffufUpgrade FUFF:
go get -u github.com/ffuf/ffufInstall SecLists:
sudo apt -y install seclistsUsage
On Kali:
ffuf -u http://<remote_ip>:<remote_port>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html -fc 400,401,403On Hack The Box Pwnbox:
ffuf -u http://<remote_ip>:<remote_port>/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html -fc 400,401,403Recursion
ffuf -u https://<host>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -recursionFile Extensions
ffuf -u https://<host>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -recursion -e .bak,.php,.shVHost Discovery
What is Virtual Host (VHost)?
Virtual hosting is a method for hosting multiple domain names on a single server. In other word, virtual hosting maps one IP address to multiple domain names (or subdomains). In CTF-style pentesting, there may exist hidden websites hosting on hidden subdomains. Again, as a pentester, we are interested in these subdomains but we don't know their names since most likely we are doing black-box pentesting.The process of discovering this subdomain is called VHost discovery.
VHost Discovery
If directory fuzzing does not find anything useful, it is time for doing VHost fuzzing, which discovers virtual hosts hosting on the same server.
For example, our target has domain name is hacker.htb and port 80 is open. If we don't find anything through directory fuzzing, we should prepare a dictionary (SecLists) and search (Gobuster or Wfuzz) for potential subdomains:
a.hacker.htbb.hacker.htbc.hacker.htb...
until we find a hidden subdomain that hosts a website.
Method 1: Gobuster
The vhost mode in Gobuster handles VHost discovery:
gobuster vhost -u http://<remote_ip> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt | tee vhost.txtMethod 2: Wfuzz
Try brute-forcing subdomain names:
wfuzz -c -f sub-fighter -u '<url>' -H 'Host:FUZZ.<domain>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txtHere we will get tons of false positives. In order to get rid of non-existent subdomain names, use the -hw flag to filter out them:
wfuzz -c -f sub-fighter -u '<url>' -H 'Host:FUZZ.<domain>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw <word_to_hide>Adding the Subdomain to /etc/hosts
Suppose we found a valid subdomain name 1337, add it to /etc/hosts :
10.10.13.37 hacker.htb 1337.hacker.htbLast updated
Was this helpful?