# Gobuster / Feroxbuster / FFUF / Wfuzz

## Asset Discovery

### What is an Asset?

A website is the public interface of a backend webserver. The webserver hosts many directories with files in them; these directories and files are called **assets**. If an asset is accessible to the public, a user can reach it through a browser, cURL, etc. As a pentester we are interested in these assets **but we don't know their names**, since most likely we are doing black-box pentesting. The process of discovering assets is called **asset discovery**.

### Asset Discovery

The idea of asset discovery is the same as a password dictionary attack: we prepare a dictionary (usually `/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`) and try each possible name. A status code 200 indicates that the asset exists on the webserver and we have enough permission to visit it; other codes such as 301 or 403 also reveal that a path exists, even if we cannot view it directly.

### Method 1: Gobuster

The `dir` mode in Gobuster handles asset discovery:

```bash
# -x sets the file extensions to append to each word (-e is "expanded mode", which only prints full URLs)
gobuster dir -u http://<remote_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt | tee dir.txt
```

### Method 2: Feroxbuster

```bash
feroxbuster -u http://<target_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
```

### Method 3: FFUF

{% embed url="https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html" %}
Everything you need to know about FFUF
{% endembed %}

**FFUF (Fuzz Faster U Fool)** is a fast web fuzzer written in Go.

#### Installation

Install FFUF:

```bash
# on current Go toolchains "go get" no longer installs binaries; "go install" with a version does
go install github.com/ffuf/ffuf/v2@latest
```

Upgrade FFUF:

```bash
# the same command re-run fetches and installs the newest tagged release
go install github.com/ffuf/ffuf/v2@latest
```

Install SecLists:

```bash
sudo apt -y install seclists
```

#### Usage

{% hint style="info" %}
`-u`: URL

`FUZZ`: placeholder in the URL that is replaced by each wordlist entry

`-w`: wordlist

`-fc`: hide responses with these status codes
{% endhint %}

On Kali:

```bash
ffuf -u http://<remote_ip>:<remote_port>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html -fc 400,401,403
```

On Hack The Box Pwnbox:

```bash
ffuf -u http://<remote_ip>:<remote_port>/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html -fc 400,401,403
```

#### Recursion

{% hint style="info" %}
`-recursion`: fuzz recursively into every directory that is found

`-recursion-depth`: how many levels to dig into
{% endhint %}

```bash
ffuf -u https://<host>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -recursion
```

#### File Extensions

{% hint style="info" %}
`-e`: comma-separated list of extensions appended to each word
{% endhint %}

```bash
ffuf -u https://<host>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -recursion -e .bak,.php,.sh
```

## VHost Discovery

### What is a Virtual Host (VHost)?

{% embed url="https://en.wikipedia.org/wiki/Virtual_hosting" %}
Virtual hosting - Wikipedia
{% endembed %}

**Virtual hosting** is a method for hosting multiple domain names on a single server. In other words, **virtual hosting maps one IP address to multiple domain names (or subdomains)**; the server picks the site to serve from the `Host` header of the request. In CTF-style pentesting there may be hidden websites hosted on **hidden subdomains**. Again, as a pentester, we are interested in these subdomains **but we don't know their names**, since most likely we are doing black-box pentesting. The process of discovering these subdomains is called **VHost discovery**.

### VHost Discovery

If directory fuzzing does not find anything useful, it is time to do **VHost fuzzing**, which discovers virtual hosts hosted on the same server.

For example, suppose our target's domain name is `hacker.htb` and port 80 is open. If we don't find anything through directory fuzzing, we should prepare a dictionary ([SecLists](https://github.com/danielmiessler/SecLists)) and search ([Gobuster](https://github.com/OJ/gobuster) or [Wfuzz](https://github.com/xmendez/wfuzz)) for potential subdomains:

* `a.hacker.htb`
* `b.hacker.htb`
* `c.hacker.htb`
* ...

until we find a hidden subdomain that hosts a website.

### Method 1: Gobuster

The `vhost` mode in Gobuster handles VHost discovery:

```shell
gobuster vhost -u http://<remote_ip> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt | tee vhost.txt
```

### Method 2: Wfuzz

Try brute-forcing subdomain names by placing each wordlist entry in the `Host` header (`-f` writes the results to a file):

```bash
wfuzz -c -f sub-fighter -u '<url>' -H 'Host:FUZZ.<domain>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
```

Here we will get tons of false positives, because the server answers every unknown `Host` value with its default site, so every candidate returns the same page. To get rid of non-existent subdomain names, note the word count of that default response and use the `--hw` flag to hide responses with that word count; what remains is different from the default page and therefore worth a closer look:

```bash
wfuzz -c -f sub-fighter -u '<url>' -H 'Host:FUZZ.<domain>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw <word_count_of_default_page>
```
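As an added example (not code from the original page or from any of the tools above), the script below shows the defender's side of both techniques on this page: how directory fuzzing and VHost fuzzing look in a webserver access log. The log lines are constructed, and the format is an assumed custom Apache LogFormat that records the requested `Host` header; the thresholds are sized for the sample.

```python
import re
from collections import defaultdict

# Constructed sample lines (not a real log). Format assumed here is a custom Apache
# LogFormat "%h %t \"%r\" %>s %b \"%{Host}i\"", which records the requested Host header.
SAMPLE_LOG = """\
10.10.14.5 [12/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "hacker.htb"
10.10.14.9 [12/Mar/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 196 "hacker.htb"
10.10.14.9 [12/Mar/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 196 "hacker.htb"
10.10.14.9 [12/Mar/2024:10:00:03 +0000] "GET /test.php HTTP/1.1" 404 196 "hacker.htb"
10.10.14.9 [12/Mar/2024:10:00:03 +0000] "GET /old HTTP/1.1" 404 196 "hacker.htb"
10.10.14.9 [12/Mar/2024:10:00:03 +0000] "GET /dev HTTP/1.1" 404 196 "hacker.htb"
10.10.14.7 [12/Mar/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 2048 "a.hacker.htb"
10.10.14.7 [12/Mar/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 2048 "b.hacker.htb"
10.10.14.7 [12/Mar/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 2048 "c.hacker.htb"
10.10.14.7 [12/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 1337 "1337.hacker.htb"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) (?P<size>\S+) "(?P<host>[^"]*)"$')

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def detect_fuzzing(log_text, known_vhosts, min_404=5, min_unknown_hosts=3):
    """Return {client_ip: reason} for clients that look like wordlist fuzzers: many
    distinct 404 paths (dir fuzzing, most guesses miss) or many distinct Host headers
    that no configured vhost serves (vhost fuzzing). Thresholds are sized for the sample."""
    not_found, unknown_hosts = defaultdict(set), defaultdict(set)
    for rec in parse(log_text):
        if rec["status"] == "404":
            not_found[rec["ip"]].add(rec["path"])
        if rec["host"] not in known_vhosts:
            unknown_hosts[rec["ip"]].add(rec["host"])
    findings = {}
    for ip, paths in not_found.items():
        if len(paths) >= min_404:
            findings[ip] = f"dir fuzzing: {len(paths)} distinct 404 paths"
    for ip, hosts in unknown_hosts.items():
        if len(hosts) >= min_unknown_hosts:
            findings[ip] = f"vhost fuzzing: {len(hosts)} unknown Host headers"
    return findings

if __name__ == "__main__":
    for ip, why in detect_fuzzing(SAMPLE_LOG, {"hacker.htb", "1337.hacker.htb"}).items():
        print(ip, why)
```

On a real server, feed it the access log and the list of vhosts actually configured; the same signal (a burst of 404s, or many unknown `Host` values from one client) is what a WAF or fail2ban rule keys on.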

### Adding the Subdomain to /etc/hosts

Suppose we found a valid subdomain `1337`; add it to `/etc/hosts` so the name resolves to the target:

```
10.10.13.37 hacker.htb 1337.hacker.htb
```
