search

Gobuster / Feroxbuster / FUFF / Wfuzz

hashtag
Asset Discover

hashtag
What is Asset?

A website is a public interface of the backend webserver. The webserver hosts many directories with files in them, and these directories and files are called assets. If any asset gives permission to the public, then an user could access this asset through browser, cURL, etc. As a pentester, we are interested in these assets but we don't know their names since most likely we are doing black-box pentesting. The process of discovering assets is called asset discovery.

hashtag
Asset Discovery

The idea of asset discovery is the same as password dictionary attack: we prepare a dictionary (usually /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt) and go through each possible name. A status code 200 indicates that the asset exists on the webserver and we have enough permission to visit it.

hashtag
Method 1: Gobuster

The dir mode in Gobuster handles asset discovery:

gobuster dir -u http://<remote_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php,txt | tee dir.txt

hashtag
Method 2: Feroxbuster

feroxbuster -u http://<target_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt

hashtag
Method 3: FFUF

https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.htmlcodingo.iochevron-right
Everything you need to know about FFUF

FFUF (Fuzz Faster U Fool) is a fast web fuzzer written in Go.

hashtag
Installation

Install FUFF:

Upgrade FUFF:

Install SecLists:

hashtag
Usage

circle-info

-u: URL

FUZZ: placeholder

-w: wordlist

On Kali:

On Hack The Box Pwnbox:

hashtag
Recursion

circle-info

-recursion: fuzz recursively

recursion-depth: how many levels to dig into

hashtag
File Extensions

circle-info

-e: extension

hashtag
VHost Discovery

hashtag
What is Virtual Host (VHost)?

LogoVirtual hostingWikipediachevron-right
Virtual hosting - Wikipedia

Virtual hosting is a method for hosting multiple domain names on a single server. In other word, virtual hosting maps one IP address to multiple domain names (or subdomains). In CTF-style pentesting, there may exist hidden websites hosting on hidden subdomains. Again, as a pentester, we are interested in these subdomains but we don't know their names since most likely we are doing black-box pentesting.The process of discovering this subdomain is called VHost discovery.

hashtag
VHost Discovery

If directory fuzzing does not find anything useful, it is time for doing VHost fuzzing, which discovers virtual hosts hosting on the same server.

For example, our target has domain name is hacker.htb and port 80 is open. If we don't find anything through directory fuzzing, we should prepare a dictionary (SecListsarrow-up-right) and search (Gobuster arrow-up-rightor Wfuzzarrow-up-right) for potential subdomains:

  • a.hacker.htb

  • b.hacker.htb

  • c.hacker.htb

  • ...

until we find a hidden subdomain that hosts a website.

hashtag
Method 1: Gobuster

The vhost mode in Gobuster handles VHost discovery:

hashtag
Method 2: Wfuzz

Try brute-forcing subdomain names:

Here we will get tons of false positives. In order to get rid of non-existent subdomain names, use the -hw flag to filter out them:

hashtag
Adding the Subdomain to /etc/hosts

Suppose we found a valid subdomain name 1337, add it to /etc/hosts :

PreviousNmapNextDrupal

Last updated