Gobuster / Feroxbuster / FFUF / Wfuzz
Asset Discovery
What is an Asset?
A website is the public interface of a backend web server. The web server hosts directories and the files inside them; these directories and files are called assets. If an asset is readable by the public, anyone can fetch it with a browser, cURL, etc. As pentesters we are interested in these assets, but in a black-box engagement we do not know their names. The process of finding them is called asset discovery (also directory or content discovery).
Asset Discovery
The idea of asset discovery is the same as a password dictionary attack: we take a wordlist (usually /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt) and request each candidate name. A 200 response means the asset exists and we are allowed to read it. Other codes are informative too: 301/302 usually marks a directory (the server redirects /name to /name/), 401/403 means the asset exists but we lack permission (still worth noting), and 404 means nothing is there. Some servers answer 200 for every path, so compare response sizes as well as status codes before trusting a hit.
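The following is an added example, not code from the original page or from any of the tools it lists: a minimal directory brute-forcer in POSIX shell that makes the wordlist-times-extensions expansion and the status-code interpretation explicit. The base URL, wordlist path and extension list on the usage line are assumptions; the wordlist format (one candidate per line, comment lines starting with #) matches the dirbuster lists.

```shell
#!/bin/sh
# Added example (not from the original page): a minimal directory brute-forcer
# that mirrors what gobuster/ffuf do, so the status-code logic is visible.
# Assumptions: the target is an HTTP(S) base URL such as http://10.10.13.37,
# the wordlist has one candidate per line, extensions are comma-separated.

# Expand a wordlist into candidates: each word bare and with every extension.
# Empty lines and lines starting with '#' are skipped (directory-list-*.txt
# begins with comment lines).
gen_candidates() (
    wordlist=$1
    exts=$2
    while IFS= read -r word; do
        case $word in ''|\#*) continue ;; esac
        printf '%s\n' "$word"
        IFS=','
        for ext in $exts; do
            printf '%s.%s\n' "$word" "$ext"
        done
    done < "$wordlist"
)

# Map an HTTP status code to what it tells us about the asset.
classify_status() {
    case $1 in
        200)             echo hit ;;              # exists and readable
        301|302|307|308) echo redirect ;;         # usually a directory (/name -> /name/)
        401|403)         echo exists-forbidden ;; # exists, but we lack permission
        404)             echo missing ;;
        5*)              echo server-error ;;     # the path reached real code; look closer
        *)               echo other ;;
    esac
}

# Request every candidate and print everything that is not a plain 404.
# Usage (hypothetical target):
#   bust_dir http://10.10.13.37 /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt php,txt
bust_dir() (
    base=$1
    wordlist=$2
    exts=$3
    gen_candidates "$wordlist" "$exts" | while IFS= read -r path; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base/$path")
        verdict=$(classify_status "$code")
        # A server that returns 200 for everything will flood this output;
        # in that case record the size of a known-bogus path and skip matches.
        [ "$verdict" = missing ] || printf '%s %-16s %s/%s\n' "$code" "$verdict" "$base" "$path"
    done
)
```

gen_candidates and classify_status are the parts worth understanding; bust_dir is the same loop the real tools run, only without concurrency, rate limiting or automatic size calibration, which is why you use gobuster, feroxbuster or ffuf in practice.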
Method 1: Gobuster
The dir mode in Gobuster handles asset discovery. Extensions are added with -x (the -e flag is "expanded mode", which only prints full URLs and takes no extension list):
gobuster dir -u http://<remote_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt | tee dir.txt
Method 2: Feroxbuster
feroxbuster -u http://<target_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
Method 3: FFUF
FFUF (Fuzz Faster U Fool) is a fast web fuzzer written in Go.
Installation
Install FFUF (current Go releases no longer install binaries with go get; on Kali, sudo apt install ffuf also works):
go install github.com/ffuf/ffuf/v2@latest
Upgrade FFUF by re-running the same command, which fetches the latest tagged release.
Install SecLists:
sudo apt -y install seclists
Usage
On Kali:
ffuf -u http://<remote_ip>:<remote_port>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html -fc 400,401,403
On Hack The Box Pwnbox:
ffuf -u http://<remote_ip>:<remote_port>/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html -fc 400,401,403
The -fc filter hides noisy status codes. If the server answers 200 for every path, filter on the size of that default response instead with -fs <bytes>, or let ffuf measure it with -ac (auto-calibration).
Recursion
ffuf -u https://<host>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -recursion
File Extensions
ffuf -u https://<host>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -recursion -e .bak,.php,.sh
VHost Discovery
What is a Virtual Host (VHost)?
Virtual hosting is a method for serving multiple domain names from a single server. In other words, one IP address maps to several domain names (or subdomains), and the server chooses which site to serve from the Host header of each HTTP request. In CTF-style pentesting there may be hidden websites served under subdomains that have no public DNS record. Again, as pentesters we are interested in these subdomains, but in a black-box test we do not know their names. The process of discovering them is called VHost discovery.
VHost Discovery
If directory fuzzing does not find anything useful, it is time for VHost fuzzing, which discovers other virtual hosts served by the same server. Because the server selects the site by Host header, no DNS lookups are needed: every request goes to the same IP and only the Host header changes.
For example, our target has the domain name hacker.htb and port 80 is open. If we don't find anything through directory fuzzing, we take a subdomain wordlist (SecLists) and try each candidate (with Gobuster or Wfuzz) as the Host header:
a.hacker.htb
b.hacker.htb
c.hacker.htb
...
until we find a hidden subdomain that hosts a website.
Method 1: Gobuster
The vhost mode in Gobuster handles VHost discovery. Point -u at the domain rather than the IP (hacker.htb must resolve to the target, e.g. via /etc/hosts), because Gobuster builds each Host header from the URL's hostname; recent Gobuster versions need --append-domain to append that base domain to every word:
gobuster vhost -u http://hacker.htb --append-domain -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt | tee vhost.txt
Method 2: Wfuzz
Try brute-forcing subdomain names (-c colours the output, -f sub-fighter also writes the results to a file named sub-fighter):
wfuzz -c -f sub-fighter -u '<url>' -H 'Host:FUZZ.<domain>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
Here we will get tons of false positives, because the server's default virtual host answers every unknown Host header with the same page. Note the word count of that default response in the first run and hide it with the --hw flag:
wfuzz -c -f sub-fighter -u '<url>' -H 'Host:FUZZ.<domain>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw <word_to_hide>
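The following is an added example, not code from the original page or from Gobuster or Wfuzz: it performs the Host-header loop described above with plain curl and applies the same baseline filtering that --hw does, so it is clear where the false positives come from. The base URL, domain and wordlist on the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): VHost discovery with plain curl.
# Every request goes to the same IP; only the Host header changes. A hit is a
# response whose status or size differs from the server's default virtual host.
# Assumptions: base URL like http://10.10.13.37, base domain like hacker.htb,
# wordlist of subdomain labels (one per line), e.g. SecLists subdomains-top1million-20000.txt.

# Host header value for one candidate label.
vhost_header() {
    printf 'Host: %s.%s' "$1" "$2"
}

# Probe one label; prints "<status> <bytes>".
probe() (
    label=$1; domain=$2; base=$3
    curl -s -o /dev/null -w '%{http_code} %{size_download}' \
        -H "$(vhost_header "$label" "$domain")" "$base"
)

# True when the response differs from the baseline in status or length.
# This is the same idea as wfuzz --hw or ffuf -fs: drop what the default vhost returns.
differs_from_baseline() {
    [ "$1" != "$3" ] || [ "$2" != "$4" ]
}

# Usage (hypothetical target):
#   vhost_fuzz http://10.10.13.37 hacker.htb /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
vhost_fuzz() (
    base=$1; domain=$2; wordlist=$3
    # Baseline: a label that cannot exist, so the default vhost answers it.
    baseline=$(probe "doesnotexist-$$" "$domain" "$base")
    bstatus=${baseline%% *}; blen=${baseline##* }
    echo "baseline (default vhost): status=$bstatus bytes=$blen"
    while IFS= read -r label; do
        [ -n "$label" ] || continue
        resp=$(probe "$label" "$domain" "$base")
        status=${resp%% *}; len=${resp##* }
        if differs_from_baseline "$bstatus" "$blen" "$status" "$len"; then
            printf 'HIT %s.%s status=%s bytes=%s\n' "$label" "$domain" "$status" "$len"
        fi
    done < "$wordlist"
)
```

For an HTTPS target a Host header alone is not enough, because the TLS server name (SNI) also selects the certificate and sometimes the site; in that case request https://label.domain and pin it to the IP with curl's --resolve label.domain:443:<ip> so both SNI and Host carry the candidate name. Pages whose size varies per request (timestamps, CSRF tokens) will also show up as hits; compare word or line counts, as --hw does, instead of raw bytes when that happens.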
Adding the Subdomain to /etc/hosts
Suppose we found a valid subdomain name 1337. Add it to /etc/hosts so the browser and our tools resolve it to the target instead of querying DNS:
10.10.13.37 hacker.htb 1337.hacker.htb