Gobuster / Feroxbuster / FFUF / Wfuzz

Asset Discovery

What is an Asset?

A website is the public interface of a backend webserver. The webserver hosts many directories with files in them, and these directories and files are called assets. If an asset is readable by the public, a user can access it through a browser, cURL, etc. As pentesters we are interested in these assets, but we usually don't know their names since we are most likely doing black-box pentesting. The process of discovering assets is called asset discovery.

Asset Discovery

The idea of asset discovery is the same as a password dictionary attack: we prepare a dictionary (usually /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt) and request each possible name in turn. A status code 200 indicates that the asset exists on the webserver and we have enough permission to visit it.

Method 1: Gobuster

The dir mode in Gobuster handles asset discovery:

gobuster dir -u http://<remote_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt | tee dir.txt

Method 2: Feroxbuster

feroxbuster -u http://<target_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt

Method 3: FFUF

FFUF (Fuzz Faster U Fool) is a fast web fuzzer written in Go.

Installation

Install FFUF:

go get github.com/ffuf/ffuf

Upgrade FFUF:

go get -u github.com/ffuf/ffuf

Install SecLists:

sudo apt -y install seclists

Usage

-u: target URL

FUZZ: placeholder that each wordlist entry is substituted into

-w: wordlist

On Kali:

ffuf -u http://<remote_ip>:<remote_port>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html -fc 400,401,403

On Hack The Box Pwnbox:

ffuf -u http://<remote_ip>:<remote_port>/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html -fc 400,401,403

Recursion

-recursion: fuzz recursively

-recursion-depth: how many levels to dig into

ffuf -u https://<host>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -recursion

File Extensions

-e: extension

ffuf -u https://<host>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -recursion -e .bak,.php,.sh

VHost Discovery

What is Virtual Host (VHost)?

Virtual hosting is a method for hosting multiple domain names on a single server. In other words, virtual hosting maps one IP address to multiple domain names (or subdomains). In CTF-style pentesting, there may be hidden websites hosted on hidden subdomains. Again, as pentesters we are interested in these subdomains, but we don't know their names since we are most likely doing black-box pentesting. The process of discovering these subdomains is called VHost discovery.

VHost Discovery

If directory fuzzing does not find anything useful, it is time for VHost fuzzing, which discovers virtual hosts hosted on the same server.

For example, suppose our target's domain name is hacker.htb and port 80 is open. If we don't find anything through directory fuzzing, we should prepare a dictionary (SecLists) and search (Gobuster or Wfuzz) for potential subdomains:

  • a.hacker.htb

  • b.hacker.htb

  • c.hacker.htb

  • ...

until we find a hidden subdomain that hosts a website.

Method 1: Gobuster

The vhost mode in Gobuster handles VHost discovery:

gobuster vhost -u http://<domain> --append-domain -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt | tee vhost.txt

Method 2: Wfuzz

Try brute-forcing subdomain names:

wfuzz -c -f sub-fighter -u '<url>' -H 'Host: FUZZ.<domain>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

Here we will get tons of false positives: every non-existent subdomain returns the same default page. To get rid of them, note the word count of that default response and use the --hw flag to hide every response with that count:

wfuzz -c -f sub-fighter -u '<url>' -H 'Host: FUZZ.<domain>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw <word_count>
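As an added defender-side example (not part of these notes or of any of the tools above), the following Python script spots both techniques described on this page in webserver logs: directory fuzzing shows up as a client whose requests are mostly answered with 404, and VHost fuzzing as a client that sends many distinct Host headers. It assumes nginx's combined log format with the requested Host header ($http_host) appended as one more quoted field; the log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed format: nginx "combined" with the requested Host header
# ($http_host) appended as one more quoted field, for example:
# 10.0.0.5 - - [10/Oct/2023:13:55:00 +0000] "GET /admin HTTP/1.1" 404 162 "-" "gobuster/3.6" "hacker.htb"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_fuzzers(lines, min_requests=20, not_found_ratio=0.8, min_hosts=10):
    """Map client IP -> list of reasons for clients whose traffic looks like
    directory fuzzing (mostly 404s) or VHost fuzzing (many distinct Host values)."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "hosts": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines in another format instead of crashing
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        if rec["status"] == "404":
            stats["not_found"] += 1
        stats["hosts"].add(rec["host"])
    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["total"] >= min_requests and s["not_found"] / s["total"] >= not_found_ratio:
            reasons.append("directory brute force")
        if len(s["hosts"]) >= min_hosts:
            reasons.append("vhost fuzzing")
        if reasons:
            findings[ip] = reasons
    return findings

def sample_log():
    """Constructed sample: one directory scanner, one Host-header fuzzer, one normal user."""
    lines = [f'10.0.0.5 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /dir{i} HTTP/1.1" '
             '404 162 "-" "gobuster/3.6" "hacker.htb"' for i in range(30)]
    lines += [f'10.0.0.6 - - [10/Oct/2023:13:56:{i:02d} +0000] "GET / HTTP/1.1" '
              f'200 512 "-" "Wfuzz/3.1" "sub{i}.hacker.htb"' for i in range(12)]
    lines.append('10.0.0.7 - - [10/Oct/2023:13:57:00 +0000] "GET /index.php HTTP/1.1" '
                 '200 1024 "-" "Mozilla/5.0" "hacker.htb"')
    return lines
```

Running `find_fuzzers(sample_log())` flags 10.0.0.5 for directory brute force and 10.0.0.6 for vhost fuzzing, while the single normal request from 10.0.0.7 stays below both thresholds.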

Adding the Subdomain to /etc/hosts

Suppose we found a valid subdomain named 1337; add it to /etc/hosts:

10.10.13.37 hacker.htb 1337.hacker.htb
