Ffuf (Fuzz Faster U Fool) is a great tool for fuzzing. It has become really popular lately with bug bounty hunters and penetration testers. It is written in Go, so you can fuzz a large wordlist within a minute.
Option name: -w
Use a wordlist with ffuf for more effective fuzzing. I use SecLists-master, for example; you can choose your own. I have my own wordlist for directory brute forcing, which you can find at https://github.com/tamimhasan404/wordlist.git
./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ
/root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt is just the path where the wordlist is located.
A common problem for beginners is that they don't know how to run ffuf against all of their collected subdomains, since ffuf has no built-in option for a list of domains like dirsearch has. So here is something I personally use:
for url in $(cat targets.txt); do ffuf -ac -fc 404,403 -w wordlist.txt -u "$url/FUZZ" >> results.txt; done && sort -u results.txt | grep -E '^https?://' > results-unique.txt
- You can also check this tweet from https://twitter.com/0xJin:
cat live.txt | xargs -I@ sh -c 'ffuf -w wordlists.txt -u @/FUZZ -mc 200'
Option name: -fc
If you don't want to see specific status codes, you can filter them out.
./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -fc 401,403,404
-fc takes a comma-separated list of codes and ranges.
Option name: -recursion
With this option, ffuf tries to find all possible directories based on your wordlist. Let me explain: if ffuf finds the /index.php directory, it fuzzes it again as /index.php/wordlist. Suppose it then finds /index.php/configtest.php; it fuzzes that again as /index.php/configtest.php/wordlist.
./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -recursion
Option name: -recursion-depth
By default the recursion depth is 0. With this option you set how many levels of directories ffuf should go down for you, like 2, 3 or 4.
./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -recursion-depth 2
Here you can see I set -recursion-depth 2. Now ffuf goes two directory levels deep based on my wordlist, if those directories exist on the target website, and then stops.
Option name: -e
./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -e .html,.php,.txt,.pdf
Sometimes this gives you valuable information, which may be a goldmine in your penetration testing or bug hunting. For this, you have to choose extensions based on your target.
Option name: -s
If you just want the results printed and don't want to see the fuzzing progress on your terminal, use the silent option.
./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -s
Option name: -of (choose one of json, ejson, html, md, csv)
I generally use | tee for saving the output. But if you want the output in a GUI (graphical user interface) for better understanding, or because a client asks for it, then your command is:
./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -of html -o ffuf-result
./ffuf -w /root/Desktop/wordlist.txt -u http://FUZZ.ab.com -of html -o result
Remember to use the http:// scheme after -u, because many subdomains do not run over https.
Option name: -ac
This is a very useful option. While directory brute forcing we often see a lot of responses with the same length and status code, like 403 or 401, which means the output isn't very useful, because the server treats every word in our wordlist the same way and answers with the same length. This is a problem when you have a big wordlist and the same-length 403 repeats 20000 or 30000 times (think about your messy output). So what should you do? If you use the -fc option in your command to filter 403, you may miss some sensitive directory. This is where the -ac option comes into the picture: it automatically removes the same-length responses and gives you a nice and clean output.
./ffuf -w /root/Desktop/wordlist.txt -u http://FUZZ.ab.com -ac
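To make the difference between -fc and -ac concrete, here is an added Python example (not ffuf's own code) that post-processes the JSON file ffuf writes with -of json -o: one function drops status codes the way -fc does, the other approximates -ac by treating any (status, length) pair that repeats many times as the server's catch-all answer. The sample results are constructed, and the real -ac calibrates by sending random requests rather than by counting.

```python
"""Post-process ffuf JSON output (-of json -o file) the way -fc and -ac do.

Added example, not part of ffuf. The results below are constructed to look
like ffuf's "results" array (keys: input, status, length, url)."""
import json
from collections import Counter

# Constructed stand-in for a file written by: ffuf ... -of json -o result.json
SAMPLE_FFUF_JSON = json.dumps({
    "commandline": "ffuf -w wordlist.txt -u https://xyz.com/FUZZ -of json -o result.json",
    "results": [
        {"input": {"FUZZ": w}, "status": s, "length": n, "url": f"https://xyz.com/{w}"}
        for w, s, n in [
            ("admin", 403, 1250), ("backup", 403, 1250), ("cgi-bin", 403, 1250),
            ("old", 403, 1250), ("tmp", 403, 1250), ("test", 403, 1250),
            ("config", 403, 310),   # a 403 with a different length: -fc 403 would hide it
            ("login", 200, 5120), ("index.php", 200, 8000),
        ]
    ],
})


def parse_ffuf(text):
    """Return the list of hits from a ffuf JSON report."""
    return json.loads(text)["results"]


def filter_codes(results, codes):
    """-fc equivalent: drop every result whose status code is in `codes`."""
    return [r for r in results if r["status"] not in codes]


def auto_calibrate(results, min_repeats=5):
    """-ac-like: a (status, length) pair seen at least `min_repeats` times is
    treated as the server's generic answer and dropped; rare ones are kept."""
    counts = Counter((r["status"], r["length"]) for r in results)
    return [r for r in results if counts[(r["status"], r["length"])] < min_repeats]


def fuzz_words(results):
    """The FUZZ words that survived, sorted for stable comparison."""
    return sorted(r["input"]["FUZZ"] for r in results)


if __name__ == "__main__":
    res = parse_ffuf(SAMPLE_FFUF_JSON)
    print("-fc 403 keeps:", fuzz_words(filter_codes(res, {403})))   # loses /config
    print("-ac-like keeps:", fuzz_words(auto_calibrate(res)))       # keeps /config
```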
Option name: -rate 2 (set your own number: 2, 3, etc.)
This is very useful because with it you throttle/delay your requests. As you know, ffuf is a very fast tool, and with a large wordlist it makes a lot of noise on the server, which may get your IP blocked, cause a DoS, slow down the server, etc. To avoid this you can use -rate, and your command is:
./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -rate 2
-rate 2 means two requests per second. You can also customize the number.
- Here are some other useful options on ffuf:
-timeout → HTTP request timeout in seconds (default: 10)
-V → Show version information (default: false/off)
-t → Number of concurrent threads (default: 40)
-v → Verbose output, printing the full URL and redirect location (if any) with the results (default: false/off)
-mc → Match HTTP status codes, or "all" for everything (default: 200,204,301,302,307,401,403)
-mode → Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default: clusterbomb (1 to 1, 2 to 2))
Thank you💕
https://www.youtube.com/watch?v=wGX3HwCTpKE
https://youtu.be/sC1I5VsuXSk --> My video explaining it in the Bengali language