ffuf
Performed web directory brute-forcing and discovery.
How I used it
Fuzz Faster You Fool (ffuf) is my default standard for fuzzing directories, subdirectories, and HTTP parameters. I started with gobuster, but ffuf’s speed had me switching permanently. Once you go fast, you don’t go back.
| Category | What I did | Why I did it |
|---|---|---|
| Fuzzing Directories and Files | FUZZ at the end of the URL to find juicy files and directories. | Hoping to find something fun to play with. |
| Find Subdomains | FUZZ before the domain to find subdomains we can explore. | The best ones are the "dev" subdomains. |
| Enumerate HTTP Parameters | FUZZ for HTTP parameters our request might need. | Rarer, but sometimes I look for them if I think I can increase my functionality. |
Proof
- HTB Popcorn - Discovered abusable directory with ffuf.
- HTB Cronos - Found a subdomain to enumerate.
- HTB Planning - Multiple ffufs including the HTTP parameter one.
Commands I Use Every Box
Fuzzing Directories and Files
┌──(kali㉿kali)-[~/Documents/htb/cronos]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://cronos.htb/FUZZ -e .txt,.bak,.html,.php -fw 990
Find Subdomains
┌──(kali㉿kali)-[~/Documents/htb/cronos]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://cronos.htb -H "Host: FUZZ.cronos.htb" -fw 3534
What I Learned the Hard Way
Wordlist Selection Matters
Choose those wordlists carefully. SecLists offers a bunch to play with. But if you get stuck, double back and try bigger, better wordlists, and maybe you will find what you are looking for.
Filters are necessary
Pick a common value from the noise results (like word count), then use -fw <value you picked> to filter out everything with that word count. Suddenly, only interesting results remain.
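An added example (not part of the original write-up): picking the -fw value from a saved ffuf JSON report (`-of json`) instead of eyeballing it. The sample report, the 60% threshold and the function names are assumptions made for this sketch; if no word count dominates, it suggests no filter so that real hits are not dropped.

```python
import json
from collections import Counter

# Constructed sample in the shape of ffuf's JSON report; not real scan output.
SAMPLE = json.dumps({"results": [
    {"input": {"FUZZ": "images"}, "status": 200, "length": 11439, "words": 990},
    {"input": {"FUZZ": "news"}, "status": 200, "length": 11439, "words": 990},
    {"input": {"FUZZ": "admin"}, "status": 301, "length": 306, "words": 20},
    {"input": {"FUZZ": "contact"}, "status": 200, "length": 11439, "words": 990},
    {"input": {"FUZZ": "about"}, "status": 200, "length": 11439, "words": 990},
    {"input": {"FUZZ": "backup.txt"}, "status": 200, "length": 74, "words": 14},
    {"input": {"FUZZ": "home"}, "status": 200, "length": 11439, "words": 990},
    {"input": {"FUZZ": "index"}, "status": 200, "length": 11439, "words": 990},
]})


def load_results(report_text):
    """Return the list of result entries from a JSON report."""
    return json.loads(report_text).get("results", [])


def suggest_fw(results, min_share=0.6):
    """Return the word count to pass to -fw, or None if nothing dominates.

    min_share is an assumed threshold: the most common word count must
    cover at least that fraction of all results to count as noise.
    """
    if not results:
        return None
    counts = Counter(r["words"] for r in results)
    value, hits = counts.most_common(1)[0]
    return value if hits / len(results) >= min_share else None


def apply_fw(results, value):
    """Mimic -fw: drop every result whose word count equals value."""
    return [r for r in results if r["words"] != value]


if __name__ == "__main__":
    results = load_results(SAMPLE)
    fw = suggest_fw(results)
    print(f"suggested filter: -fw {fw}")
    for r in apply_fw(results, fw):
        print(r["status"], r["words"], r["input"]["FUZZ"])
```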
When ffuf Let Me Down
I can’t remember the specific box, unfortunately, but I was pretty sure I was supposed to find something by brute-force. So, I switched it up with gobuster and finally found it. So, always be flexible and ready to pivot to move deeper in the attack.