FFUF Tips And Tricks

Read ffuf recon tool tips and tricks in just 5 minutes🚀🚀

Tamim Hasan
5 min read · Feb 3, 2021

Assalamu Alaikum
peace be upon you

Hello hackers. I hope you are well. I am Tamim Hasan a Security Researcher and Bug Bounty hunter From Bangladesh 🇧🇩.

Today I am sharing some tips and tricks about the ffuf tool. I will try to keep it simple and easy, so that beginners can also understand the tips and tricks. So let’s get started.

So what is ffuf?

FFUF (Fuzz Faster U Fool) is a great tool for web fuzzing. It has become really popular lately with bug bounty hunters and penetration testers. It is written in Go, so it can send requests for a large wordlist within a minute.

Before using ffuf tool just see this image once.

## wordlist:

Option name: -w

Use a good wordlist with ffuf for more effective fuzzing. I use SecLists-master as an example; you can choose your own. I have my own wordlist for directory brute forcing, which you can find at https://github.com/tamimhasan404/Wordlist404, and you can find some other awesome wordlists, and learn how to create your own custom wordlist, at https://github.com/tamimhasan404/Chart-Of-Wordlist

./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ

/root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt is just the path to where the wordlist is stored.

## ffuf with all domains

A common problem for beginners is that they don’t know how to run ffuf against all of their collected subdomains, because ffuf has no built-in option for a list of targets the way dirsearch has. Here is what I personally use. `-s` makes ffuf print only the matched word, `sed` prefixes it with the host so that every line is a full URL, and the sorted copy goes to a second file, because `sort results.txt > results.txt` would empty the file before sort gets to read it.

for url in $(cat targets.txt); do ffuf -s -ac -fc 404,403 -w wordlist.txt -u "$url/FUZZ" | sed "s|^|$url/|" >> results.txt; done && sort -u results.txt > results.sorted.txt
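A more robust version of the same idea, added here as an example (it is not from the original post and not ffuf’s own code): one CSV result file per host via `-of csv -o`, and a merge step that looks columns up by header name so it does not depend on the exact column order of your ffuf version. It assumes ffuf is on PATH and that targets.txt holds one scheme://host per line; the CSV rows used to check the merge function are constructed in the shape ffuf writes.

```shell
#!/bin/sh
# Added example (not from the original post, not ffuf's own code): fuzz every
# host in a target list, keep one CSV result file per host, then merge the
# hits into a single deduplicated list. Assumptions: ffuf is on PATH and the
# target file holds one scheme://host per line.
set -eu

# Run ffuf once per target. -s keeps the terminal quiet, -ac filters the
# baseline noise, -of csv / -o writes a machine-readable result per host.
fuzz_targets() {
    targets="$1"; wordlist="$2"; outdir="$3"
    mkdir -p "$outdir"
    while IFS= read -r url || [ -n "$url" ]; do
        [ -z "$url" ] && continue                       # skip blank lines
        # file name derived from the host, e.g. app.example.com.csv
        name=$(printf '%s' "${url#*://}" | tr -c '[:alnum:].' '_')
        ffuf -s -ac -fc 404 -w "$wordlist" -u "$url/FUZZ" \
             -of csv -o "$outdir/$name.csv" || true      # a dead host must not stop the loop
    done < "$targets"
}

# Merge every per-host CSV into unique "<status> <url>" lines. Columns are
# found by header name, so the column order ffuf uses does not matter.
merge_results() {
    outdir="$1"
    for f in "$outdir"/*.csv; do
        [ -f "$f" ] || continue
        awk -F, 'NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
                 NF > 1  { print $(col["status_code"]), $(col["url"]) }' "$f"
    done | sort -u
}

# Usage:
#   fuzz_targets targets.txt wordlist.txt ffuf-out && merge_results ffuf-out > results.txt
```

Because each host keeps its own CSV, you can re-run a single host later without touching the others, and `merge_results` can be run as often as you like.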

## Filtering:

Option name: -fc

If you don’t want to see certain status codes, filter them out:

./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -fc 401,403,404

-fc takes a comma-separated list of status codes and ranges, e.g. -fc 400-499. Note that -fc only removes codes from the set that -mc shows (default 200,204,301,302,307,401,403); anything outside the -mc list is never printed anyway.

## Recursion:

Option name: -recursion

With this option ffuf fuzzes again inside every directory it discovers, using the same wordlist. For example, if ffuf finds /admin (under the default recursion strategy a result counts as a directory when the server redirects to it with a trailing slash, /admin/), it then fuzzes /admin/FUZZ; if that turns up /admin/backup, it fuzzes /admin/backup/FUZZ, and so on. Plain files such as /index.php are not recursed into. Recursion only supports the FUZZ keyword, and the URL given with -u has to end in it.

./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -recursion

## Recursion-Depth:

Option name: -recursion-depth

The default value is 0, which means no limit: ffuf keeps recursing as long as it finds new directories. Set it to 2, 3, 4 etc. to cap how many levels deep it goes.

./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -recursion -recursion-depth 2

Here I set -recursion-depth 2, so ffuf fuzzes the directories it finds directly under the target and the directories one level below those, then stops instead of descending further.

## Extension:

Option name: -e

./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -e .html,.php,.txt,.pdf

Sometimes this gives you valuable information, which may be a goldmine in your penetration test or bug hunt. Choose the extensions based on your target, for example .php for a PHP application or .aspx for ASP.NET.

## Silent:

Option name: -s

If you only want the results printed, without the banner and the fuzzing progress on your terminal, use the silent option.

./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -s

## Output:

Option name: -of (choose one of json, ejson, html, md, csv), together with -o for the output file

I generally use | tee to save the result output. But if you want a report you can open in a GUI (a browser), for your own understanding or because a client asks for it, the command is:

./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -of html -o ffuf-result

## Subdomain Enumeration

./ffuf -w /root/Desktop/wordlist.txt -u http://FUZZ.ab.com -of html -o result

Remember to use http:// after “-u”, because many subdomains do not serve https. This mode resolves every candidate hostname through DNS, so if the target uses wildcard DNS every name will resolve and respond; in that case combine it with -ac or -fs to drop the wildcard response.

## Automatically calibrate filtering

Option name: -ac

This one is very useful. While directory brute forcing you will often see a flood of responses with the same status code and the same length, e.g. 403 or 401, because the server answers every unknown path with the same catch-all page. With a big wordlist that identical 403 can repeat 20000 or 30000 times (think of your messy output). So what should you do? If you add -fc 403 to your command, you may also hide a real, sensitive directory that happens to answer 403 with a different page.

This is where the -ac option comes into the picture. Before the real run, ffuf requests a few paths that cannot exist, records the size, word count and line count of those baseline responses, and then drops every result that matches them. The 403s that differ from the baseline stay visible and you get a nice, clean output. If a calibrated run looks suspiciously empty, repeat it without -ac and filter by size (-fs) or words (-fw) yourself.

./ffuf -w /root/Desktop/wordlist.txt -u http://FUZZ.ab.com -ac
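To see what -ac is doing for you, here is the manual version as an added example (not from the original post and not ffuf’s own code): probe a few paths that cannot exist, collect the sizes of the catch-all responses, and hand the distinct sizes to ffuf as -fs. Unlike -fc 403, this keeps any 403 whose body differs from the catch-all page. It assumes curl is on PATH; the "<status> <bytes>" lines used to check the filter builder are constructed.

```shell
#!/bin/sh
# Added example (not from the original post, not ffuf's own code): the manual
# version of what -ac automates. Probe paths that cannot exist, record the
# size of each catch-all response and turn the distinct sizes into an -fs
# filter. Assumes curl is on PATH.
set -eu

# 12 random lowercase alphanumerics: a path no real site is likely to serve
random_token() {
    LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 12
}

# Fetch one URL and print "<status> <bytes>" (needs network access)
probe() {
    curl -s -o /dev/null -w '%{http_code} %{size_download}\n' "$1"
}

# Read "<status> <bytes>" lines on stdin and print the distinct sizes as a
# comma-separated list in the form ffuf -fs expects, e.g. "87,1234"
sizes_to_filter() {
    awk 'NF >= 2 { print $2 }' | sort -nu | paste -s -d , -
}

# Probe three shapes of non-existent path (plain, .php, directory) under the
# base URL and print the -fs value to use against that target
calibrate() {
    base="$1"
    t=$(random_token)
    for p in "$t" "$t.php" "$t/"; do
        probe "$base/$p"
    done | sizes_to_filter
}

# Usage (needs network):
#   ffuf -w wordlist.txt -u "https://xyz.com/FUZZ" -fs "$(calibrate https://xyz.com)"
```

ffuf’s -ac filters on size, words and lines rather than size alone, so it is stricter than this script; the script is only meant to show why filtering on the catch-all response is safer than filtering on a whole status code.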

## Throttle(Last one but an important one)

Option name: -rate (set your own number: 2, 3 etc.)

This is very useful because with it you throttle your requests. As you know ffuf is a very fast tool, and combined with a large wordlist it makes a lot of noise on the server, which may get your IP blocked, cause a denial of service, slow down the server, etc. To avoid this you can use -rate, and the command is:

./ffuf -w /root/Desktop/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -rate 2

-rate 2 means two requests per second in total, across all threads. You can also customize the number, lower the thread count with -t, or add a delay between requests with -p (for example -p 0.1 or a random range like -p 0.1-2.0).

Here are some other useful ffuf options:

-timeout → HTTP request/response timeout in seconds (default: 10)

-V → Show version information (default: false/off)

-t → Number of concurrent threads (default: 40)

-v → Verbose output, printing the full URL and redirect location (if any) with the results (default: false/off)

-mc → Match HTTP status codes, or “all” for everything (default: 200,204,301,302,307,401,403)

-mode → Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork (default: clusterbomb). clusterbomb tries every combination of entries from the wordlists; pitchfork walks the wordlists in parallel, pairing entry 1 with entry 1, entry 2 with entry 2, and so on.
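The difference between the two modes is easiest to see by generating the pairs yourself. The script below is an added example (not from the original post and not ffuf’s own code); ffuf does this pairing internally, this only prints the same combinations so you can count them. It assumes both wordlists have the same number of lines (what ffuf does with unequal lists is not covered here), the output order is this script’s and not necessarily ffuf’s, and the two sample lists are constructed.

```shell
#!/bin/sh
# Added example (not from the original post, not ffuf's own code): what the
# two -mode values do with two wordlists. Assumes both lists have the same
# number of lines. Sample lists below are constructed.
set -eu

# pitchfork: line i of the first list together with line i of the second
pitchfork() {
    paste -d ' ' "$1" "$2"
}

# clusterbomb (the default): every entry of the first list with every entry
# of the second, so len1 * len2 requests
clusterbomb() {
    awk 'NR == FNR { a[FNR] = $0; n = FNR; next }
         { for (i = 1; i <= n; i++) print a[i], $0 }' "$1" "$2"
}

# Demo with constructed lists: show the pairs and count the requests each
# mode would send
demo() {
    d=$(mktemp -d)
    printf 'admin\nroot\nguest\n' > "$d/users.txt"
    printf 'admin\npassword\nletmein\n' > "$d/pass.txt"
    echo '--- pitchfork ---';   pitchfork   "$d/users.txt" "$d/pass.txt"
    echo '--- clusterbomb ---'; clusterbomb "$d/users.txt" "$d/pass.txt"
    printf 'pitchfork: %s requests, clusterbomb: %s requests\n' \
        "$(pitchfork   "$d/users.txt" "$d/pass.txt" | awk 'END { print NR }')" \
        "$(clusterbomb "$d/users.txt" "$d/pass.txt" | awk 'END { print NR }')"
    rm -r "$d"
}

demo

# The matching ffuf invocations (W1 and W2 are keywords you choose, given
# after the wordlist path with a colon):
#   ffuf -w users.txt:W1 -w pass.txt:W2 -mode pitchfork   -u 'https://xyz.com/login?u=W1&p=W2'
#   ffuf -w users.txt:W1 -w pass.txt:W2 -mode clusterbomb -u 'https://xyz.com/login?u=W1&p=W2'
```

With three entries in each list, pitchfork sends 3 requests and clusterbomb sends 9; with two real-sized wordlists the clusterbomb total grows multiplicatively, which is why -rate matters there.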


Thank you💕 so much guys to read my story. Have a nice day :)

You can follow me on Youtube | Github | Twitter | Linkedin | Facebook

## I Explain a little bit more in the Bengali language

https://youtu.be/sC1I5VsuXSk

