# Fuzzers

### FeroxBuster

```
feroxbuster -u http://192.168.198.41 -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x "txt,html,php,asp,aspx,jsp" -C 403 -v -k -n -o tcp_30455_http_feroxbuster.txt
feroxbuster -u http://192.168.169.122 -t 10 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x "txt,html,php,asp,aspx,jsp" -C 403 -v -k -n -o tcp_30455_http_feroxbuster.txt
feroxbuster -u http://192.168.198.41 -t 10 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x "txt,html,php,asp,aspx,jsp" -C 403 -v -k -n -o tcp_30455_http_feroxbuster.txt
feroxbuster -u http://192.168.198.41 -t 10 -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x "txt,html,php" -C 403 -v -k -n -o tcp_80_http_feroxbuster.txt
```

### Dirb

```
./dirb <url_base> [<wordlist_file(s)>] [options]

========================= NOTES =========================
 <url_base> : Base URL to scan. (Use -resume for session resuming)
 <wordlist_file(s)> : List of wordfiles. (wordfile1,wordfile2,wordfile3...)

======================== HOTKEYS ========================
 'n' -> Go to next directory.
 'q' -> Stop scan. (Saving state for resume)
 'r' -> Remaining scan stats.
 
======================== OPTIONS ========================
 -a <agent_string> : Specify your custom USER_AGENT.
 -c <cookie_string> : Set a cookie for the HTTP request.
 -f : Fine tunning of NOT_FOUND (404) detection.
 -H <header_string> : Add a custom header to the HTTP request.
 -i : Use case-insensitive search.
 -l : Print "Location" header when found.
 -N <nf_code>: Ignore responses with this HTTP code.
 -o <output_file> : Save output to disk.
 -p <proxy[:port]> : Use this proxy. (Default port is 1080)
 -P <proxy_username:proxy_password> : Proxy Authentication.
 -r : Don't search recursively.
 -R : Interactive recursion. (Asks for each directory)
 -S : Silent Mode. Don't show tested words. (For dumb terminals)
 -t : Don't force an ending '/' on URLs.
 -u <username:password> : HTTP Authentication.
 -v : Show also NOT_FOUND pages.
 -w : Don't stop on WARNING messages.
 -X <extensions> / -x <exts_file> : Append each word with this extensions.
 -z <milisecs> : Add a miliseconds delay to not cause excessive Flood.
```

### Gobuster

```
gobuster dir -u http://192.168.129.71 -w /usr/share/wordlists/dirb/directory-list-2.3-big.txt -e
```

```
Usage of gobuster:
  -P string
        Password for Basic Auth (dir mode only)
  -U string
        Username for Basic Auth (dir mode only)
  -a string
        Set the User-Agent string (dir mode only)
  -c string
        Cookies to use for the requests (dir mode only)
  -e    Expanded mode, print full URLs
  -f    Append a forward-slash to each directory request (dir mode only)
  -fw
        Force continued operation when wildcard found (dns mode only)
  -i    Show IP addresses (dns mode only)
  -l    Include the length of the body in the output (dir mode only)
  -m string
        Directory/File mode (dir) or DNS mode (dns) (default "dir")
  -n    Don't print status codes
  -p string
        Proxy to use for requests [http(s)://host:port] (dir mode only)
  -q    Don't print the banner and other noise
  -r    Follow redirects
  -s string
        Positive status codes (dir mode only) (default "200,204,301,302,307")
  -t int
        Number of concurrent threads (default 10)
  -u string
        The target URL or Domain
  -v    Verbose output (errors)
  -w string
        Path to the wordlist
  -x string
        File extension(s) to search for (dir mode only)
```

### Wfuzz

```
# Reference: https://certcube.com/wfuzz-cheat-sheet-the-power-of-brute-forcer/
wfuzz -e encodings

# Quote the URL so the shell does not treat "?" as a glob character
wfuzz -z range,0-10 --hl 97 "http://testphp.vulnweb.com/listproducts.php?cat=FUZZ"

# Wordlists:
/usr/share/seclists/Fuzzing/XXE-Fuzzing.txt
/usr/share/seclists/Fuzzing/command-injection-commix.txt
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt
/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
/usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt
/usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt
/usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt
/usr/share/seclists/Fuzzing/SQLi/Generic-BlindSQLi.fuzzdb.txt
/usr/share/seclists/Fuzzing/SQLi/quick-SQLi.txt
```

```
wfuzz -w /usr/share/wfuzz/wordlist/Injections/All_attack.txt --hc 404 http://127.0.0.1/FUZZ
```

```
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/All_attack.txt -d "auth=FUZZ" -u http://192.168.129.30/scarecrow/login.php
```

```
Usage:	wfuzz [options] -z payload,params <url>

	FUZZ, ..., FUZnZ  wherever you put these keywords wfuzz will replace them with the values of the specified payload.
	FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.


Options:
	-h                        : This help
	--help                    : Advanced help
	--version                 : Wfuzz version details
	-e <type>                 : List of available encoders/payloads/iterators/printers/scripts
	
	-c                        : Output with colors
	-v                        : Verbose information.
	--interact                : (beta) If selected,all key presses are captured. This allows you to interact with the program.
	
	-p addr                   : Use Proxy in format ip:port:type. Repeat option for using various proxies.
	                            Where type could be SOCKS4,SOCKS5 or HTTP if omitted.
	
	-t N                      : Specify the number of concurrent connections (10 default)
	-s N                      : Specify time delay between requests (0 default)
	-R depth                  : Recursive path discovery being depth the maximum recursion level.
	-L, --follow              : Follow HTTP redirections
	
	-u url                    : Specify a URL for the request.
	-z payload                : Specify a payload for each FUZZ keyword used in the form of type,parameters,encoder.
	                            A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
	                            Encoders category can be used. ie. url
	                            Use help as a payload to show payload plugin's details (you can filter using --slice)
	-w wordlist               : Specify a wordlist file (alias for -z file,wordlist).
	-V alltype                : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
	-X method                 : Specify an HTTP method for the request, ie. HEAD or FUZZ
	
	-b cookie                 : Specify a cookie for the requests
	-d postdata               : Use post data (ex: "id=FUZZ&catalogue=1")
	-H header                 : Use header (ex:"Cookie:id=1312321&user=FUZZ")
	--basic/ntlm/digest auth  : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"
	
	--hc/hl/hw/hh N[,N]+      : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
	--sc/sl/sw/sh N[,N]+      : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
	--ss/hs regex             : Show/Hide responses with the specified regex within the content

```

Wfuzz Examples: <https://wfuzz.readthedocs.io/en/latest/>
