Fuzzers

FeroxBuster

feroxbuster -u http://192.168.198.41 -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x "txt,html,php,asp,aspx,jsp" -C 403 -v -k -n -o tcp_30455_http_feroxbuster.txt
feroxbuster -u http://192.168.169.122 -t 10 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x "txt,html,php,asp,aspx,jsp" -C 403 -v -k -n -o tcp_30455_http_feroxbuster.txt
feroxbuster -u http://192.168.198.41 -t 10 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x "txt,html,php,asp,aspx,jsp" -C 403 -v -k -n -o tcp_30455_http_feroxbuster.txt
feroxbuster -u http://192.168.198.41 -t 10 -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x "txt,html,php" -C 403 -v -k -n -o tcp_80_http_feroxbuster.txt

Dirb

./dirb <url_base> [<wordlist_file(s)>] [options]

========================= NOTES =========================
 <url_base> : Base URL to scan. (Use -resume for session resuming)
 <wordlist_file(s)> : List of wordfiles. (wordfile1,wordfile2,wordfile3...)

======================== HOTKEYS ========================
 'n' -> Go to next directory.
 'q' -> Stop scan. (Saving state for resume)
 'r' -> Remaining scan stats.

 
======================== OPTIONS ========================
 -a <agent_string> : Specify your custom USER_AGENT.
 -c <cookie_string> : Set a cookie for the HTTP request.
 -f : Fine tunning of NOT_FOUND (404) detection.
 -H <header_string> : Add a custom header to the HTTP request.
 -i : Use case-insensitive search.
 -l : Print "Location" header when found.
 -N <nf_code>: Ignore responses with this HTTP code.
 -o <output_file> : Save output to disk.
 -p <proxy[:port]> : Use this proxy. (Default port is 1080)
 -P <proxy_username:proxy_password> : Proxy Authentication.
 -r : Don't search recursively.
 -R : Interactive recursion. (Asks for each directory)
 -S : Silent Mode. Don't show tested words. (For dumb terminals)
 -t : Don't force an ending '/' on URLs.
 -u <username:password> : HTTP Authentication.
 -v : Show also NOT_FOUND pages.
 -w : Don't stop on WARNING messages.
 -X <extensions> / -x <exts_file> : Append each word with this extensions.
 -z <milisecs> : Add a miliseconds delay to not cause excessive Flood.

Gobuster

gobuster dir -u http://192.168.129.71 -w /usr/share/wordlists/dirb/directory-list-2.3-big.txt -e

Usage of gobuster:
  -P string
        Password for Basic Auth (dir mode only)
  -U string
        Username for Basic Auth (dir mode only)
  -a string
        Set the User-Agent string (dir mode only)
  -c string
        Cookies to use for the requests (dir mode only)
  -e    Expanded mode, print full URLs
  -f    Append a forward-slash to each directory request (dir mode only)
  -fw
        Force continued operation when wildcard found (dns mode only)
  -i    Show IP addresses (dns mode only)
  -l    Include the length of the body in the output (dir mode only)
  -m string
        Directory/File mode (dir) or DNS mode (dns) (default "dir")
  -n    Don't print status codes
  -p string
        Proxy to use for requests [http(s)://host:port] (dir mode only)
  -q    Don't print the banner and other noise
  -r    Follow redirects
  -s string
        Positive status codes (dir mode only) (default "200,204,301,302,307")
  -t int
        Number of concurrent threads (default 10)
  -u string
        The target URL or Domain
  -v    Verbose output (errors)
  -w string
        Path to the wordlist
  -x string
        File extension(s) to search for (dir mode only)

Wfuzz

https://certcube.com/wfuzz-cheat-sheet-the-power-of-brute-forcer/
wfuzz -e encodings


wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ
Wordlist:
/usr/share/seclists/Fuzzing/XXE-Fuzzing.txt
/usr/share/seclists/Fuzzing/command-injection-commix.txt
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt
/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
/usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt
/usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt
/usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt
/usr/share/seclists/Fuzzing/SQLi/Generic-BlindSQLi.fuzzdb.txt
/usr/share/seclists/Fuzzing/SQLi/quick-SQLi.txt

wfuzz -w /usr/share/wfuzz/wordlist/Injections/All_attack.txt --hc 404 http://127.0.0.1/FUZZ

Wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/All_attack.txt -d "auth=FUZZ" -u http://192.168.129.30/scarecrow/login.php

Usage:	wfuzz [options] -z payload,params <url>

	FUZZ, ..., FUZnZ  wherever you put these keywords wfuzz will replace them with the values of the specified payload.
	FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.


Options:
	-h                        : This help
	--help                    : Advanced help
	--version                 : Wfuzz version details
	-e <type>                 : List of available encoders/payloads/iterators/printers/scripts
	
	-c                        : Output with colors
	-v                        : Verbose information.
	--interact                : (beta) If selected,all key presses are captured. This allows you to interact with the program.
	
	-p addr                   : Use Proxy in format ip:port:type. Repeat option for using various proxies.
	                            Where type could be SOCKS4,SOCKS5 or HTTP if omitted.
	
	-t N                      : Specify the number of concurrent connections (10 default)
	-s N                      : Specify time delay between requests (0 default)
	-R depth                  : Recursive path discovery being depth the maximum recursion level.
	-L, --follow              : Follow HTTP redirections
	
	-u url                    : Specify a URL for the request.
	-z payload                : Specify a payload for each FUZZ keyword used in the form of type,parameters,encoder.
	                            A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
	                            Encoders category can be used. ie. url
	                            Use help as a payload to show payload plugin's details (you can filter using --slice)
	-w wordlist               : Specify a wordlist file (alias for -z file,wordlist).
	-V alltype                : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
	-X method                 : Specify an HTTP method for the request, ie. HEAD or FUZZ
	
	-b cookie                 : Specify a cookie for the requests
	-d postdata               : Use post data (ex: "id=FUZZ&catalogue=1")
	-H header                 : Use header (ex:"Cookie:id=1312321&user=FUZZ")
	--basic/ntlm/digest auth  : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"
	
	--hc/hl/hw/hh N[,N]+      : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
	--sc/sl/sw/sh N[,N]+      : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
	--ss/hs regex             : Show/Hide responses with the specified regex within the content

Wfuzz Examples: https://wfuzz.readthedocs.io/en/latest/