Fuzzing for beginners! FFuF - Hacker Tools

00:00

hello everybody and welcome back to

00:01

another hacker tools video in today's

00:04

video we are going to be taking a look

00:06

at f5 and we're going to look at fuzzing

00:10

for beginners so let's jump straight

00:13

into it

00:17

what is fuzzing well fuzzing is an

00:20

automated process where we send data to

00:23

a server and we see how it reacts for

00:26

example we could have an api and we want

00:28

to find different endpoints on that api

00:30

that we can test

00:32

we can try to send a request saying okay

00:34

api.integrity.com

00:37

users how is integrity.com going to

00:39

react to that it can either react in for

00:42

example a 404 saying hey i did not find

00:45

that and then we know okay that's not a

00:47

valid endpoint but it could also react

00:49

in a 200 status code saying hey the user

00:52

id is not found in this case and you

00:54

know okay that endpoints exist

00:56

and i um can start looking into that

00:59

endpoint more so

01:01

fuzzing is that automated process where

01:03

we run through a whole word list with

01:05

all kinds of words and we try to find

01:07

end points but also v hosts at the

01:10

beginning of a url but you can even try

01:13

to first post the data or anything you

01:15

can really imagine

01:17

and now a very popular tool for fuzzing

01:20

is ff standing for first faster you

01:24

fool now f5 was created by the finnish

01:26

hacker juhoy and we are going to take a

01:29

look at how it works right now so let's

01:32

jump into this and let's let's take a

01:35

look at a simple ff scan so we're going

01:38

to start off by typing of course fff

01:40

and then we're going to supply a word

01:42

list but this is a word list containing

01:44

all the different words or

01:47

things it's going to try to find

01:50

i like to use cyclists for this which is

01:52

a great compilation of all kinds of word

01:54

lists and i have started git repository

01:57

in slash opt set lists i'm going to look

02:00

at discovery because i want to discover

02:02

things and i want to discover some web

02:04

content now there's a ton of web content

02:07

in here as you can see

02:08

but i like to use the raft

02:12

and then let's use

02:13

small directories in this case

02:17

okay with our word list set we can use

02:20

dash u to supply a url

02:23

now i'm going to supply http s

02:26

slash

02:27

www.integrity.com

02:32

and now i want to first end points that

02:34

are that come after this

02:36

this url so i'm going to type in capital

02:38

letters slash first and that is how you

02:40

define the place where ff is going to

02:43

place your words in the word lists so ff

02:46

is going to send a ton of http requests

02:48

with this url always replacing first by

02:51

the word in our word list and if i run

02:53

this we will see that we get a ton of

02:55

requests here and they all have the same

02:58

size the same status of 200 the same

03:01

amount of words and lines

03:03

and this probably means that the

03:04

integrity the back-end server or the

03:06

server here

03:08

sends a 200 status code even if it's not

03:11

found because for example php underscore

03:13

uploads baskets email templates those

03:16

are probably not real endpoints here so

03:18

what we can do now is we can filter out

03:21

all the requests with this specific size

03:24

and to do that we're gonna go to our

03:26

original request again

03:27

and i'm gonna

03:29

do dash f for filter and then s for size

03:34

we're going to filter things out based

03:35

on size and i have to scroll up a bit to

03:37

see the size here that was 2 2

03:41

and 9 6 6 3 9 6 x 3 okay and now we can

03:44

run that again and we see that we get

03:46

some different results with different

03:48

sizes and things that make way more

03:51

sense for integrity such as uh programs

03:54

obviously um

03:56

so okay that's cool i'm gonna quit this

03:57

scan now to ask to not overload the

03:59

server of course

04:02

uh right now we looked at this simple

04:04

command that first end points we can

04:07

obviously also first v hosts or

04:10

posted and i'm gonna explain all of that

04:12

and all these flags and how they work

04:14

in a bit but you can obviously also run

04:18

ff-h for the help

04:21

and that will bring up all of the

04:23

different options but i'm gonna explore

04:25

some with you here in the next section

04:28

here

04:30

and let's look at some of these options

04:32

first of all we're going to talk about

04:33

some post request options because it's

04:35

obviously very useful to try to first in

04:38

post requests that can lead to idols to

04:41

all kind of interesting things in apis

04:43

for example

04:45

first of all we're going to look at the

04:46

dash capital x and that is

04:49

a means for you to supply an http method

04:52

so the default is get but you can also

04:54

say post there and then the server or ff

04:56

is going to send post requests to the

04:58

server

05:00

then you can also supply dash capital

05:02

lowercase d rather and that is to supply

05:05

some post data which is your json data

05:08

or any other kind of data and this data

05:10

can obviously include your first keyword

05:12

which is going to be used to replace uh

05:14

to put the things from your word list

05:17

the words from your word list in so very

05:20

useful if you want to first out post

05:22

requests

05:24

besides that you also have some what i

05:26

like to call book bounty options these

05:28

are options that you can use to adhere

05:30

to the rules of a program uh things like

05:32

dash t for the amount of threads that

05:35

are being used and dash rate for the

05:38

rate of requests per second because

05:40

obviously you don't want to overload a

05:41

program

05:42

requests because you can imagine if 100

05:45

researchers start doing that it will

05:47

become very cumbersome for the program

05:49

so adhere to the rules

05:52

but besides that you can also set the

05:53

dash capital h option to supply a header

05:57

value this is gonna have a header

06:00

injected in every request and the dash

06:02

lowercase b option can be used to set

06:04

some cookies

06:06

so say cookie name equals value

06:10

and that's it for the bug bounty options

06:12

now let's take a look at some recursion

06:14

and redirects now first of all with dash

06:17

recursion you can say okay scan this

06:19

recursively this is only going to work

06:21

if your first word is at the end of the

06:23

url so if you're fuzzing for directories

06:25

or files and what ff is going to do is

06:28

once it finds a valid or a working

06:30

endpoint it's going to add another slash

06:33

to that and add another first keyword to

06:35

that and it's going to try to first that

06:36

whole directory again then you can say

06:38

okay if it's fine if it finds something

06:40

there again it's going to do the same

06:42

again and that way you can keep on

06:44

recursively fuzzing into directory so

06:46

that you found find every file that

06:49

there is to be found on that server with

06:51

dash recursion depth you can then set

06:54

the depth that is going to be taken so

06:56

if you only want to go into two

06:57

directories and not into infinite amount

06:59

of directories you can set the

07:02

recursion depth to two

07:05

then we can also talk about redirects

07:07

and with dash r you can say that it's

07:09

gonna follow redirects

07:11

this can be very useful because

07:12

obviously you are gonna get 301 status

07:16

quotes back

07:17

301 meaning redirect to a specific page

07:19

and with this option it's going to

07:21

actually follow that redirect so that

07:22

you can you can see what it goes to

07:26

but that's it for recursion and

07:27

redirects now let's talk about matcher

07:30

options now what are these these are

07:32

options that are going to say okay if

07:34

the answer that we get back so the

07:36

response for a specific request if it

07:39

matches one of these it's going to be

07:41

shown so for example with dash mc we can

07:45

match status codes so for example if we

07:48

get a 200 bucks show it and by default

07:51

you have 200 204 301 and so on all of

07:54

these codes that are already being

07:56

matched um besides that you can also say

07:59

dash ml and that's going to say okay if

08:01

if this amount these amount of lines

08:03

that you supply so if you say okay 13

08:05

lines

08:06

if the server if ff gets a request back

08:09

from the server that contains 13 lines

08:11

and it's gonna show that entry in your

08:14

list you can also use regex with dash m

08:17

r uh the response size with dash m s and

08:20

then the amount of words in the response

08:22

with dash m w

08:25

now that is matching but we can also

08:28

filter out specific entries

08:31

and for example you can filter out

08:33

status quotes with dash fc

08:35

uh if you say fc200 it will not show you

08:38

any responses that have the status code

08:41

200 you can do dash fl for lines dash fr

08:45

to filter out

08:46

based on specific regex and fs the one

08:50

we used in the video

08:51

to filter out specific response sizes as

08:54

well as dash fw to filter out by the

08:57

amount of words in a response

09:01

now those were all the basic options

09:03

that ff has to offer now there are more

09:06

you can get really really

09:08

granular with this tool so definitely

09:10

check out the health help page and the

09:13

github

09:15

but that's all for now

09:17

i hope ff is going to be your new tool

09:20

of choice for fuzzing out

09:22

your targets and making sure that you

09:24

find every endpoint fee host

09:26

post data item

09:28

that you just found find everything and

09:30

can test everything on a specific

09:32

endpoint

09:33

now i hope you enjoyed this enjoyed this

09:36

video let us know what you think of it

09:38

below in the comments like it if you

09:40

like the video and also if you have any

09:42

suggestions for tools that you would

09:44

like to see us cover in the future then

09:47

definitely comment those below as well

09:50

that was it for the video i hope you

09:51

enjoyed it and take care

09:54

[Music]