El fuzzing
Wfuzz : Una Herramienta Obsoleta
Una de las herramientas clásicas para fuzzing es Wfuzz HTTP con diferentes cargas útiles para analizar respuestas. Sin embargo, esta herramienta está bastante desactualizada y ha sido reemplazada por opciones más modernas y eficientes.
FFUF : La Mejor Alternativa
Hoy en día, la herramienta más usada y actualizada es FFUF (Fast Fuzzing) fuzzing en aplicaciones web de manera eficiente.
En las siguientes secciones, exploraremos FFUF en profundidad y aprenderemos cómo utilizarla para encontrar directorios, archivos y vulnerabilidades en aplicaciones web.
Se encuentra en el siguiente repositorio.
URL = ffuf GitHub
Viene por defecto instalada en el kali, por lo que haremos lo siguiente para probarla.
Pero antes de ejecutar la herramienta quitaremos los comentarios del diccionario, ya que si no tambien nos lo va a incluir de la siguiente forma:
Copy sudo sed -i '/^#/d' /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt Una vez quitados los comentarios, ahora si lo ejecutaremos.
Copy ffuf -u http://192.168.5.211:8080/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt Con la palabra FUZZ especificamos el campo en concreto donde queremos que pruebe todas esas palabras del diccionario que le estamos pasando. Con -w especificamos el diccionario que queremos que utilice la herramienta.
Info:
Copy
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.5.211:8080/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
documents [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 0ms]
apps [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 0ms]
admin [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 1ms]
portal [Status: 200, Size: 5396, Words: 22, Lines: 25, Duration: 1ms]
db [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 0ms]
bugs [Status: 200, Size: 7858, Words: 504, Lines: 159, Duration: 1ms]
js [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 1ms]
message [Status: 200, Size: 28, Words: 5, Lines: 1, Duration: 2ms]
robots [Status: 200, Size: 167, Words: 9, Lines: 11, Duration: 1ms]
fonts [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 1ms]
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 622ms]
666 [Status: 200, Size: 112, Words: 17, Lines: 7, Duration: 2ms]
soap [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 6ms]
images [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 678ms]
passwords [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 1ms]
stylesheets [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 5ms]
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 2ms]
:: Progress: [87651/87651] :: Job [1/1] :: 3636 req/sec :: Duration: [0:00:22] :: Errors: 0 :: Y por lo que vemos aqui nos muestra las rutas que ha podido encontrar con este diccionario en dicha pagina web.
Si por ejemplo queremos que cuando encuentre un directorio valido, tambien haga fuzzing dentro de ese directorio de forma recursiva con cada uno de esos directorios que encuentre, podremos hacerlo con el parametro -recursion:
Copy ffuf -u http://192.168.5.211:8080/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -recursion Info:
Copy
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.5.211:8080/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1ms]
images [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 3ms]
[INFO] Adding a new job to the queue: http://192.168.5.211:8080/images/FUZZ
documents [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 1ms]
[INFO] Adding a new job to the queue: http://192.168.5.211:8080/documents/FUZZ
apps [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 0ms]
[INFO] Adding a new job to the queue: http://192.168.5.211:8080/apps/FUZZ
admin [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 0ms]
[INFO] Adding a new job to the queue: http://192.168.5.211:8080/admin/FUZZ
portal [Status: 200, Size: 5396, Words: 22, Lines: 25, Duration: 3ms]
db [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 1ms]
[INFO] Adding a new job to the queue: http://192.168.5.211:8080/db/FUZZ
bugs [Status: 200, Size: 7858, Words: 504, Lines: 159, Duration: 2ms]
js [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 1ms]
[INFO] Adding a new job to the queue: http://192.168.5.211:8080/js/FUZZ
message [Status: 200, Size: 28, Words: 5, Lines: 1, Duration: 1ms]
robots [Status: 200, Size: 167, Words: 9, Lines: 11, Duration: 1ms]
fonts [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 1ms]
[INFO] Adding a new job to the queue: http://192.168.5.211:8080/fonts/FUZZ
666 [Status: 200, Size: 112, Words: 17, Lines: 7, Duration: 1ms]
soap [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 2ms]
[INFO] Adding a new job to the queue: http://192.168.5.211:8080/soap/FUZZ
passwords [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 1ms]
[INFO] Adding a new job to the queue: http://192.168.5.211:8080/passwords/FUZZ
stylesheets [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 3ms]
[INFO] Adding a new job to the queue: http://192.168.5.211:8080/stylesheets/FUZZ
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 15ms]
[INFO] Starting queued job on target: http://192.168.5.211:8080/images/FUZZ
[Status: 200, Size: 5153, Words: 259, Lines: 38, Duration: 115ms]
cc [Status: 200, Size: 688, Words: 9, Lines: 7, Duration: 13ms]
blogger [Status: 200, Size: 1026, Words: 8, Lines: 5, Duration: 9ms]
favicon [Status: 200, Size: 1150, Words: 4, Lines: 6, Duration: 7ms]
nsa [Status: 200, Size: 15554, Words: 60, Lines: 65, Duration: 7ms]
captcha [Status: 200, Size: 4445, Words: 23, Lines: 28, Duration: 7ms]
mk [Status: 200, Size: 11226, Words: 53, Lines: 42, Duration: 13ms]
facebook [Status: 200, Size: 2636, Words: 16, Lines: 13, Duration: 14ms]
owasp [Status: 200, Size: 16988, Words: 90, Lines: 65, Duration: 11ms]
zap [Status: 200, Size: 17557, Words: 72, Lines: 83, Duration: 2ms]
linkedin [Status: 200, Size: 1742, Words: 7, Lines: 17, Duration: 11ms]
[Status: 200, Size: 5153, Words: 259, Lines: 38, Duration: 10ms]
twitter [Status: 200, Size: 2896, Words: 15, Lines: 10, Duration: 9ms]
mme [Status: 200, Size: 14477, Words: 87, Lines: 72, Duration: 12ms]
[INFO] Starting queued job on target: http://192.168.5.211:8080/documents/FUZZ
[Status: 200, Size: 2311, Words: 136, Lines: 23, Duration: 101ms]
[Status: 200, Size: 2311, Words: 136, Lines: 23, Duration: 9ms]
[INFO] Starting queued job on target: http://192.168.5.211:8080/apps/FUZZ
[Status: 200, Size: 944, Words: 65, Lines: 17, Duration: 74ms]
[Status: 200, Size: 944, Words: 65, Lines: 17, Duration: 18ms]
[INFO] Starting queued job on target: http://192.168.5.211:8080/admin/FUZZ
[Status: 200, Size: 3160, Words: 539, Lines: 125, Duration: 10ms]
[Status: 200, Size: 3160, Words: 539, Lines: 125, Duration: 3ms]
[WARN] Caught keyboard interrupt (Ctrl-C) Por lo que vemos se esta recorriendo cada uno de ellos que ha encontrado, haciendo una busqueda recursiva.
Por ejemplo si de estas palabras que esta probando queremos añadirle a cada una de ellas una extension para ver si encuentra algun archivo, podremos hacerlo de la siguiente forma con el parametro -e:
Copy ffuf -u http://192.168.5.211:8080/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -e .php,.txt,.html Info:
Copy
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.5.211:8080/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
:: Extensions : .php .txt .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
images [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 1ms]
index.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 4ms]
info.php [Status: 200, Size: 3426, Words: 411, Lines: 94, Duration: 2ms]
login.php [Status: 200, Size: 4013, Words: 523, Lines: 134, Duration: 52ms]
security.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
documents [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 0ms]
apps [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 1ms]
admin [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 0ms]
training.php [Status: 200, Size: 3843, Words: 436, Lines: 102, Duration: 9ms]
.html [Status: 403, Size: 287, Words: 21, Lines: 11, Duration: 318ms]
.php [Status: 403, Size: 286, Words: 21, Lines: 11, Duration: 334ms]
portal.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 3ms]
portal [Status: 200, Size: 5396, Words: 22, Lines: 25, Duration: 5ms]
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 607ms]
test.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 1ms]
credits.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 5ms]
install.php [Status: 200, Size: 2270, Words: 220, Lines: 76, Duration: 1ms]
db [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 79ms]
bugs.txt [Status: 200, Size: 7858, Words: 504, Lines: 159, Duration: 2ms]
bugs [Status: 200, Size: 7858, Words: 504, Lines: 159, Duration: 4ms]
update.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 193ms]
js [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 4ms]
message.txt [Status: 200, Size: 28, Words: 5, Lines: 1, Duration: 1ms]
message [Status: 200, Size: 28, Words: 5, Lines: 1, Duration: 5ms]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 5ms]
connect.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 9ms]
robots [Status: 200, Size: 167, Words: 9, Lines: 11, Duration: 3ms]
robots.txt [Status: 200, Size: 167, Words: 9, Lines: 11, Duration: 4ms]
fonts [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 2ms]
666 [Status: 200, Size: 112, Words: 17, Lines: 7, Duration: 3ms]
captcha.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 6ms]
soap [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 4ms]
passwords [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 0ms]
aim.php [Status: 200, Size: 9958, Words: 608, Lines: 33, Duration: 8ms]
secret.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 9ms]
reset.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 8ms]
backdoor.php [Status: 200, Size: 333, Words: 21, Lines: 1, Duration: 5ms]
lang_en.php [Status: 200, Size: 61, Words: 7, Lines: 1, Duration: 6ms]
stylesheets [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 7ms]
.php [Status: 403, Size: 286, Words: 21, Lines: 11, Duration: 0ms]
.html [Status: 403, Size: 287, Words: 21, Lines: 11, Duration: 0ms]
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 20ms]
top_security.php [Status: 200, Size: 2208, Words: 320, Lines: 75, Duration: 9ms]
phpinfo.php [Status: 200, Size: 78622, Words: 4176, Lines: 941, Duration: 94ms]
lang_fr.php [Status: 200, Size: 65, Words: 7, Lines: 1, Duration: 7ms]
selections.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 8ms]
:: Progress: [350604/350604] :: Job [1/1] :: 3333 req/sec :: Duration: [0:01:44] :: Errors: 0 :: Y por lo que vemos el diccionario se duplica ya que esta buscando las palabras normales, mas con las extensiones añadidas que le hemos puesto y ya veremos que encontramos mas resultados.
