Clusterbomb or pitchfork?

Clusterbomb and pitchfork are terms you will come across when fuzzing web apps using tools like FFUF or Burp Suite. Let’s see how this works with FFUF.

FFUF has two wordlist modes: clusterbomb and pitchfork.
These modes will matter when you want to fuzz two separate positions in your target URL, using two wordlists.

Here is an example of what the corresponding command could look like:
ffuf -u http://targetwebsite.com -w /path/to/list/username.txt:FUZZ1 -w /path/to/list/password.txt:FUZZ2 -X POST -d 'username=FUZZ1&passwd=FUZZ2&submit=Submit' -H 'Content-Type: application/x-www-form-urlencoded'

Let’s take a closer look:

-u http://targetwebsite.com  > this specifies the target URL you want to fuzz.
-w /path/to/list/username.txt:FUZZ1  > this specifies the wordlist you will use for the first position and the name of the placeholder for this first position (FUZZ1).
-w /path/to/list/password.txt:FUZZ2  > this specifies the wordlist you will use for the second position and the name of the placeholder for this second position (FUZZ2).
-X POST  > this indicates FFUF will be sending POST requests.
-d 'username=FUZZ1&passwd=FUZZ2&submit=Submit'  > this specifies the data FFUF is sending in the body of the POST requests: the username, the password and a submit confirmation.
-H 'Content-Type: application/x-www-form-urlencoded'  > this is an additional header to let the server know you are sending form data.

So you have two fuzzing positions (FUZZ1 for usernames, FUZZ2 for passwords) and two wordlists to use (username.txt and password.txt).

Clusterbomb mode

In this mode, FFUF will try every password with every username. In other words, if you have 1000 items in your username wordlist and 500 items in your password wordlist, FFUF will send 500,000 requests (1000 × 500), effectively trying out all possible combinations but generating a lot of requests. Be aware this heavy traffic may raise a red flag on the server’s side.

Pitchfork mode

In this mode, FFUF walks both lists in parallel: the first word in the username list is paired with the first word in the password list, then the second with the second, and so on.
This is useful if you have two lists of matching usernames and passwords that you want to try out.

By default, FFUF works in clusterbomb mode.
If you want to scan in pitchfork mode, add the -mode pitchfork flag to your command:
ffuf -u http://targetwebsite.com -w /path/to/list/username.txt:FUZZ1 -w /path/to/list/password.txt:FUZZ2 -X POST -d 'username=FUZZ1&passwd=FUZZ2&submit=Submit' -H 'Content-Type: application/x-www-form-urlencoded' -mode pitchfork
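To make the difference between the two modes concrete, here is a small added Python example (it is not part of the original post and not FFUF's own code) that generates the request bodies each mode would produce from the -d template above, using two constructed three-word lists in place of username.txt and password.txt. It also computes the request count for each mode, which is the number a defender watching rate limits or auth logs would see. One assumption: what FFUF does when the two lists have different lengths in pitchfork mode is not covered by the post, so this example simply stops at the shorter list.

```python
import itertools
import math

# Constructed sample wordlists standing in for username.txt and password.txt.
USERNAMES = ["alice", "bob", "carol"]
PASSWORDS = ["winter2024", "Passw0rd", "letmein"]

# The POST body template from the ffuf command, with its two placeholders.
BODY_TEMPLATE = "username=FUZZ1&passwd=FUZZ2&submit=Submit"


def combine(mode, *wordlists):
    """Yield one tuple of words per request, paired the way each mode pairs them."""
    if mode == "clusterbomb":
        # Cartesian product: every word of list 1 with every word of list 2.
        yield from itertools.product(*wordlists)
    elif mode == "pitchfork":
        # Parallel iteration: i-th word of each list together.
        # Assumption for this example: stop at the shortest list.
        yield from zip(*wordlists)
    else:
        raise ValueError(f"unknown mode: {mode}")


def render_bodies(mode, template, *wordlists):
    """Return the list of request bodies, FUZZ1/FUZZ2/... substituted per request."""
    bodies = []
    for words in combine(mode, *wordlists):
        body = template
        for idx, word in enumerate(words, start=1):
            body = body.replace(f"FUZZ{idx}", word)
        bodies.append(body)
    return bodies


def request_count(mode, *wordlists):
    """Number of requests the mode generates, without materialising them."""
    sizes = [len(w) for w in wordlists]
    if mode == "clusterbomb":
        return math.prod(sizes)   # product of all list sizes
    if mode == "pitchfork":
        return min(sizes)         # one request per row, bounded by the shortest list
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    for mode in ("clusterbomb", "pitchfork"):
        bodies = render_bodies(mode, BODY_TEMPLATE, USERNAMES, PASSWORDS)
        print(f"{mode}: {len(bodies)} requests")
        for b in bodies:
            print("  ", b)
    # The post's 1000 x 500 figure, reproduced without building the lists' contents.
    print("clusterbomb 1000x500 =", request_count("clusterbomb", range(1000), range(500)))
    print("pitchfork   1000x500 =", request_count("pitchfork", range(1000), range(500)))
```

Running it prints nine bodies for clusterbomb (every username with every password) and three for pitchfork (alice/winter2024, bob/Passw0rd, carol/letmein). The request_count function reproduces the post's arithmetic: 1000 × 500 = 500,000 requests in clusterbomb mode against 500 in pitchfork mode, which is why clusterbomb is the mode most likely to trip server-side rate limiting or alerting.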

Hi! I'm a tech journalist, getting my feet wet in ethical hacking. What you will find here is me taking notes on the tools and techniques I’m learning and offering answers to the questions I had when I first got started not so very long ago.
