FFUF is a command line tool that helps you find hidden endpoints in web apps (files and directories that are not linked by another page on the same web site or from the Internet). Hackers use FFUF to widen their attack surface by mapping out the target web site more extensively than what they would do by just browsing the site manually.
Thanks to its wide set of options and impressive speed, FFUF has become one of the hacking community’s preferred fuzzing tools. And if you’re wondering, FFUF stands for ‘Fuzz Faster U Fool’.
There doesn’t seem to be a wide consensus on how to pronounce it. I tend to pronounce it ‘Eff-fuff’, but you can call it whatever you want. Feel free to be creative…
If you’re running Kali Linux, installing FFUF is pretty straightforward. Just run:
sudo apt install ffuf
Otherwise, get it from the author’s Github repository.
FFUF uses wordlists to carry out its attacks. This means you will need to install wordlists to work with (see this post on wordlists for details). Daniel Miessler’s SecLists will set you on a good path.
Fuzzing for directories
FFUF’s basic syntax is:
ffuf -u http://targetsite.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt
-u lets you specify the target URL
-w lets you specify the path to the wordlist you wish to use
FUZZ is the keyword that will be replaced sequentially by every item in the wordlist during a fuzzing operation.
This allows you to fuzz domain names, subdomains, directories, subdirectories and even GET parameters by just positioning the FUZZ keyword wherever you want in the target URL.
Note that, by default, FFUF is not recursive. Without adequate instructions, it scans only the level where the FUZZ keyword is positioned. This means once it finds a directory, it will not attempt to fuzz that directory to list its content.
If you want to run the same wordlist you ran on the main resource on the directories found, use the -recursion flag:
ffuf -u http://targetsite.com/FUZZ -w /path/to/wordlist.txt -recursion
The scan will then continue into all directory levels.
The -recursion-depth flag lets you limit the depth to which the scan will go within the web app’s directory tree: -recursion-depth 3 will scan into three levels of subdirectories.
The -maxtime flag lets you set the maximum time (in seconds) the recursive scan will be allowed to run.
The -r flag instructs FFUF to follow redirects.
Fuzzing for files
If you’re hunting for files, FFUF lets you add extensions to the words in your chosen wordlist, by using the -e flag with a comma separated list of extensions:
ffuf -u http://targetsite.com/FUZZ -w /path/to/wordlist.txt -e .php,.txt,.bak
This will scan for files with either a .php, .txt or .bak extension.
FFUF also lets you use custom keywords:
ffuf -u http://targetsite.com/KEY -w /path/to/wordlist.txt:KEY
This instructs FFUF to use KEY rather than FUZZ as the placeholder for the fuzzing location in the URL.
The reason for this is that it lets you fuzz for several items inside the same URL using several wordlists:
ffuf -u http://KEY1.com/KEY2 -w /path/to/domainlist:KEY1 -w /path/to/directorieslist.txt:KEY2
The above command takes a list of domain names for KEY1 and uses it to search for domains. It also takes a list of directory names for KEY2 and uses it to search for directories on each of the domains found. You could use the same logic to search for directories across the different subdomains of your target domain.
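To make the keyword and wordlist mechanics concrete, here is an added Python model (my example, not code from the FFUF project or from this post) that expands a URL template the way the commands above do: keywords such as FUZZ or KEY1 replaced from wordlists, -e extensions appended, comment lines skipped as the -ic flag described under Useful flags does, and both the clusterbomb (every combination) and pitchfork (lockstep) orders. The wordlists and the KEY1.targetsite.com host are constructed, and pitchfork mode assumes equal-length lists; how FFUF itself handles unequal lengths is not modelled.

```python
import itertools
from typing import Dict, Iterable, List

# Constructed wordlists standing in for files passed with -w (not from the post).
# The first line of each is a comment line of the kind -ic tells FFUF to skip.
DOMAIN_LIST = ["# subdomain labels for KEY1", "www", "dev"]
DIR_LIST = ["# common directory names for KEY2", "admin", "backup"]

def load_wordlist(lines: Iterable[str], ignore_comments: bool = True) -> List[str]:
    """Read a -w style list: drop blank lines and, like -ic, lines starting with '#'."""
    words = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or (ignore_comments and line.startswith("#")):
            continue
        words.append(line)
    return words

def with_extensions(words: List[str], exts: Iterable[str]) -> List[str]:
    """Model -e: each word is tried bare and with every extension appended."""
    return [w + e for w in words for e in [""] + list(exts)]

def expand(template: str, wordlists: Dict[str, List[str]], mode: str = "clusterbomb") -> List[str]:
    """Substitute each keyword (FUZZ, KEY1, ...) in the URL template.
    clusterbomb: every combination of entries across the lists.
    pitchfork:   lists walked in lockstep (assumes equal-length lists here)."""
    keys = list(wordlists)
    if mode == "clusterbomb":
        combos = itertools.product(*(wordlists[k] for k in keys))
    elif mode == "pitchfork":
        combos = zip(*(wordlists[k] for k in keys))
    else:
        raise ValueError(f"unknown mode: {mode}")
    urls = []
    for combo in combos:
        url = template
        for key, value in zip(keys, combo):
            url = url.replace(key, value)   # every occurrence of the keyword is replaced
        urls.append(url)
    return urls

if __name__ == "__main__":
    dirs = with_extensions(load_wordlist(DIR_LIST), [".php", ".bak"])
    cluster = expand("http://KEY1.targetsite.com/KEY2", {"KEY1": load_wordlist(DOMAIN_LIST), "KEY2": dirs})
    pitch = expand("http://KEY1.targetsite.com/KEY2", {"KEY1": load_wordlist(DOMAIN_LIST), "KEY2": load_wordlist(DIR_LIST)}, "pitchfork")
    print(f"clusterbomb: {len(cluster)} requests, e.g. {cluster[-1]}")
    print(f"pitchfork: {len(pitch)} requests, e.g. {pitch[-1]}")
```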
Useful flags
There are many flags you can use with FFUF to fine tune your scans. Here are the most common ones.
To check which version of FFUF is installed:
ffuf -V
Using silent mode:
The -s flag tells FFUF to skip display during the scan and just print the results found.
Clarifying the output:
The -v flag instructs FFUF to list the full URLs of entry points found (not just the name of the file or directory) and indicate which ones are files and which ones are directories. This is particularly helpful when you’re just getting started with fuzzing.
The -o flag lets you specify the name of a text file you want to save the output to (e.g. -o output.txt).
The output file will be in json format by default. In addition to the -o flag, you may also use the -of flag to specify a different file format (available options are ejson, html, md, csv and ecsv).
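As an added example (not part of the original post), here is a small Python reader for the json file that -o writes: it groups hits by status code, labels directories the way -v does (a redirect to the same path with a trailing slash added) and flags hits that share an identical size signature, a common sign that the server serves one catch-all page for any path. The sample file and its field names are constructed from my understanding of FFUF’s JSON writer, so check them against a real output file.

```python
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of a ffuf -o/-of json file. The top-level and per-result field
# names follow ffuf's JSON writer as I understand it (an assumption); values are made up.
SAMPLE_JSON = """{
  "commandline": "ffuf -u http://targetsite.com/FUZZ -w common.txt -o out.json",
  "time": "2024-01-01T00:00:00Z",
  "results": [
    {"input": {"FUZZ": "admin"}, "position": 3, "status": 301, "length": 178, "words": 6, "lines": 8, "redirectlocation": "http://targetsite.com/admin/", "url": "http://targetsite.com/admin"},
    {"input": {"FUZZ": "index.php"}, "position": 9, "status": 200, "length": 4512, "words": 300, "lines": 120, "redirectlocation": "", "url": "http://targetsite.com/index.php"},
    {"input": {"FUZZ": "backup"}, "position": 17, "status": 200, "length": 199, "words": 14, "lines": 9, "redirectlocation": "", "url": "http://targetsite.com/backup"},
    {"input": {"FUZZ": "robots.txt"}, "position": 22, "status": 200, "length": 199, "words": 14, "lines": 9, "redirectlocation": "", "url": "http://targetsite.com/robots.txt"}
  ]
}"""

def load_results(text: str) -> List[dict]:
    return json.loads(text)["results"]

def by_status(results: List[dict]) -> Dict[int, List[str]]:
    """Group hit URLs by HTTP status code."""
    groups: Dict[int, List[str]] = defaultdict(list)
    for r in results:
        groups[r["status"]].append(r["url"])
    return dict(groups)

def classify(result: dict) -> str:
    """Directory vs file, the way -v labels them: a 301/302 whose Location is the same
    path with a trailing slash added is a directory; everything else is treated as a file."""
    loc = result.get("redirectlocation") or ""
    if result["status"] in (301, 302) and loc == result["url"].rstrip("/") + "/":
        return "directory"
    return "file"

def duplicate_signatures(results: List[dict]) -> Dict[Tuple[int, int, int, int], List[str]]:
    """Hits sharing the same (status, length, words, lines) are usually one catch-all page
    served for any path, i.e. false positives worth checking before trusting them."""
    sig: Dict[Tuple[int, int, int, int], List[str]] = defaultdict(list)
    for r in results:
        sig[(r["status"], r["length"], r["words"], r["lines"])].append(r["url"])
    return {k: v for k, v in sig.items() if len(v) > 1}

if __name__ == "__main__":
    res = load_results(SAMPLE_JSON)
    for r in res:
        print(f'{r["status"]} {classify(r):9} {r["url"]}')
    print("possible catch-all clones:", duplicate_signatures(res))
```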
Some wordlists include comment lines (lines that start with #) at the beginning of the text file to give some details on the list and its use. FFUF will treat these lines as part of the wordlist and will attempt to fuzz using these words.
To avoid this, use the -ic flag to instruct FFUF to ignore comment lines in wordlist files. This will make your life easier and spare you the burden of editing these wordlists to remove the comments.
Adjusting fuzzing speed
As mentioned above, FFUF is particularly fast. As great as this may be, the downside is that your target may become unresponsive if overwhelmed with requests that come in too fast.
The -p flag lets you slow down requests if required. It specifies the number of seconds between requests:
-p 2 sends a request every 2 seconds.
-p 0.2-2.5 sets a random delay between 0.2 and 2.5 seconds between requests.
A different throttling option is -rate. This flag sets the number of requests sent per second:
-rate 2 sends 2 requests per second.
You can also increase or decrease scanning speed by using the -t flag to specify the number of concurrent threads you want to use (default is 40).
What next?
As you get familiar with FFUF, you will find many avenues to explore. Here are some of them.
You can direct matching requests to Burp Suite to further investigate the files and directories found and build a directory tree that you can navigate (I’ll go into this in a later post).
You can decide if you want to run a clusterbomb or a pitchfork attack.
You can also send POST requests through FFUF to a login page if you want to guess user names and passwords.
If you want to learn more about FFUF here are some great resources:
Michael Skelton’s (codingo) video tutorial.
Katie Paxton’s (InsiderPhD) video tutorial.
Alexis Ahmed’s (HackerSploit) video tutorial.
And if you want the full story, here is a complete guide written by Michael Skelton.