Web Application Brute Forcer
Blackhat Arsenal USA 2011 - Christian Martorella - www.edge-security.com
WFUZZ
It's a web application brute forcer that allows you to perform complex brute force attacks against different parts of a web application: parameters, authentication, forms, directories/files, headers, files, etc. It has a complete set of features, payloads and encodings.
WEBSLAYER
It's a GUI frontend for WFUZZ with some new features such as the Payload Generator, Encoder/Decoder and result analysis capabilities.
Key features
Encodings
urlencode, random_uppercase, binary_ascii, base64, double_nibble_hex, uri_hex, sha1, md5, double_urlencode, utf8, utf8_binary, html, html decimal, custom
Payloads
File, List, hexrand, range, names, hexrange
Latest changes
- Dynamic output printers
- Dynamic payloads
- Multiple payload support (FUZZ, FUZ2Z, ..., FUZnZ)
- Combine payloads using dynamic iterators (zip, chain, product)
- Added list payload
- Added encoder_uri_double_hex, encoder_first_nibble_hex, encoder_second_nibble_hex, encoder_none
- Multiple encodings per payload
- Fixed: FUZZ can now replace the complete URL, without hostname, IP or schema (i.e. FUZZ/FUZ2Z)
- Added HEAD method scanning
- Added magictree support
- Fuzzing in HTTP methods
- Hide responses by regex
- Bash auto completion script (modify and then copy wfuzz_bash_completion into /etc/bash_completion.d)
- Verbose output including server header and redirect location
- Added follow HTTP redirects option (this functionality was already provided by reqresp)
Directory discovery
wfuzz.py -c -z file,wordlists/commons.txt --hc 404 http://localhost:8888/FUZZ
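The defender-side view of the directory discovery run above: a wordlist scan hidden behind --hc 404 on the attacker's side still leaves a dense burst of 404s for many distinct paths in the web server log. The detector below is an added example, not code from the slides or the wfuzz project; it assumes Apache/nginx combined log format, uses constructed sample log lines, and its window and threshold values are placeholders to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed input: Apache/nginx "combined" log format. Adjust LOG_RE for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
WINDOW_SECONDS = 10   # placeholder sliding-window length
THRESHOLD = 8         # placeholder: distinct 404 paths from one IP inside the window

def parse_line(line):
    """Return (ip, timestamp, path, status) or None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def detect_dir_bruteforce(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Flag IPs that request >= threshold distinct missing paths within `window` seconds.
    A wordlist scan yields many different 404 paths in a short burst; ordinary browsing
    yields isolated ones. Returns {ip: most distinct 404 paths seen in any one window}.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, path) for recent 404s
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != 404:
            continue
        ip, ts, path, _ = parsed
        q = recent[ip]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window:   # expire entries outside the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), distinct)
    return alerts

def _line(ip, sec, path, status):   # builds one constructed combined-format log line
    return (f'{ip} - - [10/Oct/2011:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

# Constructed sample: 10.0.0.9 browses normally, 10.0.0.5 runs a wordlist scan.
SAMPLE_LOG = [_line("10.0.0.9", 1, "/index.php", 200), _line("10.0.0.9", 3, "/favicon.ico", 404)]
SAMPLE_LOG += [_line("10.0.0.5", 5 + i, f"/{w}", 404) for i, w in enumerate(
    ["admin", "backup", "test", "old", "tmp", "config", "logs", "private", "uploads"])]
```

Calling detect_dir_bruteforce(SAMPLE_LOG) flags only 10.0.0.5; the single missing favicon from 10.0.0.9 stays below the threshold.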
Directory & File discovery
Local File Inclusion
wfuzz.py -c -v -z file,wordlist/Injections/LFI.txt --hc 404 http://192.168.0.126/includer.php?file=FUZZ
Local File Inclusion w/ Delay
wfuzz.py -c -v -z file,wordlist/Injections/LFI.txt -s 1 -t 1 --hc 404 http://192.168.0.126/includer.php?file=FUZZ
HTTP Methods scanning
wfuzz.py -z file,wordlists/general/http_methods.txt -z file,wordlist/general/common.txt -X FUZZ http://localhost:8888/FUZ2Z
Using URL as payload and a list of directories
wfuzz.py -c -z list,http://localhost:8888 -z list,admin-phpMyAdmin-test FUZZ/FUZ2Z
wfuzz.py -c -z range,1-254 -z list,admin-phpMyAdmin-test http://192.168.0.FUZZ/FUZ2Z
Encoding a payload
Using a baseline request to filter out results
wfuzz.py -c -z file,wordlist/general/test.txt,md5 --hl BBB http://localhost:8888/test/encoded.php?var=FUZZ{baseline}
Using multiple encodings per payload
Fuzzing using 4 payloads
wfuzz.py -z list,dir1-dir2 -z file,wordlist/general/common.txt -z list,jsp-php-asp -z range,1-40 http://localhost:8888/FUZZ/FUZ2Z.FUZ3Z?id=FUZ4Z
User-Agent brute forcing filtering by baseline
Username creation for password cracking
wfuzz.py -c -z username,John-doe -z list,123456-admin-password-love -d "user=FUZZ&pass=FUZ2Z" http://localhost:8888/test/login.php
Password brute forcing
Permutation payload