
WFUZZ and Webslayer

Web Application Brute Forcer
Blackhat Arsenal USA 2011, Christian Martorella, www.edge-security.com

WFUZZ
It's a web application brute forcer that allows you to perform complex brute force attacks on different web application parts such as parameters, authentication, forms, directories/files, headers, etc. It has a complete set of features, payloads and encodings.


WEBSLAYER
It's a GUI frontend of WFUZZ with some new features like the Payload Generator, Encoder/Decoder and Result analysis capabilities.


Key features

Multiple injection points
Advanced payload management
Multithreading
Encodings
Result filtering
Proxy and SOCKS support (multiple proxies)

Encodings
urlencode, random_uppercase, binary_ascii, base64, double_nibble_hex, uri_hex, sha1, md5, double_urlencode, utf8, utf8_binary, html, html decimal, custom

Payloads
File, List, hexrand, range, names, hexrange

Latest changes
Dynamic output printers
Dynamic payloads
Multiple payload support (FUZZ, FUZ2Z, ..., FUZnZ)
Combine payloads using dynamic iterators (zip, chain, product)
Added list payload
Added encoder_uri_double_hex, encoder_first_nibble_hex, encoder_second_nibble_hex, encoder_none
Multiple encodings per payload
Fixed to FUZZ completely in the URL without hostname, IP or schema (i.e. FUZZ/FUZ2Z)

Latest changes
Added HEAD method scanning
Added magictree support
Fuzzing in HTTP methods
Hide responses by regex
Bash auto completion script (modify and then copy wfuzz_bash_completion into /etc/bash_completion.d)
Verbose output including server header and redirect location
Added follow HTTP redirects option (this functionality was already provided by reqresp)

Directory discovery

wfuzz.py -c -z file,wordlists/commons.txt --hc 404 http://localhost:8888/FUZZ

Directory & File discovery

wfuzz.py -c -z file,wordlist/general/common.txt -z list,-.asp-.txt --hc 404 -o html http://localhost:8888/FUZZFUZ2Z

Local File Inclusion

wfuzz.py -c -v -z file,wordlist/Injections/LFI.txt --hc 404 http://192.168.0.126/includer.php?file=FUZZ

Local File Inclusion w/ Delay
wfuzz.py -c -v -z file,wordlist/Injections/LFI.txt -s 1 -t 1 --hc 404 http://192.168.0.126/includer.php?file=FUZZ

HTTP Methods scanning

wfuzz.py -z file,wordlists/general/http_methods.txt -z file,wordlist/general/common.txt -X http://localhost:8888/FUZ2Z
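Seen from the server side, the directory discovery and HTTP method scanning runs above leave a characteristic trail in the access log: one client requesting many distinct paths with mostly 404 responses, or one client cycling through unusual methods. The following detector is an added example, not part of the original deck or the wfuzz project; it assumes Apache/nginx "combined" log format, uses constructed sample lines, and assumes an unmodified scanner identifies itself with a User-Agent starting with "Wfuzz".

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumption: the server logs in this format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def scan_stats(lines):
    """Per client IP: request count, 404 count, distinct methods and user agents."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "methods": set(), "agents": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:            # skip lines that are not in combined format
            continue
        s = stats[m["ip"]]
        s["requests"] += 1
        if m["status"] == "404":
            s["not_found"] += 1
        s["methods"].add(m["method"])
        s["agents"].add(m["ua"])
    return stats

def flag_scanners(lines, min_requests=5, nf_ratio=0.6, max_methods=3):
    """Return {ip: [reasons]} for clients whose traffic looks like wfuzz-style fuzzing."""
    findings = {}
    for ip, s in scan_stats(lines).items():
        reasons = []
        if s["requests"] >= min_requests and s["not_found"] / s["requests"] >= nf_ratio:
            reasons.append("directory brute force: %d/%d responses were 404"
                           % (s["not_found"], s["requests"]))
        if len(s["methods"]) > max_methods:
            reasons.append("HTTP method scanning: " + ",".join(sorted(s["methods"])))
        if any(ua.lower().startswith("wfuzz") for ua in s["agents"]):
            reasons.append("Wfuzz User-Agent string")   # assumption: tool left its default UA
        if reasons:
            findings[ip] = reasons
    return findings

# Constructed sample lines (not real traffic): one host walking a wordlist, one probing methods.
SAMPLE_LOG = [
    '192.168.0.50 - - [10/Aug/2011:10:00:01 +0000] "GET /admin HTTP/1.1" 404 162 "-" "Wfuzz/2.0"',
    '192.168.0.50 - - [10/Aug/2011:10:00:01 +0000] "GET /backup HTTP/1.1" 404 162 "-" "Wfuzz/2.0"',
    '192.168.0.50 - - [10/Aug/2011:10:00:01 +0000] "GET /test HTTP/1.1" 200 512 "-" "Wfuzz/2.0"',
    '192.168.0.50 - - [10/Aug/2011:10:00:02 +0000] "GET /cgi-bin HTTP/1.1" 404 162 "-" "Wfuzz/2.0"',
    '192.168.0.50 - - [10/Aug/2011:10:00:02 +0000] "GET /old HTTP/1.1" 404 162 "-" "Wfuzz/2.0"',
    '10.0.0.7 - - [10/Aug/2011:10:01:00 +0000] "PUT /index.html HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Aug/2011:10:01:00 +0000] "DELETE /index.html HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Aug/2011:10:01:01 +0000] "TRACE /index.html HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Aug/2011:10:01:01 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '172.16.1.9 - - [10/Aug/2011:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in flag_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds are deliberately simple; in production they should be tuned per site and evaluated per time window, since the deck's delay option (-s) spreads the same pattern over a longer period.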

Using URL as payload and a list of directories
wfuzz.py -c -z list,http://localhost:8888 -z list,admin-phpMyAdmin-test FUZZ/FUZ2Z

wfuzz.py -c -z range,1-254 -z list,admin-phpMyAdmin-test http://192.168.0.FUZZ/FUZ2Z

Encoding a payload

wfuzz.py -c -z file,wordlist/general/test.txt,md5 --hc 404 http://localhost:8888/test/encoded.php?var=FUZZ

Using a baseline request to filter out results
wfuzz.py -c -z file,wordlist/general/test.txt,md5 --hl BBB http://localhost:8888/test/encoded.php?var=FUZZ{baseline}

Using multiple encodings per payload

wfuzz.py -z list,..,double_nibble_hexa@second_nibble_hexa@uri_doub http://localhost:8888/FUZZ/jmx-console

Fuzzing using 4 payloads
wfuzz.py -z list,dir1-dir2 -z file,wordlist/general/common.txt -z list,jsp-php-asp -z range,1-40 http://localhost:8888/FUZZ/FUZ2Z.FUZ3Z?id=FUZ4Z

User-Agent brute forcing filtering by Baseline

wfuzz.py -c -z file,wordlist/fuzzdb/Discovery/PredictableRes/UserAgen -H "User-Agent:FUZZ{mybase}" --hh BBB http://localhost:8888/test/agent.php

Username creation for password cracking

wfuzz.py -c -z username,John-doe -z list,123456admin-password-love -b "user=FUZZ&pass=FUZ2Z" http://localhost:8888/test/login.php

Password brute forcing

wfuzz.py -c -z list,john.doe-admin -z file,wordlist/others/common_pass.txt -d "username=FUZZ{invalid}&password=FUZ2Z{invalid}" --hl BBB -v http://localhost:8888/test/confirm_login.php

Permutation payload

wfuzz.py -c -z permutation,abcdefghijk-2 -z permutation,1234567890-2 --hc 404 --hl BBB http://localhost:8888/test/parameter.php?action=FUZZ{a}FUZ2Z{a}
