Embed Size (px)
Citation preview
WFUZZ and WebslayerWeb Application Brute Forcer
Blackhat Arsenal USA 2011Christian Martorellawww.edge-security.com
WFUZZ
It´s a web application brute forcer, that allows youto perform complex brute force attacks in differentweb application parts as: parameters,authentication, forms, directories/files, headersfiles, etc.It has complete set of features, payloads andencodings.
WFUZZ
WEBSLAYER
It´s a GUI frontend of WFUZZ with some newfeatues like the Payload Generator,Encoder/Decoder and Result analysis capabilities.
WEBSLAYER
WFUZZ
WFUZZ
WFUZZ
WFUZZ
WFUZZ
Key featuresMultiple injection pointsAdvance Payload management
Multithreading
Encodings
Result filteringProxy and SOCKS support (multiple proxies)
•
•
•
•
•
•
Encodingsurlencoderandom_uppercasebinary_asciibase64double_nibble_hexuri_hexsha1md5double_urlencodeutf8utf8_binaryhtmlhtml decimalcustom
••••••••••••••
PayloadsFile
List
hexrand
range
names
hexrange
•
•
•
•
•
•
Latest changesDynamic output printers
Dynamic payloads
Multiple payload support (FUZZ, FUZ2Z, ... , FUZnZ)
Combine payloads using dynamic iterators (zip, chain, product)
Added list payload
Added encoder_uri_double_hex encoder_first_nibble_hexencoder_second_nibble_hex encoder_none
Multiple encodings per payload
Fixed to FUZZ completely in the URL without hostname or IP or schema (i.e.FUZZ/FUZ2Z)
Fixed to FUZZ mixing all payload's positions (auth, http method, URL, data)
•
•
•
•
•
•
•
•
•
Latest changesAdded HEAD method scanning
Added magictree support
Fuzzing in HTTP methods
Hide responses by regex
Bash auto completion script (modify and then copywfuzz_bash_completion into /etc/bash_completion.d)
Verbose output including server header and redirect location
Added follow HTTP redirects option (this functionality was alreadyprovided by reqresp)
•
•
•
•
•
•
•
Directory discovery
wfuzz.py -c -z file,wordlists/commons.txt --hc 404 http://localhost:8888/FUZZ
Directory & File discovery
wfuzz.py -c -z file,wordlist/general/common.txt -zlist,-.asp-.txt --hc 404 -o htmlhttp://localhost:8888/FUZZFUZ2Z
Local File Inclusion
wfuzz.py -c -v -z file,wordlist/Injections/LFI.txt --hc404 http://192.168.0.126/includer.php?file=FUZZ
Local File Inclusion w/Delay
wfuzz.py -c -v -z file,wordlist/Injections/LFI.txt -s 1 -t 1 --hc 404 http://192.168.0.126/includer.php?file=FUZZ
HTTP Methods scanning
wfuzz.py -z file,wordlists/general/http_methods.txt -z file,wordlist/general/common.txt -Xhttp://localhost:8888/FUZ2Z
Using URL as payloadand a list of directories
wfuzz.py -c -z list,http://localhost:8888 -zlist,admin-phpMyAdmin-test FUZZ/FUZ2Z
wfuzz.py -c -z range,1-254 -z list,admin-phpMyAdmin-test http://192.168.0.FUZZ/FUZ2Z
Encoding a payload
wfuzz.py -c -z file,wordlist/general/test.txt,md5 --hc404 http://localhost:8888/test/encoded.php?var=FUZZ
Using a baseline requestto filter out results
wfuzz.py -c -z file,wordlist/general/test.txt,md5 --hlBBB http://localhost:8888/test/encoded.php?var=FUZZ{baseline}
Using multiple encodingsper payload
wfuzz.py -zlist,..,double_nibble_hexa@second_nibble_hexa@uri_double_hexadecimal@uri_hexadecimal@first_nibble_hexa@nonehttp://localhost:8888/FUZZ/jmx-console
Fuzzing using 4 payloads
wfuzz.py -z list,dir1-dir2 -zfile,wordlist/general/common.txt -z list,jsp-php-asp-z range,1-40 http://localhost:8888/FUZZ/FUZ2Z.FUZ3Z?id=FUZ4Z
User-Agent brute forcingfiltering by Baseline
wfuzz.py -c -zfile,wordlist/fuzzdb/Discovery/PredictableRes/UserAgents.fuzz.txt-H "User-Agent:FUZZ{mybase}" --hh BBB http://localhost:8888/test/agent.php
Username creation forpassword cracking
wfuzz.py -c -z username,John-doe -z list,123456-admin-password-love -b "user=FUZZ&pass=FUZ2Z"http://localhost:8888/test/login.php
Password brute forcing
wfuzz.py -c -z list,john.doe-admin -zfile,wordlist/others/common_pass.txt -d"username=FUZZ{invalid}&password=FUZ2Z{invalid}"--hl BBB -v http://localhost:8888/test/confirm_login.php
Permutation payload
wfuzz.py -c -z permutation,abcdefghijk-2 -zpermutation,1234567890-2 --hc 404 --hl BBBhttp://localhost:8888/test/parameter.php?action=FUZZ{a}FUZ2Z{a}
