Crawl/Fuzz

Crawlers

Commands:

dirhunt https://url.com/
hakrawler -domain https://url.com/
python3 sourcewolf.py -h
gospider -s "https://example.com/" -o output -c 10 -d 1
gospider -S sites.txt -o output -c 10 -d 1
gospider -s "https://example.com/" -o output -c 10 -d 1 --other-source --include-subs

Fuzzers

ffuf

Discover content:

ffuf -recursion -mc all -ac -c -e .htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml -w six2dez/OneListForAll/onelistforall.txt -u https://url.com/FUZZ

Headers discovery:

ffuf -mc all -ac -u https://hackxor.net -w six2dez/OneListForAll/onelistforall.txt -c -H "FUZZ: Hellothereheadertesting123 asd"

Proxy / Burp replay:

ffuf -replay-proxy http:127.0.0.1:8080

Fuzzing extensions (common set):

.htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml,.inc

Backups extensions (examples):

'.bak','.bac','.old','.000','.~','.01','._bak','.001','.inc','.Xxx'

kr (kiterunner)

Repository: https://github.com/assetnote/kiterunner

Examples:

kr brute https://whatever.com/ -w onelistforallmicro.txt -x 100 --fail-status-codes 404
kr scan https://whatever.com/ -w routes-small.kite -A=apiroutes-210228 -x 100 --ignore-length=34

chameleon

Repository: https://github.com/iustin24/chameleon

Example:

./chameleon -u http://testphp.vulnweb.com -a -A

Best wordlists for fuzzing

https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
- raft-large-directories-lowercase.txt
- directory-list-2.3-medium.txt
- RobotsDisallowed/top10000.txt
https://github.com/assetnote/commonspeak2-wordlists/tree/master/wordswithext
https://github.com/random-robbie/bruteforce-lists
https://github.com/google/fuzzing/tree/master/dictionaries
https://github.com/six2dez/OneListForAll
AIO: https://github.com/foospidy/payloads
Check https://wordlists.assetnote.io/

Pro tip: set the header Host: localhost

Custom generated dictionary examples

Generate paths from gau output:

gau example.com | unfurl -u paths

Get files only:

sed 's#/#\n#g' paths.txt | sort -u

Other examples:

gau example.com | unfurl -u keys
gau example.com | head -n 1000 | fff -s 200 -s 404

Hardware devices admin panel

Default HTTP login hunter: https://github.com/InfosecMatter/default-http-login-hunter

Example:

default-http-login-hunter.sh https://10.10.0.1:443/

Dirsearch

Example:

dirsearch -r -f -u https://10.11.1.111 --extensions=htm,html,asp,aspx,txt -w six2dez/OneListForAll/onelistforall.txt --request-by-hostname -t 40

dirb

Example:

dirb http://10.11.1.111 -r -o dirb-10.11.1.111.txt

wfuzz

Example:

wfuzz -c -z file,six2dez/OneListForAll/onelistforall.txt --hc 404 http://10.11.1.11/FUZZ

gobuster

Example:

gobuster dir -u http://10.11.1.111 -w six2dez/OneListForAll/onelistforall.txt -s '200,204,301,302,307,403,500' -e

Cansina

Repository: https://github.com/deibit/cansina

Example:

python3 cansina.py -u example.com -p PAYLOAD

Get endpoints from JS

LinkFinder: https://github.com/GerbenJavado/LinkFinder

Examples:

python linkfinder.py -i https://example.com -d
python linkfinder.py -i burpfile -b

JS enumeration script: https://github.com/KathanP19/JSFScan.sh

Rate limiting tip

If you get HTTP 429 responses, try adding one of these headers (set value to an IP you control or to localhost for bypass attempts):

Client-Ip: IP
X-Client-Ip: IP
X-Forwarded-For: IP
X-Forwarded-For: 127.0.0.1

PreviousDOM Cloberring NextFile Inclusion (LFI/RFI)

Last updated 2 months ago

hashtagCrawlers

hashtagFuzzers

hashtagffuf

hashtagkr (kiterunner)

hashtagchameleon

hashtagBest wordlists for fuzzing

hashtagCustom generated dictionary examples

hashtagHardware devices admin panel

hashtagDirsearch

hashtagdirb

hashtagwfuzz

hashtaggobuster

hashtagCansina

hashtagGet endpoints from JS

hashtagRate limiting tip

Crawlers

Fuzzers

ffuf

kr (kiterunner)

chameleon

Best wordlists for fuzzing

Custom generated dictionary examples

Hardware devices admin panel

Dirsearch

dirb

wfuzz

gobuster

Cansina

Get endpoints from JS

Rate limiting tip