#ffuf #directory-brute-forcing #subdomain-brute-forcing Can use to search for useful directories and subdomains during [[Web Enumeration]] ## Directory Brute Force ```shell ffuf -u http://hostname.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -v -c -t 100 ``` - Append `-fs` once replies are shown to filter out bad responses. Alternatively, `-fc` or `-ft` for filtering response codes and time respectively. ## Subdomain Bruteforce ```shell ffuf -u http://hostname.com -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST: FUZZ.hostname.com" -c -v -t 100 ``` - Append `-fs` once replies are shown to filter out bad responses. Alternatively, `-fc` or `-ft` for filtering response codes and time respectively. ## Miscellaneous ### Useful Switches | Swtich | Description | | ------ | ---------------------- | | -v | Verbose | | -c | Color | | - t | Threads (e.g. 100) | | -fs | Filter size | | -fc | FIlter Code | | -ft | Filter time to respond | ```shell # Using ffuf with multiple word lists to search for hidden directories ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://192.168.10.10/FOLDERS/WORDLISTEXTENSIONS ``` ### Recursion This is simular to the first scan but this time we're using the -recursion switch. This switch tells ffuf that if it enounters a directory it should start another scan within that directory and so on until no more results are found Run and filter word size of invalid responses ```shell ffuf -u http://devvortex.htb/ -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.devvortex.htb" -fw 4 ```