How To Hack Website Login Page Using Wfuzz Tool [2021]
Table of Contents
- What is the wfuzz tool?
- How to Brute force login page using wfuzz?
What is the wfuzz tool?
Wfuzz is a free, open-source tool that allows an attacker to brute force web applications. It provides various features, for example login page bypass, brute forcing of GET and POST parameters, and finding hidden resources (directories, scripts, etc.). Wfuzz comes pre-installed in Kali Linux. If you want to install the wfuzz tool on Ubuntu or Kali Linux, run the command below.
sudo apt-get install wfuzz
Wfuzz features:
- Multiple Injection points capability with multiple dictionaries
- Recursion (When doing directory brute force)
- Post, headers, and authentication data brute forcing
- Output to HTML
- Colored output
- Hide results by return code, word numbers, line numbers, regex
- Cookies fuzzing
- Multi threading
- Proxy support
- SOCKS support
- Time delays between requests
- Authentication support (NTLM, Basic)
- All parameters brute-forcing (POST and GET)
- Multiple encoders per payload
- Payload combinations with iterators
- Baseline request (to filter results against)
- Brute force HTTP methods
- Multiple proxy support (each request through a different proxy)
- HEAD scan (faster for resource discovery)
- Dictionaries tailored for known applications (Weblogic, iPlanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion, and many more)
Source: https://github.com/xmendez/wfuzz/
How to Brute Force login page using wfuzz?
Before starting to hack the target website, we need to know some basic commands of the wfuzz tool. For that, we can open its help page with the command below.
wfuzz -h
Information gathering is a crucial phase of website hacking. It can be a challenging task to hack a website without it. We spent more time gathering information about the target website, such as name, phone, email, etc. After that, we generated password wordlists using the crunch tool. If you don’t know how to make password wordlists, first read the blog below.
We opened the target website in our browser, and it looks pretty charming. Remember, we have used our own website for demo purposes. It is only a virtual environment; don’t try to hack this website.
Next, we scan for the website's admin page. DirBuster is a good tool for that: it performs brute force attacks against a website and is a convenient way to find hidden directories, URIs, the robots.txt file, the .htaccess file, etc.
Excellent! We have discovered the admin page of the target website.
We noticed a suspicious file extension: the page is developed in PHP. I think that there is more malicious code available on the Internet. It depends on the PHP version. Let’s enter some malicious code on the target website.
I found that the malicious code is not working. Let’s intercept the POST request by entering a default username and password on the target website. For that, we will use the Burp Suite tool. Burp Suite is one of the most popular penetration testing and bug bounty tools. It comes in both free and paid editions, but the paid version is more reliable compared to the free one. Burp Suite Community Edition comes pre-installed in Kali Linux.
We have mentioned its essential parameter often used to bypass the login page.
We have obtained the POST request data of the target website. In the next step, we will pass these credentials to the wfuzz tool, as shown below.
wfuzz -c -u http://pentestblog/cdn-cgi/login/index.php -d 'username=admin&password=subscribe' -w --hc 200
As you know, our mission is to hack the pentestblog website. For that, we need a username and password. The wfuzz tool allows an attacker to use a password wordlist during the brute force attack mentioned above.
Username: admin
Password: password_disctionary.txt
wfuzz -c -u http://pentestblog/cdn-cgi/login/index.php -d 'username=admin&password=FUZZ' -w password_disctionary.txt --hc 200
Excellent! We have discovered the username & password of the target website.
Username: admin
Password: MEGACORP_4dmln!!
Let’s log in with valid credentials.
We have logged in to the target website with valid credentials, so that we could enter the website server.
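The guessing run above leaves a clear trace in the web server's access log: a burst of POSTs to the login endpoint from one client, all answered 200 until one is not. The detector below is an added example, not part of the original post; the Common Log Format input, the 60-second window, the threshold of 10, the 3xx-on-success behaviour and the sample IP addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/cdn-cgi/login/index.php"  # login endpoint from the article
WINDOW = timedelta(seconds=60)           # assumed sliding window
THRESHOLD = 10                           # assumed max login POSTs per client per window
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def detect(lines):
    """Return per-client counters for POSTs to the login endpoint."""
    recent, report = defaultdict(deque), {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != LOGIN_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > WINDOW:        # drop attempts older than the window
            q.popleft()
        e = report.setdefault(
            m["ip"], {"posts": 0, "burst": False, "success_after_burst": False})
        e["posts"] += 1
        if len(q) > THRESHOLD:
            e["burst"] = True
        # Failed logins answer 200 (the responses --hc 200 hides). Assumption:
        # a successful login answers with a 3xx redirect.
        if e["burst"] and m["status"].startswith("3"):
            e["success_after_burst"] = True  # password likely guessed: rotate it
    return report

def sample_log():
    """Constructed log lines: one client guessing passwords, one ordinary user."""
    base = datetime(2021, 12, 1, 10, 0, 0, tzinfo=timezone.utc)
    def row(ip, offset_s, status):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "POST {LOGIN_PATH} HTTP/1.1" {status} 512'
    lines = [row("203.0.113.7", i // 4, 302 if i == 39 else 200) for i in range(40)]
    lines += [row("198.51.100.20", 5, 200), row("198.51.100.20", 20, 302)]
    return lines

if __name__ == "__main__":
    for ip, e in detect(sample_log()).items():
        print(ip, e)
```

Rate limiting or account lockout on the login endpoint keeps a client from ever reaching the burst this script flags.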
Very interesting blog for me, such awesome content
I was able to find good advice from your articles.
Hello there! Do you use Twitter? I’d like to follow you if that would be okay.
I’m undoubtedly enjoying your blog and look forward to new posts.