Wfuzz is a free and open-source tool that allows an attacker to brute-force web applications. It provides various features, for example login page bypass, brute-forcing GET and POST parameters, and finding hidden content (directories, scripts, etc.). Wfuzz comes pre-installed in Kali Linux. If you want to install wfuzz on Ubuntu or Kali Linux, run the command below.
sudo apt-get install wfuzz
Multiple Injection points capability with multiple dictionaries
Recursion (When doing directory brute force)
Post, headers, and authentication data brute forcing
Output to HTML
Hide results by return code, word numbers, line numbers, regex
Time delays between requests
Authentication support (NTLM, Basic)
All parameters brute-forcing (POST and GET)
Multiple encoders per payload
Payload combinations with iterators
Baseline request (to filter results against)
Brute force HTTP methods
Multiple proxy support (each request through a different proxy)
HEAD scan (faster for resource discovery)
Dictionaries tailored for known applications (Weblogic, iPlanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion, and many more)
Before starting to hack the target website, we need to know some basic commands of the wfuzz tool. For that, we can open its help page. Let's follow the command below.
Information gathering is a crucial phase of website hacking. It can be challenging to hack a website without it. We spent more time gathering information about the target website, such as name, phone, email, etc. After that, we generated password wordlists using the crunch tool. If you don't know how to make password wordlists, first read the blog below.
We opened the target website in our browser, and it looks pretty charming. Remember, we have used our website for demo purposes. It is only a virtual environment; don't try to hack this website.
We will scan for the website's admin page. For that, dirbuster is a good tool, which can be used to perform brute-force attacks on any website. It is a convenient tool for finding hidden directories, URIs, the robots.txt file, the .htaccess file, etc.
Excellent! We have discovered the admin page of the target website.
We noticed a suspicious file extension: the page is developed in PHP. I think that there is more malicious code available on the Internet. It depends on the PHP version. Let's enter some malicious code on the target website.
I found that the malicious code is not working. Let's intercept the POST request by entering the default username and password on the target website. For that, we will use the Burp Suite tool. Burp Suite is one of the most popular penetration testing and bug bounty tools. It comes in both free and paid versions, but the paid version is more reliable compared to the free one. Burp Suite Community Edition comes pre-installed in Kali Linux.
We have mentioned its essential parameters, which are often used to bypass the login page.
We have obtained the POST request data of the target website. Next, we will try all the credentials against it with the wfuzz tool. Let's follow the image below.
As you know, our mission is to hack the pentestblog website. For that, we need a username and password. Wfuzz allows an attacker to use the password wordlists mentioned above during the brute-force attack.
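From the defender's side, both the directory scan and the login wordlist run described above show up in the web server access log as bursts of requests from a single client. The following is an added example, not part of the original post: it flags clients that exceed a per-minute threshold of POSTs to the login page or of 404 responses. The login path, the thresholds and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined/common log format: ip, timestamp, request line, status.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/admin/login.php"   # assumption: hypothetical login endpoint
WINDOW_S = 60                     # sliding window in seconds
MAX_LOGIN_POSTS = 10              # assumed threshold, tune per site
MAX_404 = 20                      # assumed threshold, tune per site

def detect(lines):
    """Return {ip: {reasons}} for clients over a threshold in any window.
    Assumes each client's lines arrive in chronological order."""
    windows = defaultdict(lambda: {"login": deque(), "404": deque()})
    alerts = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if m["method"] == "POST" and m["path"].split("?")[0] == LOGIN_PATH:
            kind, limit, reason = "login", MAX_LOGIN_POSTS, "login-bruteforce"
        elif m["status"] == "404":
            kind, limit, reason = "404", MAX_404, "dir-enumeration"
        else:
            continue
        q = windows[m["ip"]][kind]
        q.append(ts)
        while ts - q[0] > WINDOW_S:   # drop events older than the window
            q.popleft()
        if len(q) > limit:
            alerts[m["ip"]].add(reason)
    return dict(alerts)

def sample_log():
    """Constructed log lines: one noisy client and one ordinary user."""
    fmt = '{ip} - - [10/Oct/2023:13:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" {st} 512 "-" "-"'
    noisy, user = "198.51.100.9", "192.0.2.44"
    out = [fmt.format(ip=noisy, m=0, s=i, req=f"GET /dir{i}/", st=404) for i in range(40)]
    out += [fmt.format(ip=noisy, m=2, s=i, req=f"POST {LOGIN_PATH}", st=200) for i in range(25)]
    out += [fmt.format(ip=user, m=m, s=0, req=f"POST {LOGIN_PATH}", st=200) for m in range(0, 50, 10)]
    out.append(fmt.format(ip=user, m=55, s=0, req="GET /missing.png", st=404))
    return out

if __name__ == "__main__":
    for ip, reasons in detect(sample_log()).items():
        print(ip, sorted(reasons))
```

Login POSTs are counted regardless of status code because many login forms answer a failed attempt with 200, so the request rate is the more reliable signal.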