wfuzz

https://securitybytes.io/wfuzz-using-the-web-brute-forcer-1bf8890db2fsecuritybytes.io

Find Virtual Hosts

# Find Virtual Hosts running on the same machine
wfuzz --sc 200 -w /usr/share/seclist/Discovery/Web-Content/raft-small-words-lowercase.txt -H "Host: FUZZ.obscurity.htb" 10.10.10.168

Brute-Forcing Auth

wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 http://www.site.com/log.asp?user=FUZZ&pass=FUZ2Z

wfuzz -c -z file,/root/Documents/MrRobot/fsoc.dic -z file,/root/Documents/MrRobot/fsoc.dic --hs Invalid --hs incorrect -d “log=FUZZ&pwd=FUZ2Z” http://192.168.240.129/wp-login.php

Previousjohn NextSearchsploit

Last updated 5 years ago