# Course #687: Introduction to wfuzz
## Installation and Configuration on Kali Linux
### Prerequisites
Before you install `wfuzz`, ensure that your Kali Linux system is up to date. Open a terminal and run the following commands:
```bash
sudo apt update && sudo apt upgrade
```
### Installing wfuzz
`wfuzz` comes pre-installed in the latest versions of Kali Linux. To verify that it is installed, run the following command:
```bash
wfuzz --version
```
If for any reason it is not installed, you can install it by running:
```bash
sudo apt install wfuzz
```
### Configuration
`wfuzz` does not require extensive configuration out of the box. However, you may want to customize a few settings based on your pentesting needs. Configuration files are usually located in `~/.wfuzz`. You can create or edit the configuration file:
```bash
nano ~/.wfuzz/wfuzz.conf
```
In this file, you can set various options, such as default headers, user agents, and other parameters that you use frequently.
### Basic Configuration Example
Here’s an example configuration that sets a default user agent and adds custom headers:
```ini
[global]
user-agent = Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
add_header = X-My-Header: MyValue
```
## Step-by-Step Usage and Real-World Use Cases
### Overview of wfuzz
`wfuzz` is a versatile tool primarily used for brute-forcing web applications. It allows penetration testers to perform a variety of tasks, including:
- Directory and file brute-forcing
- Parameter fuzzing
- Authentication brute-forcing
- Vulnerability testing for sites like WordPress
### Basic Syntax
The basic syntax of `wfuzz` is as follows:
```bash
wfuzz -c -z <payload> [-d <postdata>] -u <url>
```
Where:
- `-c`: Colorize the output.
- `-z`: Specify the fuzzing payload.
- `-d`: Specify POST data.
- `-u`: Specify the target URL; the keyword `FUZZ` marks where each payload value is inserted, as in the examples below.
### Example Use Cases
#### 1. Directory and File Brute-Forcing
To perform a directory and file brute-force attack, you’ll need a wordlist. Kali Linux provides several wordlists, which can be found in `/usr/share/wordlists/`. For example, `dirb/common.txt` is a common wordlist.
Run the following command to brute-force directories:
```bash
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ
```
#### 2. Parameter Fuzzing
`wfuzz` can also be used for parameter fuzzing in web applications. This is particularly useful for testing SQL injection, XSS, and other vulnerabilities.
Example command for fuzzing a parameter:
```bash
wfuzz -c -z file,/path/to/payloads.txt -u http://TARGET_URL/index.php?param=FUZZ
```
#### 3. WordPress Authentication Brute-Forcing
WordPress is a popular target due to its widespread usage. You can use `wfuzz` to brute-force WordPress login credentials.
Use the following command:
```bash
wfuzz -c -z file,/path/to/usernames.txt -z file,/path/to/passwords.txt -d "log=FUZZ&pwd=FUZ2Z" -u http://TARGET_URL/wp-login.php
```
### Detailed Technical Explanations
#### Fuzzer Payloads
The `-z` option is fundamental as it defines how `wfuzz` will mutate your requests. You can pass different payload source types:
- **File**: As shown in the examples, you can specify a file path to use as your wordlist.
- **List**: You can provide a list of values directly in the command.
- **Range**: You can create numeric ranges for brute-forcing.
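To make the `-z` syntax concrete, here is an added Python model of how the three payload types above expand and how the `FUZZ`, `FUZ2Z`, ... markers are filled from them. It is not wfuzz's own code: it assumes wfuzz's documented separators (`-` between list items and between range bounds) and its default product iterator, which pairs every value of one payload with every value of the next; the `read_file` hook and the function names are this example's own.

```python
"""Model of how wfuzz expands -z payload specs and fills FUZZ markers.

Added example, not wfuzz's own code. Mirrors the documented payload syntax
(file,<path> / list,<a-b-c> / range,<n-m>) and the FUZZ, FUZ2Z, FUZ3Z markers;
the product iteration assumes wfuzz's default "-m product" behaviour.
"""
import itertools
import re
from pathlib import Path
from typing import Callable, Dict, Iterator, List, Optional

# FUZZ -> payload 1, FUZ2Z -> payload 2, FUZ3Z -> payload 3, ...
MARKER_RE = re.compile(r"FUZ(\d*)Z")


def expand_payload(spec: str, *, read_file: Optional[Callable[[str], str]] = None) -> List[str]:
    """Turn one -z spec into the list of values it yields."""
    kind, _, arg = spec.partition(",")
    if kind == "file":
        # read_file lets a caller inject content (used by the test); default reads from disk.
        text = read_file(arg) if read_file else Path(arg).read_text(encoding="utf-8", errors="replace")
        return [line.strip() for line in text.splitlines() if line.strip()]
    if kind == "list":
        return arg.split("-")            # wfuzz separates list items with '-'
    if kind == "range":
        lo, _, hi = arg.partition("-")   # inclusive numeric range, e.g. range,1-10
        return [str(i) for i in range(int(lo), int(hi) + 1)]
    raise ValueError(f"unsupported payload type: {kind!r}")


def substitute(template: str, values: List[str]) -> str:
    """Replace FUZZ/FUZ2Z/... in template with the matching payload value."""
    def repl(m: re.Match) -> str:
        i = 1 if m.group(1) == "" else int(m.group(1))
        if i > len(values):
            raise ValueError(f"template uses FUZ{i}Z but only {len(values)} payloads were given")
        return values[i - 1]
    return MARKER_RE.sub(repl, template)


def generate_requests(url: str, data: Optional[str], specs: List[str],
                      *, read_file: Optional[Callable[[str], str]] = None) -> Iterator[Dict]:
    """Yield one (url, data) pair per payload combination, like wfuzz's product iterator."""
    payloads = [expand_payload(s, read_file=read_file) for s in specs]
    for combo in itertools.product(*payloads):
        values = list(combo)
        yield {
            "url": substitute(url, values),
            "data": substitute(data, values) if data is not None else None,
        }


if __name__ == "__main__":
    # Count the combinations of a two-payload run before launching it.
    plan = list(generate_requests("http://TARGET_URL/FUZZ/page.php?id=FUZ2Z", None,
                                  ["list,admin-images", "range,1-3"]))
    print(len(plan), "requests; first:", plan[0]["url"])
```

Counting the combinations before a run is worth doing: two lists of 1,000 entries produce a million requests under product iteration, whereas wfuzz's `-m zip` iterator pairs entries positionally instead.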
#### Output and Response Codes
`wfuzz` parses the HTTP response code of every request, which helps identify valid responses. The `--sc` option shows only responses with the listed status codes, and `--hc` hides the listed codes instead.
Example of showing only 200 and 404 status codes:
```bash
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ --sc 200,404
```
#### External Reference Links
1. [Official wfuzz Documentation](http://wfuzz.readthedocs.io/en/latest/)
2. [Kali Linux Documentation](https://www.kali.org/docs/)
3. [OWASP: Web Application Testing](https://owasp.org/www-project-web-security-testing-guide/)
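The directory brute-forcing and WordPress login commands shown earlier leave a distinctive trace in the target's access log, which is how a defender notices them. As an added example (not part of this course or of wfuzz), the Python below reads combined-format web server log lines, keeps a per-client sliding window, and flags clients that produce many 404s in a short time or many POSTs to `/wp-login.php`; it also flags the tool's default `Wfuzz/<version>` User-Agent, which is an assumption about the default and is easily changed by the operator, so it is treated as a weak signal only. The log lines are constructed for the example and use documentation-range IP addresses.

```python
"""Detecting wfuzz-style scans in web server access logs.

Added example, not part of the original course. Assumes the Apache/Nginx
"combined" log format. Flags a client when, within a sliding window, it
produces many 404s (directory/file brute-forcing) or many POSTs to
/wp-login.php (login brute-forcing). The "Wfuzz/" User-Agent check relies on
the tool's default UA (assumed), which a tester can override, so it is a weak signal.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Set

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Dict:
    """Parse one combined-format line into a dict with a datetime and integer status."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d


def _push(window: Deque[datetime], ts: datetime, window_s: int) -> int:
    """Add ts to a per-client window, drop events older than window_s, return the count."""
    window.append(ts)
    while (ts - window[0]).total_seconds() > window_s:
        window.popleft()
    return len(window)


def detect_scans(lines: List[str], *, window_s: int = 60,
                 max_404: int = 20, max_login_posts: int = 10) -> Dict[str, List[str]]:
    """Return {client_ip: [reasons]} for clients exceeding a threshold in any window."""
    alerts: Dict[str, Set[str]] = defaultdict(set)
    not_found: Dict[str, Deque[datetime]] = defaultdict(deque)
    login_posts: Dict[str, Deque[datetime]] = defaultdict(deque)

    for line in lines:                      # lines are assumed to be in time order
        e = parse_line(line)
        ip, ts = e["ip"], e["ts"]
        if e["ua"].startswith("Wfuzz/"):    # assumed default UA; weak signal
            alerts[ip].add("default wfuzz user-agent")
        if e["status"] == 404 and _push(not_found[ip], ts, window_s) >= max_404:
            alerts[ip].add(f">= {max_404} 404s within {window_s}s")
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php") \
                and _push(login_posts[ip], ts, window_s) >= max_login_posts:
            alerts[ip].add(f">= {max_login_posts} POSTs to wp-login.php within {window_s}s")
    return {ip: sorted(r) for ip, r in alerts.items()}


def make_sample_log() -> List[str]:
    """Constructed sample: one directory scanner, one login brute-forcer, one normal visitor."""
    base = "[10/Mar/2024:12:00:{:02d} +0000]"
    lines = []
    for i in range(25):   # 25 misses in 25 seconds from 203.0.113.10
        lines.append(f'203.0.113.10 - - {base.format(i)} "GET /dir{i} HTTP/1.1" 404 196 "-" "Wfuzz/3.1.0"')
    for i in range(12):   # 12 login POSTs in 12 seconds from 198.51.100.7
        lines.append(f'198.51.100.7 - - {base.format(i)} "POST /wp-login.php HTTP/1.1" 200 2534 "-" "Mozilla/5.0"')
    lines.append(f'192.0.2.5 - - {base.format(30)} "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, reasons in detect_scans(make_sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds are illustrative; tune them against your own traffic baseline, and pair the alert with rate limiting or lockout on the login endpoint so that a brute-force run is slowed as well as noticed.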
## Code Examples for WordPress
### Listing WordPress Plugins
One of the common tasks during a pentest on a WordPress site is to identify installed plugins. You can use `wfuzz` for this purpose:
```bash
wfuzz -c -z file,/usr/share/wordlists/wordpress_plugins.txt -u http://TARGET_URL/wp-content/plugins/FUZZ
```
### Finding Sensitive Files
Another useful command is to find sensitive files that might be accessible:
```bash
wfuzz -c -z file,/usr/share/wordlists/sensitive_files.txt -u http://TARGET_URL/FUZZ
```
### Conclusion
In summary, `wfuzz` is a highly flexible and powerful tool for penetration testing web applications. This course section provided insights into its installation, configuration, usage, and real-world scenarios. With this knowledge, you can effectively leverage `wfuzz` in your pentesting endeavors, particularly for web applications like WordPress.
---
Made by pablo rotem / פבלו רותם