Fuzzing 101

When it comes to CTF, Cybersecurity, InfoSec or Pen-testing there are a lot of techniques to learn. One of most important, and easiest, to learn is called Fuzzing. Consequently you can use it to find domain names, LFI Directories, Passwords, Hidden Website Pages, Scripts, Vulnerabilities, Backup Files and more. In this post I will introduce to you “Fuzzing 101”, which includes a bit of history, some techniques and common tools. And later, I will do a follow up post on more advanced techniques.

Table of Contents

• What is Fuzzing
• Types of Fuzzing
  • Application Fuzzing
  • Web Fuzzing
    • Extending the Fuzz
    • Tools of the trade
    • Word Lists
  • Directory Fuzzing
    • Example
    • Word Lists
  • Url Fuzzing
  • Password Fuzzing
  • Sub Domain Fuzzing
    • Word Lists
• Tips and Tricks
• Wrap Up

What is Fuzzing

The term “fuzz” was coined around 1990 when students from “University of Wisconsin-Madison” put forward a paper where they sent a stream of random characters to Unix programs in order to produce a crash. They even had a reasonable success rate of around 25% when trying to crash these programs. The name the team came up for this process was “fuzz”. You can take a look at the original paper.

Types of Fuzzing

Application Fuzzing

Application Fuzzing is the original use case for fuzzing. Unix applications were fuzzed with random characters to see if they could be crashed. Interestingly, the first tool for this was a command called “The Fuzz Generator”.

This technique was successful in finding bugs in applications running on Unix systems. So over the years it was ported to other Operating Systems such as Windows NT, MacOS and Linux. There are different types of fuzzing methodologies dealing with Applications and there are specialized tools to use. As Application Fuzzing is a whole universe on it’s own, I will cover it in a later article.

Web Fuzzing

Web fuzzing is the most common type of fuzzing that a new Ethical Hacker will come across when learning to do Capture the Flag Challenges. At the beginning of his learning the Ethical Hacker might even think this is the only use case for fuzzing. But this is not the way, there are many uses for Fuzzing.

Web Fuzzing takes a known URL and starts throwing random words from a list at it so you can identify pages that are not supposed to be exposed.

Easiest way to do anything is by example, so lets create a very basic Python Script to create a fuzz list for a website.

We will use a website called www.example.com for the test. And so we will create a Python List with the fuzzing words. In real world fuzzing you normally just use a text file. There are some very famous ones out there which I will link to later.

def fuzzer():
  fuzzWords = ['test', 'best', 'vest', 'secret']
  url = 'www.example.com'

  for i in fuzzWords:
    print( url + "/" + i)

fuzzer()

This will produce the following output which can be fed into ‘curl’ or ‘wget’ or another python function.

You can see it takes the list and adds each element on to the URL so you can check if it exists. Some software such as WordPress has some very well known paths, such as “wp-admin” and so if you have this in a fuzzing list you can identify WordPress pages. There are lists with tens of thousands of common web directory fuzz words.

Extending the Fuzz

Also worth pointing out is that fuzz lists tend only to have words and no file extensions. Therefore the above list would not find “www.example.com/secret.txt”. So we can fix this by just adding a small bit of code to our script. This includes a new list called extensions.

def fuzzer():
  fuzzWords = ['test', 'best', 'vest', 'secret']
  url = 'www.example.com'
  extentions = [ 'txt', 'bak', 'html', 'php' ]

  for fuzz in fuzzWords:
    print( url + "/" + fuzz)
    for extention in extentions:
      print( url + "/" + fuzz + "." + extention)

fuzzer()

Adding these extra extensions to check for, .txt, .html, .php and .bak starts to make our output a lot bigger. For some of the larger fuzzing files it can add a significant amount of time onto the scan.

As all of this is some very basic Web Site fuzzing but it should give you the idea of how it works.

Tools of the trade

While there are many tools for this job I would recommend you avoid the graphical ones if you are just beginning to learn about Ethical Hacking. As it’s important to get good at running these types of commands on the command line and there is the bonus that its much faster. Note that the Graphical Fuzzers listed below have many other Functions outside of Fuzzing. See my BurpSuite Basic Guide.

Graphical Fuzzers

• BurpSuite
• Zed Attack Proxy

Command Line Fuzzers

• dirb
• Gobuster

Lists to get Started with

• The dirb command comes with some fuzzing lists installed. In Kali and BlackArch you can find them in the directory “/usr/share/dirb/wordlists”.
• Another popular list for Web Fuzzing is called “directory-list-2.3-medium.txt”. You can grab it on github at Daniel Miesslers SecLists page. Be sure to explore this GitHub page in full as there is a lot of interesting lists on it.

Directory Fuzzing

Directory fuzzing can be used for finding files or directories when a LFI vulnerability is found. An LFI (Local File Inclusion) vulnerability is where files can be grabbed from the local file system of a Web Server. This can be caused by bad PHP code (usually with the include function) which can be exploited. As this is not a post about LFI vulnerabilities I wont go into to much details of it but you can find my post on exploiting LFI that explains it a bit more.

A typical word list for Directory fuzzing would be critical systems files such as /etc/password, /ete/shadow or ssh private keys. However with these types of vulnerabilities the files we are looking for are relative to the directory that we can access on the remote server. Some examples would look like,

../../../../../../../etc/passwd
../../../../../../../home/<users>/.ssh/authorized_keys
../../../../../../../home/<users>/.ssh/bash_history
../../../../../../../home/<users>/.ssh/id_rsa
../../../../../../../root/.ssh/authorized_keys
../../../../../../../root/.ssh/id_rsa

You can get the user you have access to by looking at the below file.

../../../../../../../proc/self/environ

Directory Fuzzing Example

The best tool I have found for fuzzing remote Directories is the command “wfuzz”. Lets take a look at an example.

wfuzz  -w lfi.txt -u 'http://www.example.com/vulnerabilities/fi/?page=FUZZ'

This command would “fuzz” the url with all the words in the word list and if successful would highlight the results.

List to get Started with

Again over on the SecList github page you will find a nice LFI word file to get started with.

URL Fuzzing

Some PHP pages have variables that can be assigned a value. For example take the below url

http://www.example.com/website/sales_detail.php

We can fuzz this page with wfuzz to check if there are any variables that might have a LFI vulnerability. It’s a long shot but in CTF challenges when you come across a blank page this is likely the case. So how would this be fuzzed. See the command below.

wfuzz -c --hh=0 -w common.txt -u 'http://www.example.com/website/sales_detail.php?FUZZ=/etc/passwd'

If you would like an example of this, then there is a CTF over on hackmyvm.eu that has this vulnerability and you can check out my writeup for the details.

Password Fuzzing

Fuzzing techniques can also be used when trying to get password access to a remote system. Tools like Hydra can use a list of usernames passwords to try and fuzz or guess the Login details of remote services such as MySQL, WordPress, ssh, etc.

If you want to learn more about Hydra and Password/Username fuzzing take a look at my post on it.

Sub Domain Fuzzing

Sub Domains can also be fuzzed, with the right word lists. Take for example the domain “example.com”. A Sub Domain of this would “www.example.com” or “mail.example.com” If you would like to know what domains exist you can fuzz it with gobuster. See example below.

 gobuster dns -d example.com -w /tmp/dns.txt

When fuzzing Sub Domains you are really fuzzing the dns servers your system is using and not directly connecting to the domains you are fuzzing.

Lists to get Started

Using our reliable SecList site, there is a great starting list for Sub Domains Fuzzing.

Tips/Tricks

• Add extensions to fuzzing such as txt, bak, php and html. The commands listed on this page have options for for doing this.
• If you are really stuck add other file extensions as well such as jpg, jpeg, phtml, gif.
• When fuzzing for files or directories don’t forget to put a “.” in front of file names for hidden files.
• The Getting Started wordlists above are great but as you go through CTF challenges or Pen-testing you will find some words missing. Be sure to add your own words to these lists and over time you will build up your own customized word lists.
• Which ever command you favour for fuzzing be sure to learn all its options as there are some really useful ones that can speed things up.
• When fuzzing Sub Domains you are only connecting to DNS servers so its not detectable by the domain.

Wrap Up

Fuzzing is one of the easiest to learn but can be tricky to master. The budding Ethical Hacker should practise Fuzzing until it becomes second nature and has built up their own custom word lists. I hope there was some value in this Fuzzing 101 post and if you have anything you would like to add let me know in the comments below.