This repository contains notes and the Session 2 plan for a workshop series on web exploitation. The session covers reconnaissance: the passive part was explained live during the session, and these notes cover the active part, enumeration, which extracts detailed information about the target by probing and fuzzing the web application.
Duration: 45-60 minutes (adjustable)
- Session 1 concepts (HTTP basics and tooling)
- Basic command-line usage
By the end of this session, participants will understand the role of reconnaissance in web exploitation and how enumeration maps an application's attack surface. They will be able to set up and use SecLists, perform directory/file, recursive, parameter, and vhost/subdomain fuzzing with ffuf, and apply output filtering to reduce noise. Passive reconnaissance was explained during the session, while these notes focus on active enumeration techniques.
- 2.1 Setting Up SecLists
- 2.2 Directory and File Fuzzing
- 2.3 Recursive Fuzzing
- 2.4 Parameter and Value Fuzzing
- 2.5 Virtual Host and Subdomain Fuzzing
- 2.6 Filtering Fuzzing Output
SecLists is a comprehensive collection of wordlists used for fuzzing, enumeration, and various security testing tasks. It's an essential resource for any web security tester.
```bash
# Already installed on Kali and similar distributions, located at:
ls /usr/share/seclists/

# Or install via apt
sudo apt install seclists

# Clone the repository
git clone https://github.com/danielmiessler/SecLists.git

# Or download a snapshot of the default branch
wget https://github.com/danielmiessler/SecLists/archive/master.zip
unzip master.zip
```

Layout of the directories used in this session:

```
SecLists/
├── Discovery/
│   ├── Web-Content/        # Directory and file lists
│   │   ├── common.txt
│   │   ├── directory-list-2.3-medium.txt
│   │   ├── raft-large-directories.txt
│   │   └── ...
│   ├── DNS/                # Subdomain lists
│   └── Infrastructure/
├── Fuzzing/                # Fuzzing payloads
├── Passwords/              # Password lists
├── Usernames/              # Username lists
└── ...
```
Directory and file fuzzing involves systematically testing for hidden directories, backup files, configuration files, and other resources that aren't linked in the application but may still be accessible.
ffuf (Fuzz Faster U Fool) is a fast, Go-based web fuzzer and the tool used throughout this session. It substitutes each wordlist entry for the FUZZ keyword wherever that keyword appears in the request (URL, headers or body). It is also packaged on Kali; the Go install below always gives the current release.

```bash
go install github.com/ffuf/ffuf/v2@latest
```

```bash
# Basic directory fuzzing
ffuf -u http://shellblog.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt

# With file extensions: every word is also requested with each extension,
# so the request count is words x (1 + number of extensions)
ffuf -u http://shellblog.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e .php,.html,.txt,.bak

# With custom headers (e.g., cookies) so content behind a login is reachable
ffuf -u http://shellblog.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -H "Cookie: session=abc123"
```
Recursive fuzzing automatically discovers nested directories and continues fuzzing within each discovered directory. This is essential for finding deeply hidden content.
```bash
# Recursive fuzzing (continues into found directories; FUZZ must be at the end of the URL)
ffuf -u http://shellblog.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -recursion -recursion-depth 3 -recursion-strategy greedy

# Only matched results are candidates for recursion, so the matcher controls what gets descended into
ffuf -u http://shellblog.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -recursion -recursion-depth 2 -mc 200,301,302
```

With the default strategy ffuf only descends into hits that redirect to the same path with a trailing slash (the usual sign of a directory); `-recursion-strategy greedy` descends into every match, which finds more but multiplies the request count. Keep `-recursion-depth` low and raise it only where the tree turns out to be interesting.

Parameter fuzzing discovers hidden GET/POST parameters that might not be visible in the application interface. Value fuzzing tests how the application handles different input values for known parameters.
```bash
# GET parameter name fuzzing (the value is fixed, the name is fuzzed)
ffuf -u "http://shellblog.com/page?FUZZ=test" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt

# GET parameter value fuzzing (the name is known, the value is fuzzed)
ffuf -u "http://shellblog.com/page?id=FUZZ" -w /usr/share/seclists/Fuzzing/special-chars.txt

# POST parameter name fuzzing (the name is fuzzed inside the request body)
ffuf -u http://shellblog.com/api -X POST -d "FUZZ=value" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
```
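The commands above only show the ffuf invocations; what makes them work is the comparison of every response against a baseline taken with a parameter name that cannot exist. As an added example for section 2.4 (not part of the original notes and not ffuf's code), the following Python reproduces that logic in miniature against a constructed in-memory application, so it runs offline. The application `fake_app`, its parameters (`debug`, `q`, `id`), the wordlist and the payloads are all made up for the illustration.

```python
"""Parameter-name and value fuzzing by baseline comparison.

Added example: a miniature of what
  ffuf -u "http://host/page?FUZZ=test" -w burp-parameter-names.txt
  ffuf -u "http://host/page?q=FUZZ"    -w special-chars.txt
do, run against a constructed in-memory application (fake_app) instead
of a live target. Nothing here is ffuf's code or the original notes' code.
"""
from collections import namedtuple

Response = namedtuple("Response", "status body")


def fake_app(path, params):
    """Constructed target. Only `debug`, `q` and `id` are real parameters;
    unknown ones are silently ignored, which is why they cannot be found by eye."""
    if path != "/page":
        return Response(404, "<h1>Not Found</h1>\n")
    body = ["<html><body><h1>Page</h1>"]
    if "debug" in params:                           # undocumented switch
        body.append("<pre>DEBUG: role=user session=guest</pre>")
    if "q" in params:                               # reflected without escaping
        body.append("<p>Results for %s</p>" % params["q"])
    if "id" in params:
        if not params["id"].isdigit():              # breaks on unexpected input
            return Response(500, "<h1>Internal Server Error</h1>\n")
        body.append("<p>Item %s</p>" % params["id"])
    body.append("</body></html>")
    return Response(200, "\n".join(body) + "\n")


def signature(resp):
    """Status plus approximations of the three counters ffuf filters on
    (-fs size, -fw words, -fl lines)."""
    return (resp.status, len(resp.body), len(resp.body.split()), resp.body.count("\n"))


def baseline(send, path, probes=3):
    """Signature of the page for parameter names that cannot exist. If the
    probes disagree the page is dynamic (timestamps, echoed input); rather
    than guess, say so, because -fs would then be the wrong filter."""
    sigs = {signature(send(path, {"zzqx%d" % i: "test"})) for i in range(probes)}
    if len(sigs) != 1:
        raise RuntimeError("unstable baseline: filter on -fw/-fl instead of -fs")
    return sigs.pop()


def fuzz_param_names(send, path, wordlist, value="test"):
    """Names whose response differs from the baseline, with the signature
    that gave them away (what `-fs <baseline size>` would leave in ffuf)."""
    base = baseline(send, path)
    hits = []
    for name in wordlist:
        sig = signature(send(path, {name: value}))
        if sig != base:
            hits.append((name, sig))
    return hits


def fuzz_param_values(send, path, name, payloads, benign="1"):
    """Value fuzzing for a known parameter: flag payloads that change the
    status code (server errors) and payloads with special characters that
    come back verbatim in the body (reflection; ffuf can match it with -mr)."""
    base_status = send(path, {name: benign}).status
    findings = []
    for payload in payloads:
        resp = send(path, {name: payload})
        if resp.status != base_status:
            findings.append((payload, "status %d" % resp.status))
        elif not payload.isalnum() and payload in resp.body:
            findings.append((payload, "reflected verbatim"))
    return findings


if __name__ == "__main__":
    WORDLIST = ["user", "debug", "page", "id", "q", "token"]        # constructed
    PAYLOADS = ["'", "<script>", "../../etc/passwd", "1 OR 1=1"]    # constructed
    for name, sig in fuzz_param_names(fake_app, "/page", WORDLIST):
        print("param %-5s -> status=%d size=%d words=%d lines=%d" % ((name,) + sig))
    for param in ("q", "id"):
        for payload, why in fuzz_param_values(fake_app, "/page", param, PAYLOADS):
            print("%s=%r -> %s" % (param, payload, why))
```

The three counters in `signature` are the reason ffuf offers `-fs`, `-fw` and `-fl` rather than a single filter: a page that echoes input changes size but usually not its word or line count, so the check in `baseline` is the moment to decide which of them to filter on.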
Virtual host (vhost) fuzzing discovers different websites served by the same server under different hostnames: every request goes to the same address and only the Host header changes, so it also finds names that have no public DNS record. Subdomain fuzzing instead puts the candidate name in the URL, so each one must resolve in DNS; it identifies additional subdomains that might have different functionality or a different security posture.
```bash
# VHost fuzzing
ffuf -u http://shellblog.com -H "Host: FUZZ.shellblog.com" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Filter by response size (adjust to the size of the default vhost's response)
ffuf -u http://shellblog.com -H "Host: FUZZ.shellblog.com" -w subdomains.txt -fs 1234

# VHost fuzzing against an IP address (no DNS involved at all)
ffuf -u http://10.10.10.10 -H "Host: FUZZ.htb" -w /usr/share/seclists/Discovery/Web-Content/common.txt

# Subdomain enumeration (each candidate must resolve in DNS)
ffuf -u http://FUZZ.shellblog.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# With auto-calibration to filter false positives
ffuf -u http://FUZZ.shellblog.com -w subdomains.txt -ac
```

A server answers every Host value it does not recognise with its default site, so without a size filter or `-ac` every word in the list looks like a hit; the value for `-fs` is read off that default response (a request with a deliberately bogus Host header).

Filtering is crucial for reducing noise in fuzzing output. By filtering responses based on size, words, lines, or status codes, you can focus on genuinely interesting results.
```bash
# Filter by status code (exclude these codes)
ffuf -u http://shellblog.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -fc 404,403,500

# Match by status code (include only these codes)
ffuf -u http://shellblog.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,301,302

# Filter by response size (bytes)
ffuf -u http://shellblog.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -fs 1234
```

Size (`-fs`) is the strictest filter but fails against "not found" pages that echo the requested path or carry a timestamp; word (`-fw`) and line (`-fl`) counts usually stay constant on such pages and make better filters there. ffuf applies a default status-code matcher, so use `-mc all` when you need to see every status code before deciding what to filter.
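Deciding on filters and on where to recurse is easier from a saved run than from the live console. As an added example serving both 2.3 and 2.6 (not from the original notes or the ffuf project), the Python below triages a results file as written by `ffuf -o out.json -of json`: it finds the largest cluster of look-alike responses (a soft 404 that returns 200), works out the ffuf flag that would hide it next time, lists the hits ffuf's default recursion rule would descend into, and flags backup-looking files. The script assumes the per-result keys `input`, `status`, `length`, `words`, `lines`, `redirectlocation` and `url` of ffuf's JSON output; `SAMPLE_JSON` is constructed for the illustration, not a real scan.

```python
"""Triage of ffuf JSON output: drop the soft-404 cluster, list recursion
targets and backup-looking files.

Added example, not from the original notes or the ffuf project. It assumes
the per-result keys ffuf writes with `-o out.json -of json` (input, status,
length, words, lines, redirectlocation, url); SAMPLE_JSON is constructed.
"""
import json
from collections import Counter

# Constructed output of a run such as:
#   ffuf -u http://shellblog.com/FUZZ -w common.txt -o out.json -of json
# The target answers unknown paths with a 200 "not found" page that echoes
# the path, so its size varies slightly while words and lines stay fixed.
SAMPLE_JSON = """{"results": [
 {"input": {"FUZZ": "admin"}, "status": 301, "length": 0, "words": 1, "lines": 1,
  "redirectlocation": "http://shellblog.com/admin/", "url": "http://shellblog.com/admin"},
 {"input": {"FUZZ": "images"}, "status": 301, "length": 0, "words": 1, "lines": 1,
  "redirectlocation": "http://shellblog.com/images/", "url": "http://shellblog.com/images"},
 {"input": {"FUZZ": "login"}, "status": 302, "length": 0, "words": 1, "lines": 1,
  "redirectlocation": "http://shellblog.com/?next=login", "url": "http://shellblog.com/login"},
 {"input": {"FUZZ": "index.php"}, "status": 200, "length": 5120, "words": 812, "lines": 140,
  "redirectlocation": "", "url": "http://shellblog.com/index.php"},
 {"input": {"FUZZ": "backup.zip"}, "status": 200, "length": 204800, "words": 3, "lines": 1,
  "redirectlocation": "", "url": "http://shellblog.com/backup.zip"},
 {"input": {"FUZZ": "config.php.bak"}, "status": 200, "length": 1873, "words": 210, "lines": 60,
  "redirectlocation": "", "url": "http://shellblog.com/config.php.bak"},
 {"input": {"FUZZ": "secret"}, "status": 403, "length": 277, "words": 20, "lines": 10,
  "redirectlocation": "", "url": "http://shellblog.com/secret"},
 {"input": {"FUZZ": "foo"}, "status": 200, "length": 1290, "words": 84, "lines": 31,
  "redirectlocation": "", "url": "http://shellblog.com/foo"},
 {"input": {"FUZZ": "bar"}, "status": 200, "length": 1290, "words": 84, "lines": 31,
  "redirectlocation": "", "url": "http://shellblog.com/bar"},
 {"input": {"FUZZ": "baz"}, "status": 200, "length": 1290, "words": 84, "lines": 31,
  "redirectlocation": "", "url": "http://shellblog.com/baz"},
 {"input": {"FUZZ": "quux"}, "status": 200, "length": 1291, "words": 84, "lines": 31,
  "redirectlocation": "", "url": "http://shellblog.com/quux"}
]}"""

INTERESTING_SUFFIXES = (".bak", ".old", ".orig", ".zip", ".tar.gz", ".sql", ".env", ".swp")


def shape(r):
    """Status, words and lines. Size is left out on purpose: soft-404 pages
    that echo the requested path differ in size but not in shape."""
    return (r["status"], r["words"], r["lines"])


def noise_signature(results, min_hits=3):
    """Shape shared by the largest group of results, if it has at least
    min_hits members; otherwise None (no dominant cluster, nothing to drop)."""
    counts = Counter(shape(r) for r in results)
    sig, n = counts.most_common(1)[0]
    return sig if n >= min_hits else None


def filter_flags(results, sig):
    """The ffuf flag that would hide that cluster on the next run: -fs when
    every member has the same size (strictest), otherwise -fw on the words."""
    sizes = {r["length"] for r in results if shape(r) == sig}
    if len(sizes) == 1:
        return "-fs %d" % sizes.pop()
    return "-fw %d" % sig[1]


def recursion_targets(results):
    """ffuf's default recursion rule: a hit is a directory when it redirects
    to its own URL plus a trailing slash (-recursion-strategy greedy would
    descend into every match instead)."""
    return [r["url"] + "/" for r in results if r.get("redirectlocation") == r["url"] + "/"]


def interesting_files(results):
    """Words that look like backups, archives or editor leftovers."""
    return [r["input"]["FUZZ"] for r in results
            if r["input"]["FUZZ"].lower().endswith(INTERESTING_SUFFIXES)]


def triage(text):
    results = json.loads(text)["results"]
    sig = noise_signature(results)
    kept = [r for r in results if sig is None or shape(r) != sig]
    return {"noise": sig,
            "flags": filter_flags(results, sig) if sig else "",
            "kept": [r["input"]["FUZZ"] for r in kept],
            "recurse": recursion_targets(kept),
            "files": interesting_files(kept)}


if __name__ == "__main__":
    report = triage(SAMPLE_JSON)
    print("noise cluster %s, re-run with: %s" % (report["noise"], report["flags"]))
    print("recurse into:", *report["recurse"])
    print("check files:", *report["files"])
    print("all kept:", *report["kept"])
```

On the constructed sample the dominant cluster is the 200-status soft 404; because its members differ in size, the script recommends `-fw 84` rather than `-fs`, which is exactly the case where a size filter would have let the noise through. The `login` redirect survives the recursion check because it points somewhere other than its own path with a trailing slash, which is what separates a directory from a login bounce.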