Hacking Tutorial

Bruteforcing Usernames w/ WFuzz

In a recent post, I showed you how to Brute-force Subdomains w/ WFuzz. This time, I’m going to show you how we can use the same tool to brute-force a list of valid users. This guide is going to use Falafel from Hack The Box as an example, but does not intend to serve as a walkthrough or write-up of the machine.


Setting the Stage

If we navigate to the web interface of the box, we can attempt to sign in to a login page. We notice that when we type a valid username into the field, the error message states “Wrong identification”.

However, entering a username that doesn’t exist returns a message that states “Try again..”. Because the two failure responses differ, we can use them to enumerate valid usernames.

Looking at the request in Burp, we see that it’s being sent as a POST request with two parameters: username and password.


Using WFuzz to Brute-Force Valid Users

To begin, we’ll need a wordlist that contains a list of usernames. SecLists has one that is great for this, which you can get from GitHub. I have mine downloaded already.

Let’s start piecing together our command! Let me break down all the pieces that we’ll use.

-c : Return output in color.
-z file,<wordlist> : Specify our payload. In this case, a list of usernames; each line replaces the FUZZ keyword.
--sc 200 : Show only responses that return a status code of 200.
-d "username=FUZZ&password=anything" : Provide the body parameters for the POST request.

Putting all of the above together, this is what our first command looks like!

wfuzz -c -z file,/usr/share/seclists/Usernames/Names/names.txt --sc 200 -d "username=FUZZ&password=anything" http://10.10.10.73/login.php

Running this doesn’t actually produce the results we want, though. That’s because every page comes back with a 200 response code, so --sc 200 shows every username in the list.

However, notice that each response contains 657 words. Let’s rewrite our command so that it hides results containing 657 words (--hw 657) and only shows us the ones that DO NOT.

wfuzz -c -z file,/usr/share/seclists/Usernames/Names/names.txt --hw 657 -d "username=FUZZ&password=anything" http://10.10.10.73/login.php

After letting it run for a bit, we start to enumerate a list of users!
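The reason the --hw trick works is entirely on the server side: the login page answers differently depending on whether the username exists. The following is an added example, not code from the original post or from the Falafel box, showing a handler with that behaviour next to a hardened one, plus the check a defender can run to confirm the two failure cases are no longer distinguishable. The USERS store, the salt and the two handlers are constructed for illustration.

```python
"""Why the login page in the post leaks valid usernames, and what the fix
looks like on the server side.

Added example, not code from the original post or from the Falafel box. The
user store, the two handlers and the check at the bottom are constructed for
illustration; USERS is a hypothetical in-memory store, not a real one.
"""
import hashlib
import hmac
import secrets

_SALT = b"constructed-salt"   # constructed; a real app stores one salt per user
_ITERATIONS = 10_000          # lowered from production values to keep the example quick


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Hypothetical user store: username -> PBKDF2 hash of the password.
USERS = {
    "admin": _hash("correct horse"),
    "chris": _hash("battery staple"),
}


def leaky_login(username: str, password: str) -> str:
    """Behaves like the login page described in the post: the error message
    depends on whether the username exists, so the two cases can be told apart."""
    if username not in USERS:
        return "Try again.."
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return "Wrong identification"
    return "Welcome"


# Hash compared against for unknown usernames, so that the unknown-user path
# does the same amount of work as the known-user path (no timing side channel).
_DUMMY_HASH = _hash(secrets.token_hex(16))


def fixed_login(username: str, password: str) -> str:
    """Hardened version: one generic message for both failure cases and the
    same work on every path, so the response no longer says which usernames exist."""
    stored = USERS.get(username, _DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, _hash(password))
    if password_ok and username in USERS:
        return "Welcome"
    return "Invalid username or password"


def responses_differ(handler, candidates, password: str = "anything") -> bool:
    """The property wfuzz's --hw/--hh filters look for, as a defender's check:
    do any of the candidate usernames get a different failure response?
    True means the handler can be used to enumerate users."""
    bodies = {handler(user, password) for user in candidates}
    return len(bodies) > 1


if __name__ == "__main__":
    names = ["admin", "chris", "nobody", "guest"]
    print("leaky handler enumerable:", responses_differ(leaky_login, names))  # True
    print("fixed handler enumerable:", responses_differ(fixed_login, names))  # False
```

The same generic message is not enough on its own: if the unknown-user branch returns before hashing, the response time still separates the two cases, which is why the hardened handler always hashes against something. Run the check against a real application by swapping the handler for a function that submits the form and returns the body.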

Bruteforcing Subdomains w/ WFuzz

This guide is going to use CMess from TryHackMe as an example, but does not intend to serve as a walkthrough or write-up of the machine.


Before we begin, make sure you can resolve the domain name that we’re targeting. If you’re doing this in a CTF-type environment, you may need to update your /etc/hosts file with the hostname/address of the target.

We can use a tool called wfuzz to brute-force a list of subdomains, but first, we’ll need a list to use.

I like to use the top 5000 list from SecLists, which can be found at https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-5000.txt

With our list in hand, let’s set up our command. -f sub-fighter.txt saves the results to a file, -Z tells wfuzz to keep going past connection errors, -w points at the wordlist, and the FUZZ keyword goes in the Host header so that each entry is tried as a subdomain of the target.

sudo wfuzz -c -f sub-fighter.txt -Z -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --sc 200,202,204,301,302,307,403 -H "Host: FUZZ.target.tld" -u 'http://target.tld'

Now you may get a ton of output that shows valid subdomains, depending on how the site is configured. If you notice a large number of results that contain the same word count, this may just be an indication that the site returns a 200 response for any hostname but displays a “Not found” error.

To remove results with a specific word count, you can append --hw <value> to your command. For example, our new command that hides results that respond with a word count of 290 would look like the following:

wfuzz -c -f sub-fighter -w top5000.txt -u 'http://target.tld' -H "Host: FUZZ.target.tld" --hw 290

This will return a list of subdomains whose responses do not contain 290 words. If you get a successful result, make sure you’re able to resolve the subdomain as well before trying to browse to it. If you’re in a CTF-type environment, you may need to update your /etc/hosts file.

With our /etc/hosts file updated, we should be able to browse to the page.
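Both posts end up at the same step: read the word count that every "nothing here" response shares (657 on the login page, 290 on the subdomain run) and hide it with --hw. The following is an added example, not code from the original posts or from wfuzz, that generalises that step by taking the most common word count across all responses as the baseline and reporting whatever departs from it. The responses are constructed in-line to stand in for a vhost fuzzing run against a site whose default vhost answers 200 with a "Not found" page.

```python
"""The word-count filter from both posts (--hw 657 for the username page,
--hw 290 for the subdomain run), generalised: rather than reading one number
off the screen and hiding it by hand, take the most common word count across
all responses as the "not found" baseline and report whatever departs from it.

Added example, not code from the original post or from wfuzz. The responses
below are constructed in-line to stand in for a vhost fuzzing run.
"""
from collections import Counter

# Constructed response bodies; a real run would capture these from the target.
NOT_FOUND = "<html> <body> <h1>Not found</h1> <p>No such site here.</p> </body> </html>"
DEV_PORTAL = ("<html> <body> <h1>Dev portal</h1> <p>Internal staging build, sign in below.</p> "
              "<form> ... </form> </body> </html>")
FORBIDDEN = "<html> <body> <h1>Forbidden</h1> </body> </html>"

# (Host header tried, status code, body) for each wordlist entry. Constructed.
SAMPLE_RESPONSES = [
    ("www.target.tld", 200, NOT_FOUND),
    ("mail.target.tld", 200, NOT_FOUND),
    ("dev.target.tld", 200, DEV_PORTAL),
    ("ftp.target.tld", 200, NOT_FOUND),
    ("admin.target.tld", 403, FORBIDDEN),
]


def word_count(body: str) -> int:
    """wfuzz's 'Words' column counts whitespace-separated tokens; do the same."""
    return len(body.split())


def baseline_word_count(responses) -> int:
    """The most common word count: with a catch-all vhost, that is the
    'Not found' page the post warns about (290 words in the original run)."""
    counts = Counter(word_count(body) for _, _, body in responses)
    return counts.most_common(1)[0][0]


def interesting(responses, hide_words=None):
    """Equivalent of --hw <value>. If no value is given, derive it from the
    baseline instead of reading it off the screen. Returns (host, status, words)."""
    if hide_words is None:
        hide_words = baseline_word_count(responses)
    return [(host, status, word_count(body))
            for host, status, body in responses
            if word_count(body) != hide_words]


if __name__ == "__main__":
    print("baseline word count:", baseline_word_count(SAMPLE_RESPONSES))  # 10
    for host, status, words in interesting(SAMPLE_RESPONSES):
        print(f"{host:<18} {status}  words={words}")
```

The same function is useful from the other side of the fence: point it at your own default vhost with a handful of made-up hostnames and it should report nothing, and better still the default vhost should answer with a non-200 status so that the --sc list in the first command drops it before word counts even matter.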