Introduction
In this lab, you will explore the flexible fuzzing capabilities of Gobuster, a popular directory and file brute-forcing tool. While Gobuster is commonly known for its dir mode, its fuzz mode offers a powerful way to discover hidden web content by injecting payloads into various parts of a URL. You will learn how to construct URLs with the special FUZZ keyword, provide custom wordlists, execute fuzzing scans, and interpret the results to identify potential vulnerabilities or hidden resources on a web server. This hands-on experience will enhance your web enumeration skills, which are crucial for penetration testing and security assessments.
Understand the Purpose of fuzz Mode and the FUZZ Keyword
In this step, you will learn about the fuzz mode in Gobuster and the significance of the FUZZ keyword. Unlike the dir mode which primarily brute-forces directory and file names, the fuzz mode allows you to inject payloads into arbitrary positions within a URL. The FUZZ keyword acts as a placeholder where Gobuster will insert each entry from your provided wordlist. This flexibility enables you to test various parts of a URL, such as path segments, file extensions, or even query parameters, for hidden content or vulnerabilities.
For example, if you want to discover hidden directories under http://localhost:8000/, you would use a URL like http://localhost:8000/FUZZ. Gobuster will then replace FUZZ with each word from your wordlist.
Let's verify that Gobuster is installed and accessible in your environment.
gobuster version
You should see output similar to the following, indicating the Gobuster version.
Gobuster v3.x.x
Construct a URL with the FUZZ Keyword in the Path
In this step, you will construct a target URL that includes the FUZZ keyword. This keyword tells Gobuster where to insert the wordlist entries during the fuzzing process. For this lab, we will target a simple HTTP server running locally on port 8000. We will place the FUZZ keyword in the path segment to discover hidden directories or files.
The basic syntax for gobuster fuzz is gobuster fuzz -u <URL_with_FUZZ> -w <wordlist>.
Let's define the base URL for our target server. The server is running on http://localhost:8000. We want to discover hidden paths directly under the root, so our fuzzed URL will be http://localhost:8000/FUZZ.
You can try to access the base URL to confirm the server is running:
curl http://localhost:8000/
You should see the content of index.html:
Hello from index.html
Now, let's prepare the command structure. We won't execute it yet, but we'll ensure the URL is correctly formed.
echo "The fuzzed URL will be: http://localhost:8000/FUZZ"
This command simply prints the URL string, confirming your understanding of how to place the FUZZ keyword.
Use the -w Flag to Provide a Payload Wordlist
In this step, you will learn how to specify a wordlist for Gobuster to use during the fuzzing process. The -w flag is used to provide the path to your wordlist file. Each line in this file will be used to replace the FUZZ keyword in your target URL.
For this lab, a simple wordlist named fuzz_wordlist.txt has been created in your ~/project directory during the setup phase. This wordlist contains a few entries that correspond to existing and non-existing paths on our dummy web server.
Let's inspect the content of the wordlist to understand what payloads will be used:
cat ~/project/fuzz_wordlist.txt
You should see the following content:
secret_dir
admin_panel
test_page.html
nonexistent
Now you know the payloads that Gobuster will try. When we execute the scan, Gobuster will attempt to access URLs like http://localhost:8000/secret_dir, http://localhost:8000/admin_panel, and so on.
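The substitution described above can be checked before running any scan. The POSIX shell script below is an added example, not part of the lab or of Gobuster itself: it writes a constructed copy of the lab's four-entry wordlist to a temporary file and expands a template URL the way the lab describes, replacing every FUZZ occurrence with each wordlist entry. The function name expand_fuzz and the temporary-file handling are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the lab or from Gobuster): preview the candidate
# URLs that a FUZZ template and a wordlist produce.

# Constructed wordlist, mirroring the lab's fuzz_wordlist.txt, written to a
# temporary file so the script runs stand-alone.
WORDLIST="$(mktemp)"
trap 'rm -f "$WORDLIST"' EXIT
printf '%s\n' secret_dir admin_panel test_page.html nonexistent > "$WORDLIST"

# expand_fuzz TEMPLATE WORDLIST
# Prints one candidate URL per wordlist line, replacing every FUZZ in
# TEMPLATE with that line. Fails if the template carries no FUZZ keyword,
# which is the mistake that makes a scan hit the same URL repeatedly.
expand_fuzz() {
    template="$1"
    wordlist="$2"
    case "$template" in
        *FUZZ*) ;;
        *) echo "error: template has no FUZZ keyword: $template" >&2; return 1 ;;
    esac
    # "|| [ -n "$word" ]" keeps a last line that lacks a trailing newline.
    while IFS= read -r word || [ -n "$word" ]; do
        # Skip blank lines and comment lines in the wordlist.
        case "$word" in ''|'#'*) continue ;; esac
        # POSIX sh has no global replace, so walk the template segment by
        # segment: prefix before the first FUZZ, then the payload, then go on
        # with the remainder. This also handles several FUZZ occurrences.
        out=""
        rest="$template"
        while case "$rest" in *FUZZ*) true ;; *) false ;; esac; do
            out="${out}${rest%%FUZZ*}${word}"
            rest="${rest#*FUZZ}"
        done
        printf '%s\n' "${out}${rest}"
    done < "$wordlist"
}

# Demonstration: FUZZ in the path segment (the lab's case) and, as a
# generalisation, FUZZ used in two positions at once.
expand_fuzz 'http://localhost:8000/FUZZ' "$WORDLIST"
expand_fuzz 'http://localhost:8000/FUZZ?page=FUZZ' "$WORDLIST"
```

Running the script prints the four URLs that the lab's scan will request, so you can confirm the FUZZ placement before spending requests on a real target.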
Execute the gobuster fuzz Scan
In this step, you will combine all the previous knowledge to execute the gobuster fuzz scan. You will use the fuzzed URL constructed in Step 2 and the wordlist specified in Step 3.
The full command will be:
gobuster fuzz -u http://localhost:8000/FUZZ -w ~/project/fuzz_wordlist.txt
Let's break down the command:
gobuster fuzz: Invokes Gobuster in fuzzing mode.
-u http://localhost:8000/FUZZ: Specifies the target URL with the FUZZ placeholder.
-w ~/project/fuzz_wordlist.txt: Provides the path to the wordlist containing payloads.
Now, execute the command in your terminal:
gobuster fuzz -u http://localhost:8000/FUZZ -w ~/project/fuzz_wordlist.txt
You will see Gobuster iterating through the wordlist and reporting the status codes for each attempt.
===============================================================
Gobuster v3.x.x
===============================================================
[+] Url: http://localhost:8000/FUZZ
[+] Wordlist: /home/labex/project/fuzz_wordlist.txt
[+] Threads: 10
[+] Timeout: 10s
===============================================================
2024/01/01 12:00:00 Starting gobuster in fuzz mode
===============================================================
http://localhost:8000/secret_dir (Status: 200)
http://localhost:8000/admin_panel (Status: 200)
http://localhost:8000/test_page.html (Status: 200)
http://localhost:8000/nonexistent (Status: 404)
===============================================================
2024/01/01 12:00:00 Finished
===============================================================
Notice the (Status: 200) for secret_dir, admin_panel, and test_page.html, indicating that these paths exist and returned a successful response. The (Status: 404) for nonexistent indicates that this path was not found, as expected.
Analyze the Results of the Flexible Fuzzing
In this final step, you will analyze the output from the gobuster fuzz scan to understand what was discovered. The primary goal of fuzzing is to identify valid responses (typically HTTP status codes like 200 OK, 301 Moved Permanently, etc.) that indicate the existence of a resource.
From the output of the previous step, you should have observed lines similar to these:
http://localhost:8000/secret_dir (Status: 200)
http://localhost:8000/admin_panel (Status: 200)
http://localhost:8000/test_page.html (Status: 200)
http://localhost:8000/nonexistent (Status: 404)
http://localhost:8000/secret_dir (Status: 200): This indicates that a directory named secret_dir exists under the web root. You can try to access it using curl:
curl http://localhost:8000/secret_dir/hidden_file.txt
You should see:
Secret content
http://localhost:8000/admin_panel (Status: 200): This suggests an admin_panel directory exists.
curl http://localhost:8000/admin_panel/login.php
You should see:
Admin login
http://localhost:8000/test_page.html (Status: 200): This indicates a file named test_page.html exists.
curl http://localhost:8000/test_page.html
You should see:
Test page
http://localhost:8000/nonexistent (Status: 404): This is a "Not Found" status, which is expected for a path that does not exist. This helps confirm that Gobuster is correctly identifying non-existent resources.
By analyzing the status codes, you can effectively identify hidden directories, files, or other resources that might not be directly linked from the main website. This is a crucial step in reconnaissance during security assessments.
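On a real scan the output is far longer than four lines, so the analysis step is usually done by filtering. The POSIX shell script below is an added example, not part of the lab or of Gobuster: it embeds a constructed copy of the lab's scan output and provides two functions, urls_with_status (list the URLs that returned a given code) and status_summary (count hits per code). It assumes the "URL (Status: NNN)" line layout shown in the lab output; other Gobuster versions print results in a different layout, so check your own output before reusing the pattern.

```shell
#!/bin/sh
# Added example (not from the lab or from Gobuster): filter and summarise
# the result lines of a gobuster fuzz run.

# Constructed sample output, modelled on the lab's scan result, written to a
# temporary file so the script runs stand-alone.
SCAN_OUT="$(mktemp)"
trap 'rm -f "$SCAN_OUT"' EXIT
cat > "$SCAN_OUT" <<'EOF'
===============================================================
Gobuster v3.x.x
===============================================================
[+] Url: http://localhost:8000/FUZZ
[+] Wordlist: /home/labex/project/fuzz_wordlist.txt
===============================================================
http://localhost:8000/secret_dir (Status: 200)
http://localhost:8000/admin_panel (Status: 200)
http://localhost:8000/test_page.html (Status: 200)
http://localhost:8000/nonexistent (Status: 404)
===============================================================
EOF

# urls_with_status FILE CODE
# Prints the URLs whose result line reports HTTP status CODE. Banner lines
# (they start with "=" or "[+]") do not match the pattern and are ignored.
urls_with_status() {
    awk -v want="$2" '
        /^https?:\/\/.* \(Status: [0-9]+\)$/ {
            code = $NF; sub(/\)$/, "", code)   # "200)" -> "200"
            if (code == want) print $1
        }' "$1"
}

# status_summary FILE
# Prints "CODE COUNT" for every status code seen, sorted by code, so a large
# run can be triaged at a glance (e.g. how many 200s versus 403s).
status_summary() {
    awk '
        /^https?:\/\/.* \(Status: [0-9]+\)$/ {
            code = $NF; sub(/\)$/, "", code); n[code]++
        }
        END { for (c in n) printf "%s %d\n", c, n[c] }' "$1" | sort -n
}

# Demonstration on the constructed output.
echo "Paths that returned 200:"
urls_with_status "$SCAN_OUT" 200
echo "Hits per status code:"
status_summary "$SCAN_OUT"
```

In practice you would point the functions at a file saved with Gobuster's output redirected to disk; the same awk pattern can be adapted to keep 301 or 403 results, which often mark directories or access-controlled resources worth reviewing.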
Summary
In this lab, you successfully learned how to use the flexible fuzzing mode in Gobuster. You understood the role of the FUZZ keyword as a placeholder for injecting payloads from a wordlist. You constructed a fuzzed URL, provided a custom wordlist, executed a gobuster fuzz scan, and analyzed the results to identify existing web resources. This hands-on experience demonstrated the power and versatility of Gobuster's fuzzing capabilities for web enumeration, a fundamental skill in cybersecurity and penetration testing. You can now apply these techniques to discover hidden content on various web applications.
