FFUF Command Reference

A quick reference for common FFUF commands and flags used in web directory enumeration and fuzzing.

Basic Usage

Directory Enumeration

# Basic directory scan
ffuf -u http://target.com/FUZZ -w wordlist.txt

# With output file
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.txt

# Recursive scan
ffuf -u http://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2

Parameter Fuzzing

# GET parameter fuzzing
# (URL quoted so the shell does not treat ? as a glob character)
ffuf -u "http://target.com/search?q=FUZZ" -w wordlist.txt

# POST parameter fuzzing
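# (ffuf does not set a Content-Type for -d data, so send one for form bodies)
ffuf -u http://target.com/login -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin&password=FUZZ" -w wordlist.txt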

# Header fuzzing
ffuf -u http://target.com/ -H "X-Custom-Header: FUZZ" -w wordlist.txt

Advanced Scans

Response Filtering

# Match specific status codes
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403,401,500

# Filter by response size
ffuf -u http://target.com/FUZZ -w wordlist.txt -fs 0

# Filter by response lines
ffuf -u http://target.com/FUZZ -w wordlist.txt -fl 0

# Filter by response words
ffuf -u http://target.com/FUZZ -w wordlist.txt -fw 0

Performance Tuning

# Set number of threads
ffuf -u http://target.com/FUZZ -w wordlist.txt -t 50

# Set request rate
ffuf -u http://target.com/FUZZ -w wordlist.txt -rate 100

# Set timeout
ffuf -u http://target.com/FUZZ -w wordlist.txt -timeout 10

Output Formats

File Output

# CSV format
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.csv -of csv

# JSON format
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.json -of json

# Markdown format
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.md -of md

# HTML format
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.html -of html

Console Output

# Verbose output
ffuf -u http://target.com/FUZZ -w wordlist.txt -v

# Silent mode
ffuf -u http://target.com/FUZZ -w wordlist.txt -s

# Color output
ffuf -u http://target.com/FUZZ -w wordlist.txt -c

Common Wordlists

Built-in Wordlists

# Common directories
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# Big wordlist
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/big.txt

# Apache files
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/apache.txt

# PHP files
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/vulns/php.txt

Custom Wordlists

# Use custom wordlist
ffuf -u http://target.com/FUZZ -w custom_wordlist.txt

# Multiple wordlists
ffuf -u http://target.com/FUZZ -w wordlist1.txt,wordlist2.txt

# Recursive scan (the same wordlist is reused at every level)
ffuf -u http://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2

Authentication

Basic Auth

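# Basic authentication (ffuf has no basic-auth flag and -u is the target URL,
# so build the Authorization header from the credentials)
ffuf -u http://target.com/FUZZ -w wordlist.txt -H "Authorization: Basic $(printf 'admin:password' | base64)"

# Auth with custom headers (pre-encoded value)
ffuf -u http://target.com/FUZZ -w wordlist.txt -H "Authorization: Basic YWRtaW46cGFzc3dvcmQ="

# With session cookie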
ffuf -u http://target.com/FUZZ -w wordlist.txt -b "session=abc123"

# Multiple cookies
ffuf -u http://target.com/FUZZ -w wordlist.txt -b "session=abc123;user=admin"

Advanced Techniques

Recursive Scanning

# Recursive scan with depth limit
ffuf -u http://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 3

# Greedy recursion: recurse into every match, not only redirects (same wordlist at every level)
ffuf -u http://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2 -recursion-strategy greedy

Virtual Host Discovery

# Virtual host enumeration
ffuf -u http://target.com/ -w vhosts.txt -H "Host: FUZZ.target.com"

# Follow redirects (-r)
ffuf -u http://target.com/ -w vhosts.txt -H "Host: FUZZ.target.com" -r

Subdomain Enumeration

# Subdomain fuzzing
ffuf -u http://FUZZ.target.com/ -w subdomains.txt

# With wildcard handling (hide 403 responses)
ffuf -u http://FUZZ.target.com/ -w subdomains.txt -fc 403

Payload Types

Custom Payloads

# Custom payload positions (every keyword in the URL must be bound to a wordlist)
ffuf -u http://target.com/FUZZ1/admin/FUZZ2 -w wordlist.txt:FUZZ1 -w wordlist.txt:FUZZ2

# Multiple payload positions
ffuf -u http://target.com/FUZZ1/admin/FUZZ2 -w wordlist1.txt:FUZZ1,wordlist2.txt:FUZZ2

Extensions

# File extension fuzzing
ffuf -u http://target.com/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak

# Multiple extensions
ffuf -u http://target.com/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak,.old,.backup

Common Flags

Essential Flags

  • -u - Target URL
  • -w - Wordlist file
  • -o - Output file
  • -of - Output format
  • -mc - Match status codes
  • -fc - Filter status codes
  • -fs - Filter response size
  • -t - Number of threads
  • -v - Verbose output
  • -s - Silent mode
  • -c - Color output

Advanced Flags

  • -X - HTTP method
  • -H - Custom headers
  • -b - Cookies
  • -d - POST data
  • -r - Follow redirects
  • -timeout - Request timeout
  • -rate - Request rate limit
  • -recursion - Enable recursion
  • -recursion-depth - Recursion depth
  • -e - File extensions

Example Commands

HTB-Style Enumeration

# Quick directory scan
ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302,403,401,500 -v -t 50 -c

# Comprehensive scan with output
ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirb/big.txt -o results.txt -of csv -mc 200,301,302,403,401,500 -v -t 100

# Recursive scan
ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirb/common.txt -recursion -recursion-depth 2 -mc 200,301,302,403,401,500 -v

Web Application Testing

# Parameter fuzzing
ffuf -u "http://target.com/search?q=FUZZ" -w /usr/share/wordlists/dirb/common.txt -mc 200 -v

# POST data fuzzing
ffuf -u http://target.com/login -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin&password=FUZZ" -w passwords.txt -mc 200,302 -v

# Header fuzzing
ffuf -u http://target.com/ -H "X-Forwarded-For: FUZZ" -w /usr/share/wordlists/dirb/common.txt -mc 200 -v

Best Practices

  1. Start with common wordlists before using larger ones
  2. Use appropriate status code filtering to reduce noise
  3. Set reasonable thread limits to avoid overwhelming the target
  4. Save results to files for later analysis
  5. Use recursion carefully to avoid infinite loops
  6. Monitor response times to detect rate limiting
  7. Combine with other tools like nmap and burp suite
  8. Document interesting findings for further investigation
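
An added example (not from the original notes) for practices 2 and 4: it reads a saved `-of json` results file and works out which of the filters above (`-fs`, `-fw`, `-fl`) removes a catch-all response, including the case where the page echoes the requested path so only the word count is stable. The sample data is constructed, and the JSON field names (`results[].input.FUZZ`, `status`, `length`, `words`, `lines`) are assumed from ffuf's JSON output.

```python
import json
from collections import Counter

# Constructed sample shaped like `-o results.json -of json` output; the field
# names (results[].input.FUZZ, status, length, words, lines) are assumptions.
# The catch-all page echoes the path: its size varies, its word count does not.
SAMPLE = json.dumps({"results": [
    {"input": {"FUZZ": w}, "status": 200, "length": 1500 + len(w), "words": 87, "lines": 40}
    for w in ("aaa", "backup", "cgi-bin", "images", "test", "uploads-old")
] + [
    {"input": {"FUZZ": "admin"}, "status": 301, "length": 178, "words": 6, "lines": 8},
    {"input": {"FUZZ": "robots.txt"}, "status": 200, "length": 64, "words": 9, "lines": 4},
]})

# Response metric -> the ffuf filter flag that hides it, most specific first.
FLAGS = (("length", "-fs"), ("words", "-fw"), ("lines", "-fl"))

def suggest_filter(results, min_share=0.5, min_hits=3):
    """Return (flag, value, metric) for the first metric one value dominates, else None."""
    for metric, flag in FLAGS:
        if not results:
            break
        value, hits = Counter(r[metric] for r in results).most_common(1)[0]
        if hits >= min_hits and hits / len(results) >= min_share:
            return flag, value, metric
    return None

def triage(raw):
    """Split saved ffuf results into catch-all noise and findings worth a manual look."""
    results = json.loads(raw).get("results") or []
    choice = suggest_filter(results)
    if choice is None:
        keep = results
    else:
        _, value, metric = choice
        keep = [r for r in results if r[metric] != value]
    return {
        "filter": f"{choice[0]} {choice[1]}" if choice else None,
        "findings": sorted((r["input"]["FUZZ"], r["status"], r["length"]) for r in keep),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The suggested flag can be added to the next run so the noise never reaches the output file.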

Question loudly so others can learn quietly. Stay curious. Stay loud.

Don’t Be A Skid -Zero