The same thing as wfuzz but for command line fuzzing. This enables to fuzz any command line execution and filter results.
Also a good friend for bruteforcing
{ Install it ; Use it }
Why?
To perform fuzzing or bruteforcing we have plenty of awesome tools (fuff and wfuzz for web fuzzing, hydra for network bruteforcing, to mention just a few). cfuzz is a tool that propose a different approach with a step-back. The aim is to be able to fuzz/bruteforce anything that can be transcribed in command line.
Consequently, cfuzz can be seen either as an alternative of these tools for simple use case or an extension cause it handles a huge range of use cases
Origins of the idea: when bruteforcing ipmi service to enumerate users. 3 options: use msfconsole, write module for hydra, manually or programmaticaly parse ipmitool tool output
| user password bruteforcing |
|---|
 |
From release:
curl -lO -L -s https://github.com/ariary/cfuzz/releases/latest/download/cfuzz && chmod +x cfuzzWith go:
go install github.com/ariary/cfuzz/cmd/cfuzz@latestIndicate:
- the command, with the fuzzing part determined with the keyword
FUZZ - the wordlist
and let's get it!
export CFUZZ_CMD="printf FUZZ | sudo -S id" # Example bruteforcing user password, I haven't found better
cfuzz -w [wordlist] Or if you prefer in one line:
# example for subdomain enum
cfuzz -w [wordlist] -t 5 ping -c 4 FUZZ.domain.netAdditionnaly it is possible to:
Additionaly, it is possible to filter displayed results:
stdout filters:
-omin, --stdout-min filter to only display if stdout characters number is lesser than n
-omax, --stdout-max filter to only display if stdout characters number is greater than n
-oeq, --stdout-equal filter to only display if stdout characters number is equal to n
-ow, --stdout-word filter to only display if stdout cointains specific wordstderr filters:
-emin, --stderr-min filter to only display if stderr characters number is lesser than n
-emax, --stderr-max filter to only display if stderr characters number is greater than n
-eeq, --stderr-equal filter to only display if stderr characters number is equal to n
-ew, --stderr-word filter to only display if stderr cointains specific wordexecution time filters:
-tmin, --time-min filter to only display if exectuion time is shorter than n seconds
-tmax, --time-max filter to only display if exectuion time is longer than n seconds
-teq, --time-equal filter to only display if exectuion time is shorter than n secondscommand exit code filters:
--success filter to only display if execution return a zero exit code
--failure filter to only display if execution return a non-zero exit codeTo only display results that don't pass the filter use -H or --hide flag.
To make cfuzz more flexible and adapt to different constraints, many options are possible:
-w, --wordlist wordlist used by fuzzer
-d, --delay delay in ms between each thread launching. A thread executes one command. (default: 0)
-k, --keyword keyword used to determine which zone to fuzz (default: FUZZ)
-s, --shell shell to use for execution (default: /bin/bash)
-to, --timeout command execution timeout in s. After reaching it the command is killed. (default: 30)
-i, --input provide command stdin
-if, --stdin-fuzzing fuzz sdtin instead of command line
-m, --spider fuzz multiple keyword places. You must provide as many wordlists as keywords. Provide them in order you want them to be applied
-sw, --stdin-wordlist provide wordlist in cfuzz stdinIt is also possible to choose which result field is displayed in cfuzz output (also possible to use several):
-oc, --stdout display stdout number of characters
-ec, --stderr display stderr number of characters
-t, --time display execution time
-c, --code display exit code
-Hb, --no-banner do not display banner
-r, --only-word only display words
-f, --full-output display full command execution output (can't be combined with others display mode)