{"id":161,"date":"2023-04-11T15:23:09","date_gmt":"2023-04-11T13:23:09","guid":{"rendered":"https:\/\/www.mutareb.com\/?p=161"},"modified":"2023-06-18T20:59:36","modified_gmt":"2023-06-18T18:59:36","slug":"username-enumeration-with-ffuf","status":"publish","type":"post","link":"https:\/\/www.mutareb.com\/index.php\/2023\/04\/11\/username-enumeration-with-ffuf\/","title":{"rendered":"Username Enumeration with ffuf"},"content":{"rendered":"\n<p>We can use the existence of error messages like&nbsp;&#8220;<strong>Sorry, that username already exists!<\/strong>&#8221; to produce a list of valid usernames already signed up on the system, using the ffuf command below. ffuf submits each entry from a list of commonly used usernames and reports any that match.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>user@localhost$ ffuf -w \/usr\/share\/wordlists\/SecLists\/Usernames\/Names\/names.txt -X POST -d \"username=FUZZ&amp;email=x&amp;password=x&amp;cpassword=x\" -H \"Content-Type: application\/x-www-form-urlencoded\" -u http:\/\/10.11.12.13\/user\/signup -mr \"Sorry, that username already exists!\" &gt; valid_usernames.txt<\/code><\/pre>\n\n\n\n<p>In the above example, the <code>-w<\/code> argument gives the location of the file on the computer that contains the list of usernames whose existence we are going to check. The <code>-X<\/code> argument specifies the request method; ffuf sends a GET request by default, but our example uses POST. The <code>-d<\/code> argument specifies the data we are going to send. In our example, we have the fields username, email, password and cpassword, and we&#8217;ve set the value of username to <strong>FUZZ<\/strong>. In ffuf, the FUZZ keyword marks where each entry from our wordlist is inserted into the request. The <code>-H<\/code> argument adds extra headers to the request. 
In this instance, we&#8217;re setting the <code>Content-Type<\/code> so the webserver knows we are sending form data. The <code>-u<\/code> argument specifies the URL we are making the request to, and finally, the <code>-mr<\/code> argument is the text we look for in the response to confirm we&#8217;ve found a valid username.<\/p>\n\n\n\n<p>Using the valid_usernames.txt file we generated in the previous task, we can now use this to attempt a brute force attack on the login page (http:\/\/10.11.12.13\/customers\/login).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>user@localhost$ ffuf -w valid_usernames.txt:W1,\/usr\/share\/wordlists\/SecLists\/Passwords\/Common-Credentials\/10-million-password-list-top-100.txt:W2 -X POST -d \"username=W1&amp;password=W2\" -H \"Content-Type: application\/x-www-form-urlencoded\" -u http:\/\/10.11.12.13\/customers\/login -fc 200<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>We can use the existence of error messages like&nbsp;&#8220;Sorry, that username already exists!&#8221; to produce a list of valid usernames already signed up on the system by using the ffuf tool below. The ffuf tool uses a list of commonly used usernames to check against for any matches. 
In the above example, the -w argument&hellip; <a class=\"more-link\" href=\"https:\/\/www.mutareb.com\/index.php\/2023\/04\/11\/username-enumeration-with-ffuf\/\">Continue reading <span class=\"screen-reader-text\">Username Enumeration with ffuf<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[44,43,12],"series":[],"class_list":["post-161","post","type-post","status-publish","format-standard","hentry","category-it-security","tag-ethical-hacking","tag-red-team","tag-security","entry"],"_links":{"self":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts\/161","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/comments?post=161"}],"version-history":[{"count":7,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts\/161\/revisions"}],"predecessor-version":[{"id":207,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts\/161\/revisions\/207"}],"wp:attachment":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/media?parent=161"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/categories?post=161"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/tags?post=161"},{"taxonomy":"series","embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/series?post=161"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}