ariary / cfuzz

Command line fuzzer and bruteforcer 🌪 wfuzz for command
The Unlicense
86 stars 9 forks source link
bruteforce bruteforcing cli fuzzing hacking pentest security

cfuzz


The same thing as [`wfuzz`](https://github.com/xmendez/wfuzz) **but for command line fuzzing. This enables to fuzz any command line execution and filter results.**
*Also a good friend for bruteforcing* { Install it ; Use it }

Why?
To perform fuzzing or bruteforcing we have plenty of awesome tools (fuff and wfuzz for web fuzzing, hydra for network bruteforcing, to mention just a few). cfuzz is a tool that propose a different approach with a step-back. The aim is to be able to fuzz/bruteforce anything that can be transcribed in command line.

Consequently, cfuzz can be seen either as an alternative of these tools for simple use case or an extension cause it handles a huge range of use cases

Origins of the idea: when bruteforcing ipmi service to enumerate users. 3 options: use msfconsole, write module for hydra, manually or programmaticaly parse ipmitool tool output

Demo

|user password bruteforcing| |:---:| |![demo](https://github.com/ariary/cfuzz/blob/main/img/cfuzz-user-demo.gif)|

Install

From release:

curl -lO -L -s https://github.com/ariary/cfuzz/releases/latest/download/cfuzz && chmod +x cfuzz

With go:

go install github.com/ariary/cfuzz/cmd/cfuzz@latest

Usage

Indicate:

and let's get it!

export CFUZZ_CMD="printf FUZZ | sudo -S id" # Example bruteforcing user password, I haven't found better
cfuzz -w [wordlist] 

Or if you prefer in one line:

# example for subdomain enum
cfuzz -w [wordlist] -t 5 ping -c 4 FUZZ.domain.net

Additionnaly it is possible to:

Filter results

Additionaly, it is possible to filter displayed results:

stdout filters:

  -omin, --stdout-min         filter to only display if stdout characters number is lesser than n
  -omax, --stdout-max         filter to only display if stdout characters number is greater than n
  -oeq,  --stdout-equal       filter to only display if stdout characters number is equal to n
  -ow,   --stdout-word        filter to only display if stdout cointains specific word

stderr filters:

  -emin, --stderr-min         filter to only display if stderr characters number is lesser than n
  -emax, --stderr-max         filter to only display if stderr characters number is greater than n
  -eeq,  --stderr-equal       filter to only display if stderr characters number is equal to n
  -ew,   --stderr-word        filter to only display if stderr cointains specific word

execution time filters:

  -tmin, --time-min           filter to only display if exectuion time is shorter than n seconds
  -tmax, --time-max           filter to only display if exectuion time is longer than n seconds
  -teq,  --time-equal         filter to only display if exectuion time is shorter than n seconds

command exit code filters:

  --success                  filter to only display if execution return a zero exit code
  --failure                  filter to only display if execution return a non-zero exit code

To only display results that don't pass the filter use -H or --hide flag.

cfuzz run configuration

To make cfuzz more flexible and adapt to different constraints, many options are possible:

  -w, --wordlist            wordlist used by fuzzer
  -d, --delay               delay in ms between each thread launching. A thread executes one command. (default: 0)
  -k, --keyword             keyword used to determine which zone to fuzz (default: FUZZ)
  -s, --shell               shell to use for execution (default: /bin/bash)
  -to, --timeout            command execution timeout in s. After reaching it the command is killed. (default: 30)
  -i, --input               provide command stdin
  -if, --stdin-fuzzing      fuzz sdtin instead of command line
  -m, --spider              fuzz multiple keyword places. You must provide as many wordlists as keywords. Provide them in order you want them to be applied
  -sw, --stdin-wordlist     provide wordlist in cfuzz stdin

Displayed field

It is also possible to choose which result field is displayed in cfuzz output (also possible to use several):

  -oc, --stdout              display stdout number of characters
  -ec, --stderr              display stderr number of characters
  -t, --time                 display execution time
  -c, --code                 display exit code
  -Hb, --no-banner           do not display banner
  -r, --only-word            only display words
  -f, --full-output          display full command execution output (can't be combined with others display mode)