CSbyGB - Pentips

CS By GB - PenTips
- Welcome to CSbyGB's Pentips
Networking, Protocols and Network pentest
Ethical Hacking - General Methodology
External Pentest
- External Pentest
Web Pentesting
Mobile App Pentest
- Android
- IOS
Wireless Pentest
- Wireless pentest
Cloud Pentest
Thick Client Pentest
- Thick Client
Hardware Pentest
- ATM
- IoT
Secure Code Review
- Secure code review
- Java notes for Secure Code Review
AI & AI Pentest
Checklist
Tools
VM and Labs
- General tips
- Setup your pentest lab
Linux
Windows
Programming
Binary Exploitation
OSINT
Pentester hardware toolbox
Post Exploitation
Reporting
- How to report your findings
Red Team
Writeups
Digital skills
Durable skills
- Durable skills wheel/Roue des compétences durables
Projects
- Projects
  - Technical Projects
  - General Projects
Talks
Resources
- A list of random resources

Powered by GitBook

On this page

Subdomain enumeration
Directory busting
API Fuzz

Tools

WFuzz

PreviousPasswords, Hashes and wordlist tools NextWPScan

Last updated 1 year ago

Official description: "Wfuzz provides a framework to automate web applications security assessments and could help you to secure your web applications by finding and exploiting web application vulnerabilities."
It is preinstalled on kali. Check it out on github
is the documentation

Subdomain enumeration

wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://lazyadmin.thm/' -H "HOST: FUZZ.lazyadmin.thm" --hw 968
- hw will filter the response that contains the number of words specified. Very convenient for notfound pages that give 200 code.
- hc 302 will remove all 302 responses from the output

Directory busting

wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt http://target.com/FUZZ

API Fuzz

Check out this article to see how to use it on API