If you have ever looked at how cyberattacks unfold in detail, you know that a typical cyberattack has a few distinct phases. The sequential list of phases is commonly referred to as the cyber kill chain, which is a framework developed by Lockheed Martin over a decade ago, apparently using a military model.

Over the years, the cyber kill chain has evolved and been adopted in a number of different forms. The chain originally had seven phases, but these days an eighth monetization phase is often mentioned. Although a variety of popular frameworks and methodologies define these phases in subtly different ways, I like to think of the different phases of an attack as this boiled-down list:

• Information gathering
• Enumeration
• Exploitation
• Post exploitation

See the box entitled "The Phases" for more on the chain of steps that make up a cyberattack. This article focuses on the enumeration phase and studies some of the tools penetration testers and ethical hackers use to enumerate resources.

Fuzzing and Enumeration

One important concept for the enumeration phase is fuzzing. According to the Open Worldwide Application Security Project (OWASP) [2], "Fuzz testing or Fuzzing is a black box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion." Essentially, fuzzing is throwing lots of data at a particular part of a system using automation and looking for changes in the system's response if something of interest is discovered. Fuzzing can consist of testing numbers, characters (including URLs and command-line input), and metadata in the form of user input.

Rusty Nail

One of my favorite tools for fuzzing and enumeration activities is feroxbuster [3]. I often turn to this tool first when attempting Capture the Flag (CTF) exercises, usually on the inimitable TryHackMe [4]. Feroxbuster is written in the Rust language, and the term ferox is apparently short for ferric oxide (which is basically rust, according to the developer) [5].

The venerable feroxbuster aims at what are called forced browsing attacks. According to OWASP [6], forced browsing is "…an attack where the aim is to enumerate and access resources that are not referenced by the application but are still accessible."

The README in the GitHub repository [3] for feroxbuster talks about hunting for resources (enumerating) that might include unlinked content and could contain "source code, credentials, internal network addressing, etc." Under the forced browsing umbrella, these attacks are also referred to as "predictable resource location, file enumeration, directory enumeration, and resource enumeration."

Feroxbuster is available on pen testing Linux distros like Kali Linux [7], but you can also pull the installation script from GitHub using the curl command:

$ curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/main/install-nix.sh | bash

Before blindly copying and pasting that command, remove the | bash part at the end and read through the script so that you are happy with what you're running locally on your machine – safety first.

The result of running that command will be that a binary called feroxbuster is saved in your current directory. To make sure you can access the file from other directories, copy it into /usr/local/bin or another directory in your user path:

$ mv feroxbuster /usr/local/bin

Pack It Up, Pack It In

Feroxbuster is now ready to use. I'm going to test against a WordPress build running on an AWS instance. I've edited my local /etc/hosts file so that I don't need to alter public DNS. I'll call my target website: target.local.

If you get stuck, feroxbuster comes with a detailed help file that you can find with:

$ feroxbuster --help

The verbose output reveals the following description of the -x command, which I will use in a moment:

-x, --extensions <FILE_EXTENSION>
   File extension(s) to search for (ex: -x php -x pdf js)

I'm going to run feroxbuster over my WordPress site, which uses the PHP language for its dynamic pages. However, feroxbuster (like other tools) needs something to search against. In other words, I need to point feroxbuster at a list of words to check URLs against.

There are a number of lists online containing common passwords; other lists contain just usernames. Still others contain common URLs for other applications. For instance, there is a list for Joomla and even lists for enumerating common Grafana plugins.

I found a handy wordlist for WordPress searches online called wp-exploitable-plugins.txt . With a little bit of searching, you can find word lists for other tools, especially in GitHub repositories.

The initial command I'll use is as follows (from now on you will need to substitute the file path for where the wordlist is saved locally):

$ feroxbuster -w /file/path/for/wp-exploitable-plugins.txt -u http://target.local -x php

I'm using the -w switch to point feroxbuster at the wordlist and -u for the URL to scan. The -x switch relates to the file extensions that are of interest. When I've run feroxbuster in the past, my notes suggest that I've grouped file types as follows:

-x pdf,js,html
-x php txt json docx

In the preceding examples, note that comma- and space-delimited options are equally valid. Figure 1 shows the results of the initial command, which looks for files that end with the extension .php.

Figure 1: The fantastic feroxbuster is firing up.

The eagle-eyed among you will notice that there's an option to specify the number of threads. You can change the number using the ---threads or -t) options. Note that you can also adjust the recursion depth. Adjust the depth with the following settings :

• --force-recursion – force recursion attempts on all found endpoints (still respects recursion depth)
• -n, --no-recursion – do not scan recursively
• -d, --depth <RECURSION_DEPTH> – maximum recursion depth (default is 4); a depth of 0 is infinite recursion

Why am I laboring the point about recursion? If you look in Figure 2, you'll see what follows the opening output shown in Figure 1, which is a heavily abbreviated snippet (slightly reformatted) relating to each directory that the clever feroxbuster has discovered.

Figure 2: Feroxbuster has discovered lots of subdirectories on this website.

And, as you can see in Figure 2, a busy website could have hundreds or thousands of subdirectories that feroxbuster would then dutifully explore. The result of increasing the depth of recursion soon becomes obvious with websites that have lots of content. The time taken to run through every discovered asset is exponentially increased if you increase the depth of recursion.

Other options let you pass authentication information, run through proxies, tweak timeouts, and ignore self-signed certificates. See the GitHub page for the official documentation [8].

Feroxbuster also comes with a Docker installation and execution option; just clone the GitHub repository and build the image from the Dockerfile to use it:

$ docker run --init -it epi052/feroxbuster -u http://example.com -x js,html

If you go down the Docker route, take note of the need to mount a volume to the container if you want to use a pre-baked configuration file. You can scan hundreds of hosts at once using the -parallel option, which "spawns a child process per target passed in over stdin." This option will speed up the execution significantly if connectivity and local hardware behave. Note that this functionality is only present in feroxbuster versions newer than version 2.2.0.