ffuf & Gobuster Cheatsheet | Hackers Manifest

Quick Reference

Directory brute-forcing, virtual host discovery, and web fuzzing reference.

Directory fuzz	`ffuf -u URL/FUZZ -w wordlist.txt`
With extensions	`ffuf -u URL/FUZZ -w list.txt -e .php,.html`
POST data	`ffuf -u URL -X POST -d "user=FUZZ" -w list.txt`
Header fuzz	`ffuf -u URL -H "X-Header: FUZZ" -w list.txt`
Cookie fuzz	`ffuf -u URL -b "session=FUZZ" -w list.txt`
Multiple wordlists	`ffuf -u URL/W1/W2 -w u.txt:W1 -w p.txt:W2`

Subdomain enum	`ffuf -u URL -H "Host: FUZZ.target.com" -w subs.txt`
With auto-calibrate	`ffuf -u URL -H "Host: FUZZ.target.com" -w subs.txt -ac`
Filter false positives	`ffuf -u URL -H "Host: FUZZ.target.com" -w subs.txt -fs 1234`

Basic dir scan	`gobuster dir -u URL -w wordlist.txt`
With extensions	`gobuster dir -u URL -w list.txt -x php,html`
Status codes	`-s 200,204,301,302,307,401,403`
Threads	`-t 50`
Follow redirects	`-r`
Cookies	`-c "session=abc123"`
Headers	`-H "Authorization: Bearer token"`
Output	`-o results.txt`

DNS enum	`gobuster dns -d target.com -w subs.txt`
Show CNAME	`gobuster dns -d target.com -w subs.txt -c`
Show IPs	`gobuster dns -d target.com -w subs.txt -i`
VHost enum	`gobuster vhost -u URL -w subs.txt`
Append domain	`--append-domain`

/Discovery/Web-Content/common.txt

/Discovery/Web-Content/directory-list-2.3-medium.txt

/Discovery/Web-Content/raft-large-directories.txt

/Discovery/Web-Content/raft-large-files.txt

/Discovery/DNS/subdomains-top1million-5000.txt

/Discovery/DNS/bitquark-subdomains-top100000.txt

ffuf -u URL/FUZZ -w common.txt -fc 404 -t 100

ffuf -u URL/FUZZ -w medium.txt -e .php,.html,.js,.txt -fc 404 -t 50

ffuf -u http://FUZZ.target.com -w subs.txt -ac

ffuf -u URL?FUZZ=test -w params.txt -fc 404 -fs 1234

FFUF & Gobuster Quick Reference