Ffuf vhost fuzzing

Hi,

I tried to understand the reason why I need to filter by size when I fuzz for vhosts. Unfortunately the description does not help me to understand the reason.

Why do I need to filter by size?
Why would a webserver respond with 200 when the vhost does not exist, or does this webserver fall back to the "default" page and the shown size is the size of the default page?

BR truma


From Apache docs:

Having this config file as example:

# Ensure that Apache listens on port 80
Listen 80
<VirtualHost *:80>
    DocumentRoot "/www/example1"
    ServerName www.example.com

    # Other directives here
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/www/example2"
    ServerName www.example.org

    # Other directives here
</VirtualHost>

Due to the fact that the virtual host with ServerName www.example.com is first in the configuration file, it has the highest priority and can be seen as the default or primary server. That means that if a request is received that does not match one of the specified ServerName directives, it will be served by this first <VirtualHost>.

As far as I understand, the assumption "does this webserver fall back to the 'default' page and the shown size is the size of the default page?" would be right in most cases.

Hello r3nt0n,

Thank you for the detailed description. This was also my assumption. But what makes no sense, and brought me to the question, is why I am not able to connect to those websites via browser, because if I receive a 200 via ffuf I should at least see an empty page, but I was not able to see this.

Furthermore, why is it necessary to add an /etc/hosts entry? I know and understand the reason for /etc/hosts, but if I am not completely wrong it should not be necessary to add the entry.

Maybe you could also help me with these questions.

BR

I think I understand what is confusing you. What ffuf is doing to get 200 responses is to send the request to the IP and include a Host header with the name of the virtual host it tries to access. You can do the same test using curl:

curl -i -H "Host: vhost.example.htb" http://10.10.10.10

The reason you are not able to access it via browser is that you request the domain name, and if the browser is not able to resolve it (either using your /etc/hosts or via DNS) it simply doesn't know which IP to send the request to.

Hi.

For those confused like me, I will rephrase.

The IP address of the target is 10.10.10.10
If I'm interested in accessing the index page at vhost.example.htb and vhost.example.htb does not exist, I still get a 200 response code. Why?

As per @r3nt0n's answer, this is due to the way the web server is configured. It defaults back to the page that actually exists (www.example.htb) and returns the status code and response size for THAT page, and not the vhost we're after.

So, while ffuf prints something like that:

mail2                   [Status: 200, Size: 900, Words: 423, Lines: 56]
dns2                    [Status: 200, Size: 900, Words: 423, Lines: 56]
ns3                     [Status: 200, Size: 900, Words: 423, Lines: 56]
dns1                    [Status: 200, Size: 900, Words: 423, Lines: 56]
lists                   [Status: 200, Size: 900, Words: 423, Lines: 56]
webmail                 [Status: 200, Size: 900, Words: 423, Lines: 56]
static                  [Status: 200, Size: 900, Words: 423, Lines: 56]
web                     [Status: 200, Size: 900, Words: 423, Lines: 56]
www1                    [Status: 200, Size: 900, Words: 423, Lines: 56]
<...SNIP...>

Actually, it does not land on any of those pages. It's misleading and utterly confusing.

Also, the course says:

We see that all words in the wordlist are returning 200 OK! This is expected, as we are simply changing the header while visiting http://academy.htb:PORT/. So, we know that we will always get 200 OK. However, if the VHost does exist and we send a correct one in the header, we should get a different response size, as in that case we would be getting the page from that VHost, which is likely to show a different page.

Well, I disagree. It is not expected. We SPECIFICALLY ask for a particular vhost and ffuf tells us: "Yes, it's right there, and it's that big", when in fact none of the vhosts listed by ffuf above exist. While I do understand the logic described above (webserver falling back to the default page, thus serving a 200 and 900 in size), I also understand ffuf should be able to differentiate between a fallback and the actual vhost we're after. A fallback is essentially a redirect, so if ffuf gets a 301, why would it call it a 200, duh?
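To make the fallback behaviour concrete for both the curl/Host-header explanation and the "why filter by size" question discussed in this thread, here is an added, self-contained example (not code from the thread, from ffuf, or from HTB Academy). It starts a tiny local HTTP server that imitates a name-based Apache setup with no catch-all: every unknown Host header gets the first vhost's page with status 200, and only one constructed name (admin.example.htb) has its own content. It then does what ffuf does with `-H "Host: FUZZ.example.htb"`: connects to the IP, varies only the Host header, takes the most common (status, size) pair as the fallback baseline, and keeps only the responses that differ. The wordlist, the domain and the vhost table are constructed assumptions for the demo; no real host is contacted.

```python
import http.client
import http.server
import threading
from collections import Counter

# Constructed inputs for this example (assumptions, not data from the thread).
WORDLIST = ["mail2", "dns2", "ns3", "admin", "dns1", "lists", "webmail", "static"]
DOMAIN = "example.htb"
DEFAULT_VHOST = f"www.{DOMAIN}"

# Simulated vhost table: only these ServerNames have their own DocumentRoot.
# Any other Host header falls through to the first (default) vhost, as the
# Apache docs quoted earlier in the thread describe. The default page is padded
# to exactly 900 bytes to mirror the ffuf output shown above.
VHOSTS = {
    DEFAULT_VHOST: b"<html>" + b"x" * 887 + b"</html>",
    f"admin.{DOMAIN}": b"<html><h1>admin login</h1></html>",
}


class FallbackVhostHandler(http.server.BaseHTTPRequestHandler):
    """Answers 200 for every Host header, like name-based vhosts with no catch-all 404."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        body = VHOSTS.get(host, VHOSTS[DEFAULT_VHOST])  # unknown name -> default vhost
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Bind the simulated server on a free loopback port and serve in the background."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), FallbackVhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, vhost):
    """One ffuf-style request: connect to the IP, vary only the Host header.
    http.client does not add its own Host header when the caller supplies one."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": vhost})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, len(body)


def fuzz_vhosts(ip, port, words, domain):
    """Probe every candidate, then drop the responses that match the fallback page.
    Returns (baseline, hits): baseline is the (status, size) most names produce,
    i.e. the default vhost; hits are the names whose response differs from it."""
    results = {f"{w}.{domain}": probe(ip, port, f"{w}.{domain}") for w in words}
    baseline = Counter(results.values()).most_common(1)[0][0]
    hits = {name: r for name, r in results.items() if r != baseline}
    return baseline, hits


if __name__ == "__main__":
    srv = start_server()
    ip, port = srv.server_address
    baseline, hits = fuzz_vhosts(ip, port, WORDLIST, DOMAIN)
    print(f"fallback baseline: Status: {baseline[0]}, Size: {baseline[1]} (filtered out)")
    for name, (status, size) in hits.items():
        print(f"{name:<25} [Status: {status}, Size: {size}]")
    srv.shutdown()
```

Run it and seven of the eight names come back as 200 with 900 bytes, exactly the "misleading" rows in the ffuf output above; only admin.example.htb survives the baseline filter. That is the whole reason for `-fs 900` (or ffuf's `-ac` auto-calibration, which measures the baseline for you): the server never says 404 or 301 for an unknown name, it just serves the first vhost, so size is the only signal that distinguishes a real vhost from the fallback.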