
When you have a hammer, everything looks like a nail


Sceptre-Cybersec/gohammer


License Lifecycle:Maturing

🔨 GOHAMMER 🔨

Overview

GOHAMMER is a general-purpose web fuzzer written in Go. This project is partly educational to help me learn and play around with the Go language, but it also serves as a more versatile web fuzzer than many other web fuzzers out there.

After playing many hack the box machines and being frustrated with how hard it is to use hydra for password fuzzing and how inflexible many other web fuzzers are, I decided to make one of my own with some functionality that I wish other web fuzzers had.

Useful Functionality:

  • Supports request files captured by BurpSuite for a more flexible and easier fuzzing experience
  • Fuzz anything in the request, from headers to request methods to upload file content
  • Retry failed requests, never miss out on finding an important file due to a bad connection
  • DOS mode for stress testing
  • Transforms: mutate your wordlist on the fly using transform functions
  • Coming soon: User configuration yaml file containing your desired default configuration

Speed:

Gohammer performs similarly to other fuzzing tools like ffuf. Some differences have been noted when fuzzing through a VPN: Gohammer seems to perform slightly better than ffuf when both are running through a VPN, but slightly worse outside of a VPN. One thing to note while using the request file functionality is the Connection: close header. This header is there by default on most requests intercepted by BurpSuite from your browser. It will slow down fuzzing because it tells the host to close each TCP connection after returning an HTTP response. For the fastest fuzzing using request files, remove the Connection: close header.
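The cost of the Connection: close header can be measured locally. The following is an added example, not code from gohammer: it starts a throwaway server with Go's net/http/httptest and counts how many TCP connections the server accepts for the same number of requests, with and without the header. The function name countConnections is made up for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// countConnections sends n sequential GETs to a local test server and returns
// how many TCP connections it accepted; closeHeader adds "Connection: close".
func countConnections(n int, closeHeader bool) (int, error) {
	var accepted int64
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusNoContent) // empty reply, nothing to drain
	}))
	// ConnState fires with StateNew exactly once per accepted TCP connection.
	srv.Config.ConnState = func(_ net.Conn, s http.ConnState) {
		if s == http.StateNew {
			atomic.AddInt64(&accepted, 1)
		}
	}
	srv.Start()
	defer srv.Close()
	tr := &http.Transport{} // fresh connection pool for every measurement
	defer tr.CloseIdleConnections()
	client := &http.Client{Transport: tr}
	for i := 0; i < n; i++ {
		req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
		if err != nil {
			return 0, err
		}
		if closeHeader {
			req.Header.Set("Connection", "close") // as in a Burp-captured request
		}
		resp, err := client.Do(req)
		if err != nil {
			return 0, err
		}
		resp.Body.Close()
	}
	return int(atomic.LoadInt64(&accepted)), nil
}

func main() {
	withClose, _ := countConnections(20, true)
	keepAlive, _ := countConnections(20, false)
	fmt.Println("with Connection: close:", withClose, "keep-alive:", keepAlive)
}
```

With the header, every request pays for a new TCP handshake (and a TLS handshake on HTTPS targets); without it, the requests share one connection.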

Installation:

If you have Go installed:

go install github.com/wadeking98/gohammer@latest

Example Usage:

Simple web fuzzing:

gohammer -u http://127.0.0.1/@0@ -t 32 -e .txt,.html,.php /home/me/myWordlist.txt

DOS mode:

gohammer -u http://127.0.0.1/ -t 32 -dos

DOS mode with wordlist:

gohammer -u http://127.0.0.1/@0@ -t 32 -dos /home/me/myWordlist.txt

Bruteforce username and password:

gohammer -u https://some.site.com/ -method POST -d '{"user":"@0@", "password":"@1@"}' -t 32 /home/me/usernames.txt /home/me/passwords.txt

Bruteforce username and password using wordlists like a user:pass list:

gohammer -u https://some.site.com/ -method POST -d '{"user":"@0@", "password":"@1@"}' -t 32 -no-brute /home/me/usernames.txt /home/me/passwords.txt

Bruteforce username and password using request file:

gohammer -u https://some.site.com/ -f /home/me/Desktop/burpReq.txt -t 32 /home/me/usernames.txt /home/me/passwords.txt

Bruteforce HTTP Basic Auth using transforms:

gohammer -u https://some.site.com/ -H 'Authorization: Basic @t0@' -transform 'b64Encode(@0@:@1@)' -t 32 /home/me/usernames.txt /home/me/passwords.txt

Please feel free to contribute to this project; pull requests are welcome!

Created and Maintained by:

Hack The Box