Skip to content
/ gohammer Public

When you have a hammer, everything looks like a nail

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Sceptre-Cybersec/gohammer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

50 Commits
config
config
 
 
processors
processors
 
 
tests
tests
 
 
utils
utils
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
main.go
main.go
 
 
main_test.go
main_test.go
 
 

Repository files navigation

License Lifecycle:Maturing

🔨 GOHAMMER 🔨

Overview

GOHAMMER is a general purpose web fuzzer written in go. This project is partly educational to help me learn and play around with the GO language, but it also serves as a more versatile web fuzzer than many other web fuzzers out there.

After playing many hack the box machines and being frustrated with how hard it is to use hydra for password fuzzing and how inflexible many other web fuzzers are, I decided to make one of my own with some functionality that I wish other web fuzzers had.

Useful Functionality:

  • Supports request files captured by BurpSuite for a more flexible and easier fuzzing experience
  • Fuzz anything in the request, from headers to request methods to upload file content
  • Retry failed requests, never miss out on finding an important file due to a bad connection
  • DOS mode for stress testing
  • Transforms: mutate your wordlist on the fly using tansform functions
  • Coming soon: User configuration yaml file containing your desired default configuration

Speed:

Gohammer performs similarily to other fuzzing tools like ffuf. Some differences have been noted when fuzzing through a VPN, Gohammer seems to perform slightly better than ffuf when both are running though a VPN, but slightly worse outside of a VPN. One thing to note while using the request file functionality is the Connection: close header. This header is there by default on most requests intercepted by BurpSuite from your browser. It will slow down fuzzing because it tells the host to close each TCP connection after returning an HTTP response. For the fastest fuzzing using request files, remove the Connection: close header

Installation:

If you have GO installed:

go install github.com/wadeking98/gohammer@latest

Example Usage:

Simple web fuzzing:

gohammer -u http://127.0.0.1/@0@ -t 32 -e .txt,.html,.php /home/me/myWordlist.txt

DOS mode:

gohammer -u http://127.0.0.1/ -t 32 -dos

DOS mode with wordlist:

gohammer -u http://127.0.0.1/@0@ -t 32 -dos /home/me/myWordlist.txt

Bruteforce username and password:

gohammer -u https://some.site.com/ -method POST -d '{"user":"@0@", "password":"@1@"}' -t 32 /home/me/usernames.txt /home/me/passwords.txt

Bruteforce username and password using wordlists like a user:pass list

gohammer -u https://some.site.com/ -method POST -d '{"user":"@0@", "password":"@1@"}' -t 32 -no-brute /home/me/usernames.txt /home/me/passwords.txt

Bruteforce username and password using request file:

gohammer -u https://some.site.com/ -f /home/me/Desktop/burpReq.txt -t 32 /home/me/usernames.txt /home/me/passwords.txt

Bruteforce HTTP Basic Auth using transforms:

gohammer -u https://some.site.com/ -H 'Authorization: Basic @t0@' -transform 'b64Encode(@0@:@1@)' -t 32 /home/me/usernames.txt /home/me/passwords.txt

Please feel free to contribute to this project, pull requests are welcome!

Created and Maintained by:

Hack The Box

About

When you have a hammer, everything looks like a nail

Topics

golang opensource penetration-testing webfuzzer penetration-testing-tools

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 7

Fix transform issue Latest
Sep 29, 2023
+ 6 releases

Packages

No packages published

Languages