Fuzzing vs Enumeration vs Brute Forcing (not just in terms of password-cracking)


Hello! Love this question.

All of these three things fall in the same general idea; you're shoving forced input into something, usually in an automated way, to achieve some form of outcome. They're used for different things though.

Fuzzing is most commonly used in application testing. Fuzzing takes a variety of input and feeds it into various pieces of logic, usually where users will have the option to provide input, using random or unexpected input. The goal is to uncover behavior you wouldn't expect. You might fuzz for SQLi (SQL Injection) with various SQL statements (think sqlmap, the tool), or you might feed it non-English characters, punctuation, and more. You're basically trying to break your system, or ensure that your logic doesn't break when someone puts in an extra ' or ".

Enumeration is the act of, well, enumerating objects. You can enumerate anything: file types, file names, website subdomains, paths, etc. Commonly, enumeration is used in web application testing or Capture-The-Flag/HackTheBox type events where you want to uncover hidden directories in a URL, enumerate the types of software installed on a machine, or simply understand the directory and what exists on the machine as a whole. Other times, in the case of a penetration test, you might want to enumerate valid usernames to try and brute-force the passwords.

Well, brute-forcing is generally mentioned in terms of password cracking, but really the concept can be applied to both fuzzing and enumeration. You're simply taking some type of input, usually stored in the form of a text file full of passwords, naughty SQLi, naughty punctuation, common URLs, usernames, wordlists, etc., so long as you're simply "guessing" multiple times until you get the answer. Think of a padlock with 4 numbers on it. You have 0000 - 9999. If you started with 0000... 0001... 0002... 0003... and so on, you're brute-forcing the lock. Modern brute-forcing usually involves automated tools.
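As an added illustration (not part of the original answer) of the fuzzing point above, the harness below feeds quotes, punctuation and non-English characters into two hypothetical lookup functions against an in-memory SQLite table: one that concatenates the input into the query, and one that binds it as a parameter. The fuzzer reports which inputs make each version raise a database error, which is exactly the "does an extra ' break my logic" check the answer describes.

```python
import random
import sqlite3
import string

# Constructed seed cases: the kinds of "unexpected" input the answer mentions.
SEED_INPUTS = ["alice", "O'Brien", 'say "hi"', "", "名前", "¿qué?", "--", ";"]


def random_input(rng: random.Random, max_len: int = 12) -> str:
    """Random string mixing letters, punctuation (quotes included) and non-ASCII."""
    alphabet = string.ascii_letters + string.punctuation + " 'éñ名"
    return "".join(rng.choice(alphabet) for _ in range(rng.randint(0, max_len)))


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("O'Brien",)])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    # Fragile (hypothetical) version: the input is spliced into the SQL text,
    # so a stray quote changes the statement the database sees.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    # Hardened version: the value is bound as a parameter and never parsed as SQL.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def fuzz(target, rounds: int = 200, seed: int = 1) -> list:
    """Run seed cases plus random strings through target; return inputs that raised."""
    rng = random.Random(seed)
    conn = setup_db()
    failures = []
    for case in SEED_INPUTS + [random_input(rng) for _ in range(rounds)]:
        try:
            target(conn, case)
        except sqlite3.Error as exc:
            failures.append((case, type(exc).__name__))
    return failures


if __name__ == "__main__":
    for fn in (lookup_concat, lookup_param):
        bad = fuzz(fn)
        print(f"{fn.__name__}: {len(bad)} inputs raised; first few: {bad[:3]}")
```

The concatenating version fails on inputs such as O'Brien, while the parameterised version returns the matching row for every case; the same loop, pointed at a file of "naughty" strings instead of the random generator, is the wordlist-driven fuzzing the answer refers to.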