
Beginner's guide to DirBuster

In this article we will learn about DirBuster. It is a very useful tool when solving CTF challenges because it helps in finding hidden files and directories.


Introduction

DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.


Starting with DirBuster

To start this tool, open a terminal and type the command: dirbuster

This is what the main interface of the tool looks like. As we can see, there are many options that we can enable while searching for hidden directories and files, so we will explore each option one by one.


The very first input box asks for the target URL, followed by the number of threads to send to the server at a time. After this we need to provide a list of common directory and file names (you can find the default wordlists in /usr/share/dirbuster/wordlists).

Now click Start and after some time the tool will start displaying the directories and files it finds (here we selected the option List based brute force).


Now we have selected the Pure Brute Force option.


It contains a char set, plus input boxes for the minimum and maximum length, and generates a wordlist from those parameters.

Select the char set that you want, provide the Target URL and click Start.


  1. Standard start point: treats entries ending with a / (slash) as directories and entries ending with the specified extension as files.

  2. URL Fuzz: lets the words in the list be inserted directly into the URL in a template-like manner.

  3. Brute Force Dirs: searches for directories.

  4. Brute Force Files: searches for files under the given URL.

  5. Be Recursive: if it finds a folder, it then searches for files and folders inside it.

  6. Blank Extension: searches for files with different extensions.

  7. File Extension: searches only for the specified extension.

Testing

  1. We entered the Target URL: http://192.168.43.87/; this machine is hosted on my local server.

  2. We selected the Work Method Auto Switch (HEAD and GET) because it gives better results.

  3. We set the Number of Threads to 200, as the target is hosted on my own server; when you are testing a real web server, choose the thread count wisely because the server may go down.

  4. We selected List based brute force.

The default wordlists are located in: /root/usr/share/dirbuster/wordlists/


Scan Information:

It shows the results for the different directories and files found.


Results - List View:

It shows the response code for each result, such as 200, 301, 302 or 403.

  1. 1xx: Informational response

  2. 2xx: Success

  3. 3xx: Redirection

  4. 4xx: Client errors

  5. 5xx: Server errors
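Seen from the server side, a list-based scan like the one in the Testing section is a burst of HEAD/GET requests for wordlist-style paths from one client, most of them answered with a 4xx code. The following Python script is an added example (not part of this article or of the DirBuster project) of how a defender can spot that pattern in an Apache access log using the response classes listed above; all log lines, addresses and paths in it are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed Apache combined-log lines (addresses, paths, agents are made up).
# 203.0.113.5 behaves like a DirBuster run using the Auto Switch work method:
# HEAD probes for wordlist paths, mostly 404, then a GET once a path exists.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "HEAD /admin/ HTTP/1.1" 404 0 "-" "scanner"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "HEAD /backup/ HTTP/1.1" 404 0 "-" "scanner"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "HEAD /cgi-bin/ HTTP/1.1" 403 0 "-" "scanner"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "HEAD /images/ HTTP/1.1" 301 0 "-" "scanner"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /images/ HTTP/1.1" 200 312 "-" "scanner"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "HEAD /old/ HTTP/1.1" 404 0 "-" "scanner"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "HEAD /test/ HTTP/1.1" 404 0 "-" "scanner"
198.51.100.7 - - [10/Oct/2023:13:55:45 +0000] "GET /missing.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(  # just enough of the combined format: client, method, path, status
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(log_text):
    """Yield (ip, method, path, status) for every well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])

def status_class(status):
    """Map a status code to the 1xx..5xx class used in the article's list."""
    return f"{status // 100}xx"

def scan_suspects(log_text, min_requests=5, min_miss_ratio=0.6):
    """Flag clients whose requests are mostly 4xx across many distinct paths."""
    per_ip = defaultdict(lambda: {"total": 0, "head": 0, "paths": set(), "classes": defaultdict(int)})
    for ip, method, path, status in parse(log_text):
        s = per_ip[ip]
        s["total"] += 1
        s["head"] += method == "HEAD"
        s["paths"].add(path)
        s["classes"][status_class(status)] += 1
    suspects = {}
    for ip, s in per_ip.items():
        miss_ratio = s["classes"]["4xx"] / s["total"]
        if s["total"] >= min_requests and miss_ratio >= min_miss_ratio:
            suspects[ip] = {"requests": s["total"], "head_requests": s["head"],
                            "distinct_paths": len(s["paths"]), "miss_ratio": round(miss_ratio, 2),
                            "hits": s["classes"]["2xx"] + s["classes"]["3xx"]}
    return suspects

if __name__ == "__main__":
    print(scan_suspects(SAMPLE_LOG))  # expected: only 203.0.113.5 is flagged
```

The single mistyped URL from 198.51.100.7 stays below min_requests, so a lone 404 is not reported; the "hits" count is what the scanner actually learned and is the part worth reviewing.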


Results - Tree View:


It contains a visual site map of the website.

So this was a basic guide to DirBuster.


About the Author: Harshit Rastogi is a pentester, bug hunter and a Technical Writer at HacLabs. Contact him at: rastogiharshit14@gmail.com

LinkedIn profile: https://www.linkedin.com/in/harshit-rastogi-0955231a0