# Enumerating Web Server Files and Directories with DirBuster

****************************************************************

## What is DirBuster?

DirBuster is a multi-threaded Java tool from OWASP that brute-forces directory and file names on web and application servers. It requests candidate paths, taken from a wordlist or generated by pure brute force, and records the ones the server answers differently from its normal "not found" response. That is how unlinked admin panels, backup copies and forgotten old versions of files get found.

It is available from the [Kali dirbuster GitLab](https://gitlab.com/kalilinux/packages/dirbuster) (suggested). Alternatively, there is a [SourceForge download](https://sourceforge.net/projects/dirbuster/).

## Using DirBuster

**Note**: This is written against DirBuster v1.0-RC1, which, at the time of writing, is the version in the Kali repository. If your version number differs, some file names or features may differ as well.

### Starting the Application

To run the application, there are a few options:

**Shellscript:**

If using the version from the [Kali repository](https://gitlab.com/kalilinux/packages/dirbuster), there is a shell script called `DirBuster-1.0-RC1.sh`. Running it with `./DirBuster-1.0-RC1.sh` (the name is case sensitive on Linux) starts the application. On Kali the packaged install also puts a `dirbuster` launcher on the `PATH`, so running `dirbuster` from any directory works too.

**Alternative:**

Alternatively, run the jar file directly from its directory with `java -Xmx256M -jar DirBuster-1.0-RC1.jar`. The `-Xmx` parameter is the maximum heap the JVM may allocate to the program; raise or lower it as desired, but 256M is fine for most situations. Very large wordlists combined with many extensions and a high thread count are the cases where more may be needed.

After starting DirBuster, the following screen should be seen.



### Explanation of Available Options

#### Target URL



This is the target DirBuster will run against. Keep this to targets for which you have explicit (ideally written) permission to test; a brute-force scan is tens of thousands of requests and is not subtle.

This must be in the format `http://IPorDOMAIN:PORT/` or `https://IPorDOMAIN:PORT/`, including the scheme. For example, `http://testphp.vulnweb.com/` and `https://127.168.0.6:8080/` are both valid target URLs, whereas `192.168.82.102:80` is not, because it has no scheme.

#### Work Method



Only two choices:

1. Use GET requests only: DirBuster makes only GET requests when scanning.

2. Auto Switch (HEAD and GET): DirBuster tries HEAD requests first and switches to GET when the server does not answer HEAD usefully (for example, it rejects HEAD outright or answers it inconsistently). A HEAD response carries the headers but no body, so this saves bandwidth and time compared to GET-only scanning. If a scan in this mode finds far less than expected, rerun with GET only; some servers and middleboxes treat HEAD differently from GET.

(If the difference between HEAD and GET requests is a foreign concept, [here is a resource that may be helpful](https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.3).)

#### Number of Threads and Go Faster



The number of threads slider sets how many worker threads DirBuster uses. This greatly hastens or slows the enumeration.

By default it ranges from 1 to 100. By checking the "Go Faster" tick box, this can be raised to up to 500 threads.

The thread count is worth thinking about in terms of the number of requests per second the target tolerates before it blocks or rate-limits you (consider limiting threads) versus the time to finish the enumeration (consider increasing threads). It can also be adjusted after starting the scan (see [Current number of running threads](#current-number-of-running-threads-n-blue)).

As a general rule, if there is no worry about traffic being limited or blocked, increase the thread count above the default of 10 (200 is a good starting point; adjust from there); otherwise scans take much longer than necessary. Bear in mind that a few hundred threads against a small application server can amount to a denial of service, so on a production target that is in scope, start low and keep an eye on the Errors tab.

Note: the number of requests per second can be capped in [Advanced Options - Scan Options](#scan-options), which is a more direct control than the thread count.

#### Select Scanning Type

##### List based brute force (Recommended)



This uses a given file as the input rather than a pure brute-force scan. If the list is good, it is unlikely to miss many (or any) directories and files. A number of lists ship with DirBuster and can be found by clicking the "List Info" button. They live in the same directory as DirBuster (on Kali, `/usr/share/dirbuster/wordlists/`), but any file with URL-valid words/phrases separated by newlines (one word/phrase per line) is acceptable, so lists from other projects such as SecLists work as well.

Note: `#` indicates a comment in the file; DirBuster ignores lines starting with `#`.

##### Pure Brute Force



This generates every string between a minimum (Min length option) and a maximum length (Max length option) over one of the character sets in the dropdown shown above (Char set option), and tries each one. The number of candidates grows exponentially with the maximum length, so this is only practical for short names; a wordlist is almost always the better starting point.

#### Select Starting Options

##### Standard Start Point



This is the typical option. If not selecting this, see [URL Fuzz](#url-fuzz).

See the options below ([Brute Force Dirs](#brute-force-dirs), [Be Recursive](#be-recursive), [Dir to start with](#dir-to-start-with), [Brute Force Files](#brute-force-files), [Use Blank Extension](#use-blank-extension), and [File Extension](#file-extension)) for settings that you may want to change.

##### Brute Force Dirs

When selected, DirBuster searches for directories.

##### Be Recursive

When selected, the scan recurses into each directory it finds: if the scan finds the directory `/direct`, it repeats the entire scan (for example, every entry of the list, with every extension) inside `/direct` as well. Every directory found multiplies the total number of requests, so on a large site consider turning this off and rescanning the interesting directories individually with [Dir to start with](#dir-to-start-with).

##### Dir to start with

This is the directory the scan starts in. It should be a known valid directory. To scan the whole server, use the default `/`. To start the scan in a specific directory, give that directory's path instead.

Example:

The scan will start in the `/direct` directory if the option is set to `/direct`.

##### Brute Force Files

This option makes DirBuster search for files as well. See [Use Blank Extension](#use-blank-extension) and [File Extension](#file-extension) for more information.

##### Use Blank Extension

This also tests files without an extension (for example a text file named `thisisatxtfile`, with no `.txt`), so that extensionless files are not overlooked during the scan. It costs one extra request per list entry. Use as desired.

##### File Extension

DirBuster checks for each file extension given here (as well as extensionless files when [Use Blank Extension](#use-blank-extension) is active). Each extension increases scan time, however, as DirBuster runs the entire word list/brute-force set once per extension.

Multiple extensions can be added by separating them with a comma and a space. (For example, `php, html, jpg, txt` searches for files with ".php", ".html", ".jpg", or ".txt" extensions.) See the image below for an example:



Consider what technology the target runs when selecting extensions. Apache itself is not tied to any language, so `php` is the right choice when the site actually serves PHP (existing URLs end in `.php`, or the `X-Powered-By` header says so); on IIS, `asp` and `aspx` are the usual picks; on Java servlet containers, `jsp`. Backup and editor leftovers such as `bak`, `old`, `zip` and `txt` are worth a pass on any stack, since they are what most often exposes source code or credentials.

##### URL Fuzz



Lets you place the list entries anywhere in the request path rather than only as a path component under the start directory.

Non-standard option; if not selecting this, see [Standard Start Point](#standard-start-point).

##### URL to Fuzz

The URL template to fuzz. `{dir}` marks where DirBuster inserts each entry, so a template such as `/{dir}.bak` (illustrative) tests every list entry as a backup file in the web root.
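
The options above decide what actually gets requested. As an added example (my own code, not DirBuster's), the following Python reproduces how the scanning-type and starting options expand into candidate URLs, so the size of a scan can be estimated before it is run. The wordlist format, the "comma, space" extension syntax and the `{dir}` marker follow this page; the detail that directory candidates are requested with a trailing slash is my assumption, and the sample wordlist is constructed.

```python
# Added example, not DirBuster's own code: how the scanning-type and starting
# options expand into candidate URLs, and how many requests that is.
# Assumptions (mine): the wordlist format is "one entry per line, '#' lines are
# comments" as stated above; each word is retried once per extension plus once
# bare when Use Blank Extension is on; directory candidates end in "/"; and
# {dir} in a URL Fuzz template is replaced verbatim.
import itertools
import string
from typing import Iterator, List

# Constructed sample wordlist in the format the page describes.
SAMPLE_WORDLIST = """\
# demo list (constructed for this example)
admin
images
index
backup

login
"""

# A few of the character sets a pure brute-force run can use.
CHARSETS = {
    "a-z": string.ascii_lowercase,
    "0-9": string.digits,
    "a-zA-Z0-9": string.ascii_letters + string.digits,
}


def load_wordlist(text: str) -> List[str]:
    """Parse a DirBuster-style list: one entry per line, '#' lines and blanks ignored."""
    words = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            words.append(line)
    return words


def pure_brute_force(charset: str, min_len: int, max_len: int) -> Iterator[str]:
    """Every string over `charset` whose length is between min_len and max_len."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def pure_brute_force_size(charset: str, min_len: int, max_len: int) -> int:
    """How many entries pure_brute_force() yields, without generating them."""
    n = len(charset)
    return sum(n ** length for length in range(min_len, max_len + 1))


def expand_extensions(words: List[str], extensions: str, blank_extension: bool) -> List[str]:
    """Apply File Extension ("php, html, txt") and Use Blank Extension to each word."""
    exts = [e.strip().lstrip(".") for e in extensions.split(",") if e.strip()]
    out = []
    for w in words:
        if blank_extension:
            out.append(w)
        out.extend(f"{w}.{e}" for e in exts)
    return out


def standard_candidates(base_url: str, start_dir: str, words: List[str],
                        extensions: str = "", brute_dirs: bool = True,
                        brute_files: bool = True, blank_extension: bool = False) -> List[str]:
    """Standard Start Point: one directory probe and one probe per extension for each word."""
    root = base_url.rstrip("/") + "/" + start_dir.strip("/")
    root = root.rstrip("/") + "/"          # "Dir to start with", normalised to /x/
    cands = []
    if brute_dirs:
        cands.extend(root + w + "/" for w in words)
    if brute_files:
        cands.extend(root + f for f in expand_extensions(words, extensions, blank_extension))
    return cands


def fuzz_candidates(base_url: str, template: str, words: List[str]) -> List[str]:
    """URL Fuzz: substitute each entry for the {dir} marker in the template path."""
    if "{dir}" not in template:
        raise ValueError("URL to Fuzz must contain the {dir} marker")
    return [base_url.rstrip("/") + template.replace("{dir}", w) for w in words]


def estimate_requests(n_words: int, n_extensions: int, brute_dirs: bool = True,
                      brute_files: bool = True, blank_extension: bool = False) -> int:
    """Requests for one directory level; Be Recursive repeats this per directory found."""
    per_word = 1 if brute_dirs else 0
    if brute_files:
        per_word += n_extensions + (1 if blank_extension else 0)
    return n_words * per_word


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST)
    for url in standard_candidates("http://testphp.vulnweb.com/", "/", words,
                                   "php, jpg", blank_extension=True):
        print(url)
    # The medium list that ships with DirBuster has on the order of 200,000
    # entries; with two extensions plus a blank extension, one level costs:
    print(estimate_requests(220_000, 2, blank_extension=True), "requests per level")
    print(pure_brute_force_size(CHARSETS["a-z"], 1, 4), "candidates for a-z, length 1-4")
```

`estimate_requests` is the number to look at before pressing Start: every extension adds a full pass over the list, Use Blank Extension adds another, and Be Recursive multiplies the total by the number of directories found. `pure_brute_force_size` makes the same point for the brute-force mode; four lowercase characters is already almost half a million candidates.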

#### Options (Tab)



##### Follow Redirects

Allows DirBuster to follow redirects to the redirected location. A directory is often detected precisely because `/dir` answers with a redirect to `/dir/`, and when redirects are followed the status and size you see are those of the final page rather than of the hit itself, so leave this off unless you specifically want the final page.

##### Parse HTML

Allows DirBuster to parse the HTML of pages it retrieves for links to further directories and files, so it can locate content referenced from HTML without having to guess it. This needs responses with a body, so it works with GET rather than HEAD.

##### Look and Feel

Changes the appearance of the DirBuster GUI.

### Advanced Options

#### HTML Parsing Options



Allows editing certain aspects of the HTML parsing feature from [Options](#options-tab).

#### Authentication Options



Allows the use of [HTTP authentication](https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/understanding-http-authentication) (credentials sent in the `Authorization` header) for targets that sit behind it.

#### HTTP Options



Here you can set custom HTTP headers and route requests through a proxy. Custom headers are how you scan as an authenticated user of an application that uses cookies rather than HTTP authentication (add the `Cookie` header from a logged-in session), and a proxy such as Burp Suite lets you record every request and response the scan makes.

#### Scan Options



##### Connection Time out

Time (in seconds) before a connection attempt is abandoned. Raise it for slow targets so that slow responses do not pile up as connection errors in the [Errors](#errors) tab.

##### Limit number of requests per second and Number of requests per second

When "Limit number of requests per second" is checked, the value in "Number of requests per second" is the maximum rate at which DirBuster will make requests, regardless of the thread count. This is the setting to use when the target has rate limiting or a WAF in front of it, or when the engagement asks you to stay under a given load.
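
As an added example (my own code, not DirBuster's), here is a small single-threaded scanner in Python that implements Auto Switch (HEAD and GET), Be Recursive and the requests-per-second limit from the sections above, run against an in-memory fake site so it works offline. The fake site, the use of a random name to learn each directory's "not found" status, and treating a 405 or 501 answer to HEAD as the trigger to switch to GET are my assumptions about the behaviour, not facts taken from DirBuster.

```python
# Added example, not DirBuster's own code: a minimal single-threaded scanner
# that reproduces three options described above: Work Method "Auto Switch
# (HEAD and GET)", "Be Recursive", and "Limit number of requests per second".
# Assumptions (mine, not taken from DirBuster): the target is an in-memory fake
# so this runs offline; each directory's "not found" status is learned from a
# random name; a 405 or 501 answer to HEAD is what triggers the switch to GET.
import random
import string
import time
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, int]                   # (status, body length)
Transport = Callable[[str, str], Response]   # (method, url) -> Response

# Constructed fake site: path -> (status, body). One path rejects HEAD.
FAKE_SITE: Dict[str, Tuple[int, bytes]] = {
    "/admin/": (200, b"<html>admin panel</html>"),
    "/admin/login.php": (200, b"<form>...</form>"),
    "/images/": (403, b"Forbidden"),
    "/backup.txt": (200, b"db password: hunter2"),
}
HEAD_REJECTED = {"/backup.txt"}


def fake_transport(method: str, url: str) -> Response:
    """Stand-in for a real HTTP client (urllib.request would do) so the example is offline."""
    path = "/" + url.split("://", 1)[1].split("/", 1)[1]
    if method == "HEAD" and path in HEAD_REJECTED:
        return 405, 0
    status, body = FAKE_SITE.get(path, (404, b"<html>not found</html>"))
    return status, 0 if method == "HEAD" else len(body)


class RateLimiter:
    """Spaces calls so at most `per_second` happen per second (0 = unlimited)."""

    def __init__(self, per_second: float):
        self.interval = 1.0 / per_second if per_second else 0.0
        self.next_ok = 0.0

    def wait(self) -> None:
        now = time.monotonic()
        if now < self.next_ok:
            time.sleep(self.next_ok - now)
        self.next_ok = max(now, self.next_ok) + self.interval


class Scanner:
    def __init__(self, base: str, transport: Transport, words: List[str],
                 extensions: List[str], requests_per_second: float = 0.0,
                 auto_switch: bool = True, recursive: bool = True):
        self.base, self.transport = base.rstrip("/"), transport
        self.words, self.exts = words, extensions
        self.limiter = RateLimiter(requests_per_second)
        self.recursive = recursive
        self.use_head = auto_switch          # "Use GET requests only" never sends HEAD
        self.found: Dict[str, int] = {}
        self.requests = 0

    def _request(self, method: str, url: str) -> int:
        self.limiter.wait()                  # "Limit number of requests per second"
        self.requests += 1
        return self.transport(method, url)[0]

    def _probe(self, url: str) -> int:
        """Auto Switch: HEAD first; once the server rejects HEAD, use GET from then on."""
        if self.use_head:
            status = self._request("HEAD", url)
            if status not in (405, 501):
                return status
            self.use_head = False
        return self._request("GET", url)

    def scan_dir(self, directory: str = "/") -> None:
        nonce = "".join(random.choices(string.ascii_lowercase, k=12))
        not_found = self._probe(self.base + directory + nonce + "/")   # baseline
        subdirs = []
        for w in self.words:
            url = self.base + directory + w + "/"                      # Brute Force Dirs
            if (st := self._probe(url)) != not_found:
                self.found[url] = st
                subdirs.append(directory + w + "/")
            for ext in self.exts:                                      # Brute Force Files
                url = self.base + directory + w + "." + ext
                if (st := self._probe(url)) != not_found:
                    self.found[url] = st
        if self.recursive:                                             # Be Recursive
            for sub in subdirs:
                self.scan_dir(sub)

    def run(self, start_dir: str = "/") -> Dict[str, int]:
        self.scan_dir(start_dir)
        return dict(self.found)


if __name__ == "__main__":
    s = Scanner("http://example.test", fake_transport,
                ["admin", "images", "backup", "login"], ["php", "txt"], requests_per_second=50)
    for url, status in sorted(s.run().items()):
        print(status, url)
    print(f"{s.requests} requests; still using HEAD: {s.use_head}")
```

The `requests` counter shows what Auto Switch costs: exactly one extra request at the moment the fallback happens, after which everything is GET. The `403` on `/images/` is reported as a hit because it differs from the learned baseline, which is the same reason a real scan lists forbidden paths. To use this against a host you are authorised to test, replace `fake_transport` with a function that issues the request with `urllib.request` and returns `(status, body_length)`.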

****************************************************************

## During the Scan



### Scan Estimation and details (Pink)

In the pink section above, you can find the Current Speed, the Average Speed, the Total Requests (Finished/Estimated Total) and the Time to Finish.

### Current number of running threads: N (Blue)

In the blue section above, you can find the number of currently running threads. You can also raise or lower the number of threads with the text entry box.

### Control Panel (Green)

Allows the scan to be paused temporarily with the pause button, or stopped entirely with the stop button.

### Scan Information (Purple)

In the purple section you can find the various information provided by the scan. You can see the progress of each directory and file-extension search in the scan information view.

### Results - List View: Dirs: X Files: Y



This tab shows a list view of the found files/directories in real time; the tab title shows how many directories and files have been found so far. As can be seen in the image above, each row shows whether the found object is a file or a directory, its location, the response code given when accessing it, and the size of the response. The response code and size are the columns worth reading: a `403` still confirms that the path exists, and a run of hits that all share one size is usually a catch-all page rather than real content.

### Results - Tree View



This tab shows a tree view of the found files/directories in real time, again with the running counts in the tab title. As can be seen in the image above, you can see the directory structure as a tree, the response given when accessing each object, and the size of the object.

Selecting an object and right clicking allows the page to be opened in a browser, the response to be viewed, or the URL of the object to be copied (see below).



### Errors



Shows errors that occurred when trying to access certain pages. Typically filled with connection errors, but worth looking at if running into issues: a sudden wall of errors part way through a scan usually means the target (or something in front of it) has started refusing connections, which is the moment to lower the thread count or set a requests-per-second limit.

### Reports

After the scan finishes, clicking the Report button in the bottom right opens the following screen.



This generates the reports you select. The save location and name of the reports can be chosen. There are a few formats to choose from; each can be seen below.

#### Full text report(.txt)



#### Simple text list (simple.txt)

Can show both files and dirs, only dirs, or only files. This is the handiest format for feeding the results into other tools or scripts.



#### XML report (.xml)



#### CSV report (.csv)



****************************************************************

## Example Use

Below is a short example of scanning `http://testphp.vulnweb.com:80/` (Acunetix's deliberately vulnerable demo site, which is meant to be scanned).

### Example Options



Used max threads and Auto Switch to increase speed; there is no reason to be stealthy here, and if the connection gets limited that is not a problem for the purposes of the example.

Used the smallest list that came with DirBuster, since no extensive search is needed.

Used Standard Start Point from the default directory `/`, and searched for directories and files with `.php` and `.jpg` extensions.

### Example Running



The other views can be seen in [Results - List View](#results---list-view-dirs-x-files-y) and [Results - Tree View](#results---tree-view), as they were taken from this same example.

### Connection Refused

The target eventually blocked the connection temporarily because of the influx of traffic. This is the expected outcome of running a few hundred threads with no rate limit; on a real engagement it costs you time (the scan has to be resumed) and it leaves a very visible trail in the target's logs. The thread count and the requests-per-second limit in [Scan Options](#scan-options) exist to stay under that threshold.
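
For the view from the other side, here is an added example (my own code, not from the page) of what such a scan looks like in the target's access log and how a defender picks it out. The log lines are constructed for this example in Apache "combined" format, and the detector keys on behaviour, a burst of "not found" responses from one client, rather than on the User-Agent string, because the HTTP Options let a scanner operator set that to anything.

```python
# Added example, not from the page: the defender's view of the scan. A small
# detector over Apache "combined" access-log lines that flags a client
# producing a burst of "not found" responses, which is what a wordlist scan
# looks like from the server side. The log lines are constructed here; the
# User-Agent value is arbitrary because the scanner's HTTP Options let the
# operator set it, so the rule keys on behaviour rather than the UA string.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def build_sample_log() -> List[str]:
    """Constructed log: one scanner (40 misses in two seconds) and one normal user."""
    scanner_ip = "203.0.113.7"
    words = ["admin", "backup", "cgi-bin", "config", "db", "images", "include",
             "js", "lib", "login", "old", "private", "secret", "test", "tmp",
             "upload", "vendor", "wp-admin", "xml", "zip"]
    lines = []
    for i, w in enumerate(words):
        ts = f"10/Oct/2023:13:55:{36 + i // 10:02d} +0000"
        for path in (f"/{w}/", f"/{w}.php"):
            lines.append(f'{scanner_ip} - - [{ts}] "HEAD {path} HTTP/1.1" 404 - "-" "scanner/1.0"')
    lines.insert(3, '198.51.100.20 - - [10/Oct/2023:13:55:36 +0000] '
                    '"GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"')
    lines.append('198.51.100.20 - - [10/Oct/2023:13:55:40 +0000] '
                 '"GET /missing.png HTTP/1.1" 404 210 "http://example.test/" "Mozilla/5.0"')
    return lines


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_bursts(lines: List[str], window_seconds: int = 10, threshold: int = 20,
                  statuses: Tuple[int, ...] = (404,)) -> Dict[str, dict]:
    """Flag clients with >= threshold responses in `statuses` inside a sliding window.

    Add 403 to `statuses` if your server answers guessed paths that way, and set
    `threshold` above the worst legitimate client (broken links, missing favicons).
    """
    windows: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] not in statuses:
            continue
        q = windows[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = {
                "first": q[0][0], "last": rec["ts"], "misses": len(q),
                "user_agent": rec["ua"], "sample_paths": [p for _, p in list(q)[:5]],
            }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bursts(build_sample_log()).items():
        print(f"{ip}: {a['misses']} misses between {a['first']:%H:%M:%S} and "
              f"{a['last']:%H:%M:%S}, e.g. {', '.join(a['sample_paths'])}")
```

The same sliding-window rule is what a WAF or fail2ban-style filter applies before it starts refusing connections, which is what happened in the screenshot above. Tuning the scanner's requests-per-second limit below that threshold is the attacker's side of the same calculation.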



### Example Reports

Same reports as in [Reports](#reports)!