56 lines
2.1 KiB
Markdown
56 lines
2.1 KiB
Markdown
|
+++
|
||
|
title = 'HowTo dirbust'
|
||
|
date = 2024-12-04
|
||
|
image = 'https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fmedia.tenor.com%2FitzjDO82OoMAAAAM%2Fsoldier-kick.gif&f=1&nofb=1&ipt=b79054f30ab3b1a5aad40a4ee346329aaeb3aa762c007749ac97f301ac771bd6&ipo=images'
|
||
|
+++
|
||
|
|
||
|
![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fmedia.tenor.com%2FitzjDO82OoMAAAAM%2Fsoldier-kick.gif&f=1&nofb=1&ipt=b79054f30ab3b1a5aad40a4ee346329aaeb3aa762c007749ac97f301ac771bd6&ipo=images)
|
||
|
|
||
|
<!-- TODO check later if image still available. Also maybe host them here?! Need to add all of them to sources, buh -->
|
||
|
|
||
|
## Tools
|
||
|
|
||
|
We have 2 good options:
|
||
|
|
||
|
### [ffuf](https://github.com/ffuf/ffuf)
|
||
|
|
||
|
`ffuf -r -sf -ac -w ./wordlist.txt -u http://scanme.sh/FUZZ `
|
||
|
|
||
|
pros:
|
||
|
- have great `-ac` which automatically filters potential false-positives
|
||
|
- `-sf` stop when > 95% of responses return 403 Forbidden
|
||
|
- `-enc` can encode wordlist with URL/base64 encoder
|
||
|
- you can specify multiple wordlists
|
||
|
- `-mode` can specify multiple wordlists and multiple FUZZ words (like in burp suite)
|
||
|
- you can specify rate limit
|
||
|
- more matching options
|
||
|
- have recursive scan
|
||
|
- better UI (+ have some interactive mode)
|
||
|
|
||
|
|
||
|
cons:
|
||
|
- you need to hack your way around to get it working as Go library
|
||
|
- you muist specify `FUZZ` in url
|
||
|
|
||
|
### [gobuster](https://github.com/OJ/gobuster)
|
||
|
|
||
|
`gobuster dir -r -k -w ./wordlist.txt -u "http://scanme.sh/" --exclude-length 2 `
|
||
|
`gobuster fuzz -r -k -w ./wordlist.txt -u "http://scanme.sh/FUZZ" --exclude-length 2 `
|
||
|
|
||
|
pros:
|
||
|
- for some of my tests it made less false-positives
|
||
|
- I've made GoLang lib - [gobuster-lib](/hacking/howto_dirb_golang_library/)
|
||
|
- have options to find backup files (`.bak`,`.1`...)
|
||
|
- can randomize user-agent
|
||
|
|
||
|
cons:
|
||
|
- annoying false-positive - don't automatically set `--exclude-length` if got 404 page with HTTP response 200 (try scan http://scanme.sh/)
|
||
|
- you can't specify rate limit, but you can specify threads (1 thread roughly 6-8pps)
|
||
|
|
||
|
## Wordlists
|
||
|
|
||
|
Rockyou for web dirs - [six2dez/OneListForAll](https://github.com/six2dez/OneListForAll)
|
||
|
|
||
|
[Wordlists post](/hacking/listof_wordlists/)
|
||
|
|