+++
title = 'HowTo dirbust'
date = 2024-12-04
image = 'https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fmedia.tenor.com%2FitzjDO82OoMAAAAM%2Fsoldier-kick.gif&f=1&nofb=1&ipt=b79054f30ab3b1a5aad40a4ee346329aaeb3aa762c007749ac97f301ac771bd6&ipo=images'
+++

![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fmedia.tenor.com%2FitzjDO82OoMAAAAM%2Fsoldier-kick.gif&f=1&nofb=1&ipt=b79054f30ab3b1a5aad40a4ee346329aaeb3aa762c007749ac97f301ac771bd6&ipo=images)

## Tools

We have 2 good options:

### [ffuf](https://github.com/ffuf/ffuf)

`ffuf -r -sf -ac -w ./wordlist.txt -u http://scanme.sh/FUZZ`

Pros:

- has the great `-ac` option, which automatically calibrates filters to drop likely false positives
- `-sf` stops the scan when > 95% of responses return 403 Forbidden
- `-enc` can encode the wordlist with a URL or base64 encoder
- you can specify multiple wordlists
- `-mode` lets you combine multiple wordlists and multiple `FUZZ` keywords (like in Burp Suite)
- you can specify a rate limit
- more matching options
- has recursive scanning
- better UI (plus an interactive mode)

Cons:

- you need to hack your way around to get it working as a Go library
- you must specify `FUZZ` in the URL

### [gobuster](https://github.com/OJ/gobuster)

`gobuster dir -r -k -w ./wordlist.txt -u "http://scanme.sh/" --exclude-length 2`

`gobuster fuzz -r -k -w ./wordlist.txt -u "http://scanme.sh/FUZZ" --exclude-length 2`

Pros:

- for some of my tests it produced fewer false positives
- I've made a Go library for it: [gobuster-lib](/hacking/howto_dirb_golang_library/)
- has options to look for backup files (`.bak`, `.1`, ...)
- can randomize the User-Agent

Cons:

- annoying false positives
- doesn't automatically set `--exclude-length` when the 404 page is served with HTTP status 200 (try scanning http://scanme.sh/)
- you can't specify a rate limit, only the number of threads (1 thread is roughly 6-8 pps)

## Wordlists

The rockyou of web dirs: [six2dez/OneListForAll](https://github.com/six2dez/OneListForAll)

[Wordlists post](/hacking/listof_wordlists/)