Casual_blog/content/hacking/HowTo_dirb.md
2024-11-27 00:13:09 +03:00

+++
title = 'HowTo dirbust'
date = 2024-12-04
image = 'https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fmedia.tenor.com%2FitzjDO82OoMAAAAM%2Fsoldier-kick.gif&f=1&nofb=1&ipt=b79054f30ab3b1a5aad40a4ee346329aaeb3aa762c007749ac97f301ac771bd6&ipo=images'
+++

## Tools

We have two good options:

### ffuf

```bash
ffuf -r -sf -ac -w ./wordlist.txt -u http://scanme.sh/FUZZ
```

pros:

  • has the great `-ac` flag, which auto-calibrates and filters potential false positives
  • `-sf` stops the scan when more than 95% of responses return 403 Forbidden
  • `-enc` can encode the wordlist with a URL or base64 encoder
  • you can specify multiple wordlists
  • `-mode` lets you combine multiple wordlists with multiple FUZZ keywords (like Intruder in Burp Suite)
  • you can specify a rate limit
  • more matching and filtering options
  • has recursive scanning
  • better UI (plus an interactive mode)

cons:

  • you need to hack your way around to get it working as a Go library
  • you must specify FUZZ in the URL

### gobuster

```bash
gobuster dir -r -k -w ./wordlist.txt -u "http://scanme.sh/" --exclude-length 2
gobuster fuzz -r -k -w ./wordlist.txt -u "http://scanme.sh/FUZZ" --exclude-length 2
```

pros:

  • for some of my tests it produced fewer false positives
  • I've made a GoLang lib - gobuster-lib
  • has options to find backup files (.bak, .1, ...)
  • can randomize the User-Agent

cons:

  • annoying false positives: it doesn't automatically set `--exclude-length` when the 404 page comes back with HTTP 200 (try scanning http://scanme.sh/)
  • you can't specify a rate limit, only the number of threads (1 thread is roughly 6-8 pps)
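Both the ffuf `-ac` / `-sf` behaviour above and the gobuster `--exclude-length` false-positive problem come down to the same filtering logic. The following is an added illustration (not code from ffuf, gobuster or this blog) that runs offline on constructed responses: it calibrates a soft-404 signature from probes of random paths, filters candidate results against it, and implements the "stop when mostly 403" check. The `Response` class, sample paths and lengths are all made up for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Response:
    path: str
    status: int
    length: int  # body length in bytes

Signature = Tuple[int, int]  # (status, length) of the soft-404 page

def calibrate(probes: Iterable[Response]) -> Optional[Signature]:
    """Learn the soft-404 signature from responses to random paths that
    cannot exist. Returns None when the probes disagree: a single
    (status, length) filter would then also hide real content."""
    probes = list(probes)
    if not probes:
        return None
    (sig, count), = Counter((p.status, p.length) for p in probes).most_common(1)
    return sig if count == len(probes) else None

def filter_hits(results: Iterable[Response], sig: Optional[Signature]) -> List[Response]:
    """Drop plain 404s and anything matching the calibrated soft-404 signature."""
    return [r for r in results
            if r.status != 404 and (sig is None or (r.status, r.length) != sig)]

def mostly_forbidden(results: Iterable[Response], threshold: float = 0.95) -> bool:
    """True when more than `threshold` of responses are 403: the target is
    blocking the scanner, so continuing only wastes requests (ffuf's -sf idea)."""
    results = list(results)
    if not results:
        return False
    return sum(r.status == 403 for r in results) / len(results) > threshold

# Constructed sample data: the soft-404 page answers 200 with a 1532-byte body.
PROBES = [Response("/zq8x1kd", 200, 1532), Response("/q9v0lm3", 200, 1532),
          Response("/h4s7tbn", 200, 1532)]
CANDIDATES = [
    Response("/admin", 200, 1532),   # soft 404: same shape as the probes
    Response("/login", 200, 4021),   # real page
    Response("/images", 301, 169),   # real directory redirect
    Response("/.git", 403, 277),     # exists but forbidden
    Response("/backup", 404, 0),     # plain 404
]

if __name__ == "__main__":
    for hit in filter_hits(CANDIDATES, calibrate(PROBES)):
        print(hit.status, hit.length, hit.path)
```

Without calibration `/admin` survives the filter, which is exactly the gobuster case where you must pass `--exclude-length` by hand; a real page that happens to have the same length as the soft-404 page would also be hidden, which is the known limitation of length-based filtering.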

## Wordlists

The "rockyou" of web directory wordlists: six2dez/OneListForAll

Wordlists post