You would be surprised at what people leave unprotected on a web server.
What is DirBuster?
DirBuster is a project by OWASP that will brute force web directories and filenames on a web server / virtual host. This can often reveal unprotected web applications, scripts, old configuration files and many other interesting things that should not be available to the public.
It works through a dictionary file of known file and directory names, and you can specify which dictionary to use.
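How this kind of dictionary-driven probing looks from the server side, as an added example that is not part of the original page or the DirBuster project: a Python check over constructed Apache combined-format log lines that flags clients requesting many distinct paths with mostly 404 responses, and lists the names that did not return 404. The function name find_forced_browsing and both thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines for illustration; not real traffic.
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /backup/ HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /images2/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /tmp/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /private/ HTTP/1.1" 404 196 "-" "-"
198.51.100.20 - - [10/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:00:09 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_forced_browsing(log_text, min_paths=5, min_404_ratio=0.7):
    """Return {ip: summary} for clients whose requests look dictionary-driven."""
    seen = defaultdict(lambda: {"paths": set(), "total": 0, "not_found": 0, "exposed": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined log format
        c = seen[m["ip"]]
        path = m["path"].split("?", 1)[0]  # group guesses by path, not query string
        c["paths"].add(path)
        c["total"] += 1
        if m["status"] == "404":
            c["not_found"] += 1
        elif path not in c["exposed"]:
            # A non-404 answer (200, 301, 401, 403 ...) usually means the name exists.
            c["exposed"].append(path)
    flagged = {}
    for ip, c in seen.items():
        ratio = c["not_found"] / c["total"]
        if len(c["paths"]) >= min_paths and ratio >= min_404_ratio:
            flagged[ip] = {"requests": c["total"], "not_found": c["not_found"],
                           "exposed": c["exposed"]}
    return flagged

if __name__ == "__main__":
    for ip, info in find_forced_browsing(SAMPLE_LOG).items():
        print(ip, info)
```

The "exposed" list is the part to review first: those are the names the server acknowledged and that should either be removed or protected.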
Wordlist location
In Kali, the wordlists are located in /usr/share/wordlists/dirbuster:
apache-user-enum-1.0.txt
apache-user-enum-2.0.txt
directory-list-1.0.txt
directory-list-2.3-small.txt
directory-list-2.3-medium.txt
directory-list-lowercase-2.3-small.txt
directory-list-lowercase-2.3-medium.txt
directories.jbrofuzz
NOTE: DirBuster has been retired by OWASP. Although it is still available to use on Kali, it is no longer updated. The OWASP ZAP Forced Browse option is based on the code from the OWASP DirBuster Project. Read the OWASP documentation here