DirBuster – Brute force a web server for interesting things

You would be surprised at what people leave unprotected on a web server. DirBuster is a Java application that brute forces directory and file names on a web server / virtual host. This can often reveal unprotected web applications, scripts, old configuration files and many other interesting things that should not be available to the public.

It runs through a dictionary file of known file and directory names, and you can specify which dictionary to use.
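Because a wordlist scan requests many paths that do not exist, it leaves a burst of 404 responses from a single client in the web server's access log. The following is an added example, not code from the original post or from the DirBuster project: a small Python detector for that pattern, run over constructed combined-format log lines (the IP addresses, paths and thresholds are invented).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields of an Apache/nginx "combined" access-log line that the detector needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_bruteforce_clients(lines, window=timedelta(seconds=60), min_404s=5):
    """Return {ip: peak_404_count} for clients with at least `min_404s` "not found"
    responses inside any `window`-long interval. The User-Agent header is
    client-controlled, so it is deliberately not used as a signal here."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "404":
            by_ip[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FMT))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_404s:
            flagged[ip] = peak
    return flagged

# Constructed sample: one scanning client, one normal visitor (a single missing
# favicon), and one client whose 404s are hours apart and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /config.old HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /phpinfo.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /cgi-bin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:10 +0000] "GET /index.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:12 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:09:00:00 +0000] "GET /a HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:11:00:00 +0000] "GET /b HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

def flagged_in_sample(window_seconds=60, min_404s=5):
    """Run the detector over the constructed sample with the given thresholds."""
    return find_bruteforce_clients(SAMPLE_LOG.splitlines(),
                                   timedelta(seconds=window_seconds), min_404s)
```

With the defaults only 203.0.113.7 is reported (six 404s in four seconds); the visitor with one missing favicon and the client with two 404s two hours apart are left alone.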

There is plenty of documentation on the OWASP website.

For a quick install (you need Java 1.6 or higher), the following works on Linux (Ubuntu / Fedora / SUSE) and Windows:

  1. Unzip or untar the download
  2. cd into the program directory
  3. To run the program, type java -jar DirBuster-0.10.jar (Windows users should be able to just double click on the jar)
  4. The recommended list to use is directory-list-2.3-medium.txt (a number of different word lists come with the package)

You can also test this out on the excellent Samurai Web Application Security Testing LiveCD.