me.mello Posted June 13, 2011
Author: Punter

About DirBuster

DirBuster (https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project) is a multi-threaded, Java-based application designed to brute force directory and file names on web/application servers. During web application pentesting, finding the sensitive directories, files and folders is always quite tough work. Nowadays we rarely see the default installation files and directories that were common in the olden days, so finding the sensitive pages really gets challenging. In such cases DirBuster helps in finding those unknown and sensitive file names and directories, which can be valuable information to start from in a real web penetration test.

In action with DirBuster

Now I will show you how easy it is to use DirBuster to find those sensitive directories and files on web servers. For the demo I will be using Mutillidae (http://www.owasp.org/index.php/Category:OWASP_Mutillidae), a deliberately vulnerable set of PHP scripts that implement the OWASP Top 10.

Here are the steps to run DirBuster:

1. cd /pentest/web/dirbuster
2. root@punter:/pentest/web/dirbuster# java -jar DirBuster-0.12.jar -u http://192.168.0.103/mutillidae/

Once you start DirBuster it will appear as shown in the screenshot below.

Now browse and select one of the directory brute force lists from the DirBuster folder (for example directory-list-1.0.txt), as shown below.

Now click the Start button and you will see DirBuster begin brute forcing the file names and directories on the web server, as shown below. In the black window you can see all the file names and directories discovered by DirBuster.

One of the discovered files, '../passwords/accounts.txt', looks interesting. On opening it you will see that it contains the passwords for the web server accounts.

Conclusion

Finding those hidden files and directories on a web server is a tedious task for anyone involved in web application pentesting. DirBuster makes that task much simpler and faster with its easy-to-use GUI. Web server owners can just as easily use this tool to find and remove any sensitive files or directories from their servers, taking them one step further in securing them.
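A multi-threaded wordlist run like the one above leaves a dense trail of 404 responses from a single source in the web server's access log, which is the signal a server owner can alert on before the scanner reaches a file such as accounts.txt. The following detector is an added example, not code from the original post or from the DirBuster project: it parses constructed combined-format log lines (the addresses, paths and User-Agent string are made up) and flags any client that produces more than a threshold of 404s on distinct paths within a short window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the "combined" access-log format used by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client walking a wordlist, one visitor mistyping a URL.
SAMPLE_LOG = """\
192.168.0.50 - - [13/Jun/2011:10:00:01 +0000] "GET /mutillidae/admin/ HTTP/1.1" 404 210 "-" "ExampleScanner/1.0"
192.168.0.50 - - [13/Jun/2011:10:00:01 +0000] "GET /mutillidae/backup/ HTTP/1.1" 404 210 "-" "ExampleScanner/1.0"
192.168.0.50 - - [13/Jun/2011:10:00:02 +0000] "GET /mutillidae/config/ HTTP/1.1" 404 210 "-" "ExampleScanner/1.0"
192.168.0.50 - - [13/Jun/2011:10:00:02 +0000] "GET /mutillidae/test/ HTTP/1.1" 404 210 "-" "ExampleScanner/1.0"
192.168.0.50 - - [13/Jun/2011:10:00:03 +0000] "GET /mutillidae/old/ HTTP/1.1" 404 210 "-" "ExampleScanner/1.0"
192.168.0.50 - - [13/Jun/2011:10:00:03 +0000] "GET /mutillidae/tmp/ HTTP/1.1" 404 210 "-" "ExampleScanner/1.0"
192.168.0.7 - - [13/Jun/2011:10:00:05 +0000] "GET /mutillidae/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.168.0.7 - - [13/Jun/2011:10:00:09 +0000] "GET /mutillidae/indx.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_forced_browsing(lines, window_s=10, threshold=5):
    """Return {ip: distinct 404 paths seen} for sources exceeding `threshold` distinct
    404s within any `window_s`-second window. Lines are assumed chronological."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, path) for recent 404s
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404 or rec["ip"] in flagged:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:  # drop stale entries
            q.popleft()
        distinct = len({path for _, path in q})
        if distinct > threshold:
            flagged[rec["ip"]] = distinct
    return flagged
```

A single mistyped URL from an ordinary visitor stays below the threshold, while the wordlist client is flagged on its sixth distinct miss.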