me.mello

Bruteforcing File Names on Webservers using DirBuster


Author: Punter

About DirBuster

DirBuster (https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project) is a multi-threaded, Java-based application designed to brute-force directory and file names on web/application servers. During web application pentesting, finding sensitive directories, files and folders is often quite tough work.

Nowadays we rarely see the default installation files and directories that were common in the old days, so finding sensitive pages has become genuinely challenging. In such cases DirBuster helps in finding those unknown and sensitive file names and directories, which can be very useful information to start with in a real web penetration test.

In action with DirBuster

Now I will show you how easy it is to use DirBuster to find those sensitive directories and files on webservers. For the demo I will be using Mutillidae (http://www.owasp.org/index.php/Category:OWASP_Mutillidae), a deliberately vulnerable set of PHP scripts that implement the OWASP Top 10.

Here are the steps to run DirBuster:

1. cd /pentest/web/dirbuster
2. java -jar DirBuster-0.12.jar -u http://192.168.0.103/mutillidae/

(run as root@punter:/pentest/web/dirbuster# in the demo; the -u option sets the target URL to brute-force)

Once you start DirBuster, it appears as shown in the screenshot below.

[Screenshot: dirbuster1.jpg]

Now browse to and select one of the directory brute-force wordlists shipped in the DirBuster folder (for example directory-list-1.0.txt), as shown below.

[Screenshot: dirbuster2.jpg]

Now press the Start button and you will see DirBuster begin brute-forcing file names and directories on the webserver, as shown below. In the black window you can see all the file names and directories discovered by DirBuster.

[Screenshot: dirbuster3.jpg]

One of the discovered files, '../passwords/accounts.txt', looks interesting. On opening it you will see that it contains the passwords for the webserver's accounts.

[Screenshot: dirbuster4.jpg]

Conclusion

Finding hidden files and directories on a webserver is a tedious task for anyone involved in web application pentesting. DirBuster makes that task much simpler and faster with its easy-to-use GUI.

Webserver owners can just as easily use this tool to find and remove sensitive files and directories from their own servers, taking one more step towards securing them.
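A defender-side counterpart to the scan shown above, written for this post as an added example (it is not DirBuster's own code): it parses Apache common-log lines and flags clients that produce a burst of 404s with a high overall 404 ratio, which is the footprint a wordlist brute-force like DirBuster leaves in an access log. The log lines, client IPs and thresholds are constructed assumptions, not values from the original post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache common-log sample: 192.168.0.77 guesses paths under
# /mutillidae/ the way DirBuster does (one hit, many 404s); .50 browses normally.
SAMPLE_LOG = """\
192.168.0.50 - - [10/Oct/2023:13:55:01 +0000] "GET /mutillidae/index.php HTTP/1.1" 200 5124
192.168.0.77 - - [10/Oct/2023:13:55:02 +0000] "GET /mutillidae/admin/ HTTP/1.1" 404 221
192.168.0.77 - - [10/Oct/2023:13:55:02 +0000] "GET /mutillidae/backup/ HTTP/1.1" 404 221
192.168.0.77 - - [10/Oct/2023:13:55:03 +0000] "GET /mutillidae/config.php HTTP/1.1" 404 221
192.168.0.50 - - [10/Oct/2023:13:55:04 +0000] "GET /mutillidae/styles.css HTTP/1.1" 200 1290
192.168.0.77 - - [10/Oct/2023:13:55:04 +0000] "GET /mutillidae/passwords/accounts.txt HTTP/1.1" 200 412
192.168.0.77 - - [10/Oct/2023:13:55:05 +0000] "GET /mutillidae/test/ HTTP/1.1" 404 221
192.168.0.77 - - [10/Oct/2023:13:55:06 +0000] "GET /mutillidae/old/ HTTP/1.1" 404 221
192.168.0.50 - - [10/Oct/2023:13:55:40 +0000] "GET /mutillidae/missing.png HTTP/1.1" 404 221
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Parse one common-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}

def find_scanners(log_text, window=timedelta(seconds=60), min_404=5, min_ratio=0.8):
    """Flag clients with >= min_404 404s inside any `window` and an overall
    404 ratio >= min_ratio (assumed thresholds). Returns {ip: (requests, 404s)}."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        t404 = sorted(r["time"] for r in recs if r["status"] == 404)
        burst, start = False, 0
        for end in range(len(t404)):            # sliding window over 404 times
            while t404[end] - t404[start] > window:
                start += 1
            if end - start + 1 >= min_404:
                burst = True
                break
        if burst and len(t404) / len(recs) >= min_ratio:
            flagged[ip] = (len(recs), len(t404))
    return flagged
```

The ratio check keeps a single visitor who clicks a few dead links from being flagged, while the windowed count catches the rapid run of misses that a wordlist scan produces even when a few guesses hit real files.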
