Directory Brute Force Tools
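# Directory Brute Force Tools

Comprehensive collection of directory and file brute force tools for web application security testing.

Option letters differ between these tools and between releases of the same tool (`-d`, `-p`, `-t`, `-r` and `-u` all mean different things below). Confirm against each tool's `--help` before relying on a one-liner. Cookies and passwords passed on the command line end up in shell history and process listings, so use a dedicated test account.

## Gobuster

### Basic Directory Brute Force

```bash
# Basic directory enumeration
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt

# With custom wordlist
gobuster dir -u http://TARGET_URL -w /path/to/wordlist.txt

# With extensions
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -x php,html,js,txt

# With specific status codes
# (recent 3.x releases refuse -s while the default 404 blacklist is set; -b "" clears it)
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -s 200,204,301,302,307,401,403 -b ""

# With threads
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -t 50

# With delay (long option only; in gobuster 3.x dir mode -d is --discover-backup)
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt --delay 1s

# With cookies
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -c "PHPSESSID=abc123"

# With headers
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -H "User-Agent: CustomAgent"

# With proxy (in current 3.x releases -p is --pattern; the long option is unambiguous)
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt --proxy http://127.0.0.1:8080

# With authentication (HTTP Basic)
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -U admin -P password
```

### Advanced Gobuster Options

```bash
# Recursive directory enumeration
# gobuster dir has no recursion option (-r is --follow-redirect);
# rerun it against each directory it finds
gobuster dir -u http://TARGET_URL/DISCOVERED_DIR/ -w /usr/share/wordlists/dirb/common.txt

# With specific status codes to ignore
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -b 404,500

# With custom user agent
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -a "Mozilla/5.0"

# With follow redirects
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -r

# With timeout (-t is the thread count, not the timeout)
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt --timeout 10s

# With output file
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -o results.txt

# With quiet mode
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -q

# With verbose mode
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -v
```

## Dirb

### Basic Directory Brute Force

```bash
# Basic directory enumeration
dirb http://TARGET_URL

# With custom wordlist
dirb http://TARGET_URL /path/to/wordlist.txt

# With extensions
dirb http://TARGET_URL -X .php,.html,.js,.txt

# With specific status codes
# dirb has no allow-list of status codes (-S is silent mode); save the output and filter it
dirb http://TARGET_URL -o results.txt
grep -E 'CODE:(200|204|301|302|307|401|403)' results.txt

# With threads
# dirb is single-threaded and has no thread option; use one of the other tools for concurrency

# With delay (milliseconds)
dirb http://TARGET_URL -z 1000

# With cookies
dirb http://TARGET_URL -c "PHPSESSID=abc123"

# With headers
dirb http://TARGET_URL -H "User-Agent: CustomAgent"

# With proxy
dirb http://TARGET_URL -p http://127.0.0.1:8080

# With authentication
dirb http://TARGET_URL -u admin:password
```

### Advanced Dirb Options

```bash
# Recursive directory enumeration
# dirb recurses by default; -R asks before entering each directory, -r turns recursion off
dirb http://TARGET_URL -R

# With specific status codes to ignore (-N takes one code; -b means "use path as is")
dirb http://TARGET_URL -N 404

# With custom user agent
dirb http://TARGET_URL -a "Mozilla/5.0"

# With follow redirects
# dirb does not follow redirects; -l prints the Location header of redirect responses
dirb http://TARGET_URL -l

# With timeout
# dirb has no timeout option (-t means "don't force an ending '/' on URLs")

# With output file
dirb http://TARGET_URL -o results.txt

# With quiet mode (silent: do not show tested words)
dirb http://TARGET_URL -S

# With verbose mode (also shows NOT_FOUND pages)
dirb http://TARGET_URL -v
```

## Dirbuster

### GUI-based Directory Brute Force

```bash
# Launch Dirbuster
dirbuster

# Command line usage (-H runs headless, without the GUI)
java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -u http://TARGET_URL -l /usr/share/wordlists/dirb/common.txt

# With extensions
java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -u http://TARGET_URL -l /usr/share/wordlists/dirb/common.txt -e php,html,js,txt

# With threads
java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -u http://TARGET_URL -l /usr/share/wordlists/dirb/common.txt -t 50

# With delay / cookies / headers / proxy / authentication
# These are not among DirBuster's documented command-line options: -H is the headless
# switch, -u is the target URL, and -d, -c and -p are not listed by -h.
# Set them in the GUI options instead, and check the -h output of the installed build.
java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -h
```

## FFuF (Fuzz Faster U Fool)

### Basic Directory Brute Force

```bash
# Basic directory enumeration
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ

# With custom wordlist
ffuf -w /path/to/wordlist.txt -u http://TARGET_URL/FUZZ

# With extensions
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -e .php,.html,.js,.txt

# With specific status codes (-mc = match codes)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -mc 200,204,301,302,307,401,403

# With threads
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -t 50

# With delay (-p takes seconds; -d is the POST body)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -p 1

# With cookies
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -b "PHPSESSID=abc123"

# With headers
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -H "User-Agent: CustomAgent"

# With proxy (-x; -p is the delay)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -x http://127.0.0.1:8080

# With authentication (ffuf has no credentials option and -u is the URL; send the Basic header)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -H "Authorization: Basic $(printf '%s' 'admin:password' | base64)"
```

### Advanced FFuF Options

```bash
# Recursive directory enumeration (the URL must end in FUZZ)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -recursion

# With specific status codes to ignore (-fc filters codes; -fs filters response size)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -fc 404,500

# With custom user agent (set it as a header; there is no -a option)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -H "User-Agent: Mozilla/5.0"

# With follow redirects
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -r

# With timeout (seconds; -t is the thread count)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -timeout 10

# With output file
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -o results.txt

# With quiet mode (-s = silent)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -s

# With verbose mode
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -v
```

## Wfuzz

### Basic Directory Brute Force

```bash
# Basic directory enumeration
wfuzz -w /usr/share/wordlists/dirb/common.txt http://TARGET_URL/FUZZ

# With custom wordlist
wfuzz -w /path/to/wordlist.txt http://TARGET_URL/FUZZ

# With extensions (a list payload separates items with '-' and fills the second placeholder, FUZ2Z)
wfuzz -w /usr/share/wordlists/dirb/common.txt -z list,.php-.html-.js-.txt http://TARGET_URL/FUZZFUZ2Z

# With specific status codes
wfuzz -w /usr/share/wordlists/dirb/common.txt --sc 200,204,301,302,307,401,403 http://TARGET_URL/FUZZ

# With threads
wfuzz -w /usr/share/wordlists/dirb/common.txt -t 50 http://TARGET_URL/FUZZ

# With delay (-s takes seconds; -d is the POST body)
wfuzz -w /usr/share/wordlists/dirb/common.txt -s 1 http://TARGET_URL/FUZZ

# With cookies
wfuzz -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123" http://TARGET_URL/FUZZ

# With headers
wfuzz -w /usr/share/wordlists/dirb/common.txt -H "User-Agent: CustomAgent" http://TARGET_URL/FUZZ

# With proxy
wfuzz -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:8080 http://TARGET_URL/FUZZ

# With authentication (--basic; -u is the URL option)
wfuzz -w /usr/share/wordlists/dirb/common.txt --basic admin:password http://TARGET_URL/FUZZ
```

## Custom Scripts

### Python Directory Brute Force

```python
import queue
import sys
import threading
import time

import requests


def directory_brute_force(url, wordlist, threads=10, delay=0, wordlist_file=None):
    """Request url/<path> for every path in a wordlist and print the interesting responses.

    url           -- base URL of the in-scope target
    wordlist      -- queue.Queue the worker threads take paths from
    threads       -- number of worker threads
    delay         -- seconds each worker sleeps after a request
    wordlist_file -- file with one path per line, loaded into the queue;
                     when None, only paths already in the queue are used
    """
    base = url.rstrip('/')

    def worker():
        while True:
            path = wordlist.get()
            try:
                if path is None:  # sentinel: no more work
                    return
                full_url = base + '/' + path
                # requests follows redirects by default, which would hide every
                # 301/302 behind the status code of the final response.
                response = requests.get(full_url, timeout=10, allow_redirects=False)
                code = response.status_code
                if code in (301, 302):
                    print(f"[{code}] {full_url} -> {response.headers.get('Location', 'N/A')}")
                elif code in (200, 401, 403):
                    print(f"[{code}] {full_url}")
                time.sleep(delay)
            except requests.RequestException as e:
                # Report network errors instead of silently dropping the path
                print(f"[ERR] {full_url}: {e}", file=sys.stderr)
            finally:
                wordlist.task_done()

    # Start threads
    workers = []
    for _ in range(threads):
        t = threading.Thread(target=worker, daemon=True)
        t.start()
        workers.append(t)

    # Add paths to queue (skip blank lines and '#' comment headers)
    if wordlist_file is not None:
        with open(wordlist_file, 'r', errors='replace') as f:
            for line in f:
                path = line.strip()
                if path and not path.startswith('#'):
                    wordlist.put(path)

    # Wait for completion
    wordlist.join()

    # Stop the workers
    for _ in workers:
        wordlist.put(None)
    for t in workers:
        t.join()


# Usage
url = "http://TARGET_URL"
wordlist_file = "/usr/share/wordlists/dirb/common.txt"
wordlist = queue.Queue()
directory_brute_force(url, wordlist, threads=20, delay=0.1, wordlist_file=wordlist_file)
```

### Bash Directory Brute Force

```bash
#!/bin/bash
set -u

TARGET_URL="http://TARGET_URL"
WORDLIST="/usr/share/wordlists/dirb/common.txt"
THREADS=10

# Function to check directory
check_directory() {
  local path=$1
  local full_url="${TARGET_URL%/}/${path}"
  local response
  # --max-time keeps one stalled connection from holding a job slot indefinitely
  response=$(curl -s -o /dev/null --max-time 10 -w "%{http_code}" "$full_url")
  case "$response" in
    200) echo "[200] $full_url" ;;
    301|302) echo "[$response] $full_url" ;;
    403) echo "[403] $full_url" ;;
    401) echo "[401] $full_url" ;;
  esac
}

# Export function for parallel
export -f check_directory
export TARGET_URL

# Run parallel directory check
parallel -j "$THREADS" check_directory {} < "$WORDLIST"
```

## Wordlists

### Common Wordlists

```text
# Dirb wordlists
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirb/small.txt
/usr/share/wordlists/dirb/extensions_common.txt

# SecLists wordlists
/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt

# Custom wordlists
/usr/share/wordlists/custom/web-directories.txt
/usr/share/wordlists/custom/api-endpoints.txt
/usr/share/wordlists/custom/admin-panels.txt
```

### Creating Custom Wordlists

```bash
# Extract directories from robots.txt
curl -s http://TARGET_URL/robots.txt | grep -E '^Disallow:' | cut -d' ' -f2 | sed 's/^\///' > custom_wordlist.txt

# Extract directories from sitemap.xml (append, so the robots.txt entries are kept)
curl -s http://TARGET_URL/sitemap.xml | grep -oP '<loc>\K[^<]*' | sed -E 's|^https?://[^/]*/||' >> custom_wordlist.txt

# Combine multiple wordlists
cat wordlist1.txt wordlist2.txt wordlist3.txt | sort -u > combined_wordlist.txt

# Remove empty lines and duplicates
grep -v '^$' wordlist.txt | sort -u > clean_wordlist.txt
```

## Best Practices

### Rate Limiting

```bash
# Add delay between requests
gobuster dir -u http://TARGET_URL -w wordlist.txt --delay 1s

# Use fewer threads
gobuster dir -u http://TARGET_URL -w wordlist.txt -t 10

# Use a proxy (--proxy takes a single proxy; gobuster does not rotate between several)
gobuster dir -u http://TARGET_URL -w wordlist.txt --proxy http://proxy1:8080
```

### Stealth Mode

```bash
# Use random user agents
gobuster dir -u http://TARGET_URL -w wordlist.txt -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Use realistic delays
gobuster dir -u http://TARGET_URL -w wordlist.txt --delay 2s

# Use smaller wordlists
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/small.txt
```

### Output Analysis

```bash
# Save results to file
gobuster dir -u http://TARGET_URL -w wordlist.txt -o results.txt

# Filter by status code
# (match the status field; a bare "200" also matches sizes and paths that contain 200)
grep "Status: 200" results.txt
grep "Status: 403" results.txt
grep -E "Status: (301|302)" results.txt

# Sort by response size
# (assumes gobuster 3.x lines such as "/admin (Status: 301) [Size: 312]", where the size is field 5)
sort -k5,5n results.txt
```

## Troubleshooting

### Common Issues

```bash
# Connection timeout: lower the thread count (-t), or raise the per-request timeout (--timeout)
gobuster dir -u http://TARGET_URL -w wordlist.txt -t 5
gobuster dir -u http://TARGET_URL -w wordlist.txt --timeout 30s

# Too many requests
gobuster dir -u http://TARGET_URL -w wordlist.txt --delay 2s

# Invalid SSL certificate
# -k turns certificate validation off, so the server's identity is no longer checked;
# keep it to lab hosts with self-signed certificates
gobuster dir -u https://TARGET_URL -w wordlist.txt -k

# Authentication required
gobuster dir -u http://TARGET_URL -w wordlist.txt -U admin -P password
```

### Performance Optimization

```bash
# Use appropriate thread count
gobuster dir -u http://TARGET_URL -w wordlist.txt -t 20

# Use smaller wordlists for initial scan
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/small.txt

# Use specific extensions
gobuster dir -u http://TARGET_URL -w wordlist.txt -x php,html,js
```

## Legal and Ethical Considerations

- Always obtain proper authorization before testing
- Respect rate limits and server resources
- Use appropriate wordlists for the target
- Document findings properly
- Follow responsible disclosure practices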