Directory Brute Force Tools
Comprehensive collection of directory and file brute force tools for web application security testing.
Gobuster
Basic Directory Brute Force
# Basic directory enumeration
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt
# With custom wordlist
gobuster dir -u http://TARGET_URL -w /path/to/wordlist.txt
# With extensions
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -x php,html,js,txt
# With specific status codes (clear the default 404 blacklist with -b "" so that -s takes effect)
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -s 200,204,301,302,307,401,403 -b ""
# With threads
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -t 50
# With delay (--delay; in dir mode -d means --discover-backup)
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt --delay 1s
# With cookies
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -c "PHPSESSID=abc123"
# With headers
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -H "User-Agent: CustomAgent"
# With proxy (--proxy; -p is the pattern file)
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt --proxy http://127.0.0.1:8080
# With authentication
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -U admin -P password
Advanced Gobuster Options
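# Recursive directory enumeration: gobuster has no recursive mode (-r follows redirects),
# so run it again against each directory found (FOUND_DIR is a placeholder)
gobuster dir -u http://TARGET_URL/FOUND_DIR/ -w /usr/share/wordlists/dirb/common.txt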
# With specific status codes to ignore
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -b 404,500
# With custom user agent
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -a "Mozilla/5.0"
# With follow redirects
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -r
# With timeout (--timeout; -t is the thread count)
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt --timeout 10s
# With output file
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -o results.txt
# With quiet mode
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -q
# With verbose mode
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/common.txt -v
Dirb
Basic Directory Brute Force
# Basic directory enumeration
dirb http://TARGET_URL
# With custom wordlist
dirb http://TARGET_URL /path/to/wordlist.txt
# With extensions
dirb http://TARGET_URL -X .php,.html,.js,.txt
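# With specific status codes (dirb has no such option and -S is silent mode, so filter the output)
dirb http://TARGET_URL | grep -E 'CODE:(200|204|301|302|307|401|403)'
# With threads: dirb is single-threaded and has no thread option
# With delay (-z, in milliseconds)
dirb http://TARGET_URL -z 1000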
# With cookies
dirb http://TARGET_URL -c "PHPSESSID=abc123"
# With headers
dirb http://TARGET_URL -H "User-Agent: CustomAgent"
# With proxy
dirb http://TARGET_URL -p http://127.0.0.1:8080
# With authentication
dirb http://TARGET_URL -u admin:password
Advanced Dirb Options
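# Recursive directory enumeration (dirb recurses by default; -R asks before entering each directory)
dirb http://TARGET_URL -R
# Without recursion
dirb http://TARGET_URL -r
# With a status code to ignore (-N takes a single code; -b means "use path as is")
dirb http://TARGET_URL -N 500
# With custom user agent
dirb http://TARGET_URL -a "Mozilla/5.0"
# With redirects: dirb does not follow them; -l prints the Location header
dirb http://TARGET_URL -l
# With timeout: dirb has no timeout option (-t means "don't force an ending '/' on URLs")
# With output file
dirb http://TARGET_URL -o results.txt
# With silent mode (-S: do not show tested words)
dirb http://TARGET_URL -S
# With NOT_FOUND pages shown as well (-v)
dirb http://TARGET_URL -v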
Dirbuster
GUI-based Directory Brute Force
# Launch Dirbuster
dirbuster
# Command line usage
java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -u http://TARGET_URL -l /usr/share/wordlists/dirb/common.txt
# With extensions
java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -u http://TARGET_URL -l /usr/share/wordlists/dirb/common.txt -e php,html,js,txt
# With threads
java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -u http://TARGET_URL -l /usr/share/wordlists/dirb/common.txt -t 50
# Headless mode, without the GUI (-H takes no argument)
java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -u http://TARGET_URL -l /usr/share/wordlists/dirb/common.txt
# Delay, cookies, custom headers, proxy and authentication have no command-line switches;
# set them in the GUI under Options > Advanced Options
FFuF (Fuzz Faster U Fool)
Basic Directory Brute Force
# Basic directory enumeration
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ
# With custom wordlist
ffuf -w /path/to/wordlist.txt -u http://TARGET_URL/FUZZ
# With extensions
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -e .php,.html,.js,.txt
# With specific status codes (-mc matches status codes)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -mc 200,204,301,302,307,401,403
# With threads
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -t 50
# With delay (-p, in seconds; -d is the POST body)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -p 1
# With cookies
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -b "PHPSESSID=abc123"
# With headers
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -H "User-Agent: CustomAgent"
# With proxy (-x)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -x http://127.0.0.1:8080
# With authentication (ffuf has no basic-auth flag; send the header directly)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -H "Authorization: Basic $(printf 'admin:password' | base64)"
Advanced FFuF Options
# Recursive directory enumeration
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -recursion
# With specific status codes to ignore (-fc filters status codes; -fs filters response sizes)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -fc 404,500
# With custom user agent (set through a header; ffuf has no -a flag)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -H "User-Agent: Mozilla/5.0"
# With follow redirects
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -r
# With timeout (-timeout, in seconds; -t is the thread count)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -timeout 10
# With output file
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -o results.txt
# With silent mode (-s)
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -s
# With verbose mode
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://TARGET_URL/FUZZ -v
Wfuzz
Basic Directory Brute Force
# Basic directory enumeration
wfuzz -w /usr/share/wordlists/dirb/common.txt http://TARGET_URL/FUZZ
# With custom wordlist
wfuzz -w /path/to/wordlist.txt http://TARGET_URL/FUZZ
# With extensions (second payload goes in FUZ2Z; list values are separated by "-")
wfuzz -w /usr/share/wordlists/dirb/common.txt -z list,.php-.html-.js-.txt http://TARGET_URL/FUZZFUZ2Z
# With specific status codes
wfuzz -w /usr/share/wordlists/dirb/common.txt --sc 200,204,301,302,307,401,403 http://TARGET_URL/FUZZ
# With threads
wfuzz -w /usr/share/wordlists/dirb/common.txt -t 50 http://TARGET_URL/FUZZ
# With delay (-s, in seconds; -d is the POST body)
wfuzz -w /usr/share/wordlists/dirb/common.txt -s 1 http://TARGET_URL/FUZZ
# With cookies
wfuzz -w /usr/share/wordlists/dirb/common.txt -b "PHPSESSID=abc123" http://TARGET_URL/FUZZ
# With headers
wfuzz -w /usr/share/wordlists/dirb/common.txt -H "User-Agent: CustomAgent" http://TARGET_URL/FUZZ
# With proxy
wfuzz -w /usr/share/wordlists/dirb/common.txt -p 127.0.0.1:8080 http://TARGET_URL/FUZZ
# With authentication (--basic user:pass)
wfuzz -w /usr/share/wordlists/dirb/common.txt --basic admin:password http://TARGET_URL/FUZZ
Custom Scripts
Python Directory Brute Force
import queue
import threading
import time

import requests


def directory_brute_force(url, wordlist_file, threads=10, delay=0):
    paths = queue.Queue()

    def worker():
        while True:
            path = paths.get()
            try:
                if path is None:  # sentinel: no more work for this thread
                    break
                full_url = url.rstrip('/') + '/' + path.lstrip('/')
                # Do not follow redirects, otherwise 301/302 are never reported
                response = requests.get(full_url, timeout=10, allow_redirects=False)
                if response.status_code in (301, 302):
                    print(f"[{response.status_code}] {full_url} -> {response.headers.get('Location', 'N/A')}")
                elif response.status_code in (200, 401, 403):
                    print(f"[{response.status_code}] {full_url}")
                time.sleep(delay)
            except requests.RequestException as e:
                # Report connection errors instead of silently dropping the path
                print(f"[ERR] {full_url}: {e}")
            finally:
                paths.task_done()

    # Start threads
    workers = [threading.Thread(target=worker, daemon=True) for _ in range(threads)]
    for t in workers:
        t.start()

    # Add paths to queue, skipping blank lines
    with open(wordlist_file, 'r', errors='ignore') as f:
        for line in f:
            if line.strip():
                paths.put(line.strip())

    # One sentinel per worker so that every thread exits
    for _ in workers:
        paths.put(None)

    # Wait for completion
    paths.join()


# Usage
url = "http://TARGET_URL"
wordlist_file = "/usr/share/wordlists/dirb/common.txt"
directory_brute_force(url, wordlist_file, threads=20, delay=0.1)
Bash Directory Brute Force
#!/bin/bash
# Requires GNU parallel
TARGET_URL="http://TARGET_URL"
WORDLIST="/usr/share/wordlists/dirb/common.txt"
THREADS=10

# Function to check directory
check_directory() {
    local path="$1"
    local full_url="${TARGET_URL}/${path}"
    local response
    response=$(curl -s -o /dev/null -w "%{http_code}" "$full_url")
    case "$response" in
        200) echo "[200] $full_url" ;;
        301|302) echo "[$response] $full_url" ;;
        403) echo "[403] $full_url" ;;
        401) echo "[401] $full_url" ;;
    esac
}

# Export function for parallel
export -f check_directory
export TARGET_URL

# Run parallel directory check
parallel -j "$THREADS" check_directory {} < "$WORDLIST"
Wordlists
Common Wordlists
# Dirb wordlists
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirb/small.txt
/usr/share/wordlists/dirb/extensions_common.txt
# SecLists wordlists
/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
# Custom wordlists
/usr/share/wordlists/custom/web-directories.txt
/usr/share/wordlists/custom/api-endpoints.txt
/usr/share/wordlists/custom/admin-panels.txt
Creating Custom Wordlists
# Extract directories from robots.txt
curl -s http://TARGET_URL/robots.txt | tr -d '\r' | grep -E '^Disallow:' | cut -d' ' -f2 | sed 's/^\///' > custom_wordlist.txt
# Extract directories from sitemap.xml (appends, so the robots.txt entries are kept)
curl -s http://TARGET_URL/sitemap.xml | grep -oP '<loc>\K[^<]*' | sed -E 's|^https?://[^/]*/||' >> custom_wordlist.txt
# Combine multiple wordlists
cat wordlist1.txt wordlist2.txt wordlist3.txt | sort -u > combined_wordlist.txt
# Remove empty lines and duplicates
grep -v '^$' wordlist.txt | sort -u > clean_wordlist.txt
Best Practices
Rate Limiting
# Add delay between requests
gobuster dir -u http://TARGET_URL -w wordlist.txt --delay 1s
# Use fewer threads
gobuster dir -u http://TARGET_URL -w wordlist.txt -t 10
# Route requests through a proxy
gobuster dir -u http://TARGET_URL -w wordlist.txt --proxy http://proxy1:8080
Stealth Mode
# Use random user agents
gobuster dir -u http://TARGET_URL -w wordlist.txt -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# Use realistic delays
gobuster dir -u http://TARGET_URL -w wordlist.txt --delay 2s
# Use smaller wordlists
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/small.txt
Output Analysis
# Save results to file
gobuster dir -u http://TARGET_URL -w wordlist.txt -o results.txt
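# Filter by status code (match the status field, not any "200" in a size or path)
grep "Status: 200" results.txt
grep "Status: 403" results.txt
grep -E "Status: 30[12]" results.txt
# Sort by response size (5th field, assuming gobuster's "/path (Status: 200) [Size: 1234]" line format)
sort -k5,5n results.txt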
Troubleshooting
Common Issues
# Connection timeout: lower the thread count (-t) or raise the HTTP timeout (--timeout)
gobuster dir -u http://TARGET_URL -w wordlist.txt -t 5
# Too many requests
gobuster dir -u http://TARGET_URL -w wordlist.txt --delay 2s
# Invalid SSL certificate
gobuster dir -u https://TARGET_URL -w wordlist.txt -k
# Authentication required
gobuster dir -u http://TARGET_URL -w wordlist.txt -U admin -P password
Performance Optimization
# Use appropriate thread count
gobuster dir -u http://TARGET_URL -w wordlist.txt -t 20
# Use smaller wordlists for initial scan
gobuster dir -u http://TARGET_URL -w /usr/share/wordlists/dirb/small.txt
# Use specific extensions
gobuster dir -u http://TARGET_URL -w wordlist.txt -x php,html,js
Legal and Ethical Considerations
- Always obtain proper authorization before testing
- Respect rate limits and server resources
- Use appropriate wordlists for the target
- Document findings properly
- Follow responsible disclosure practices
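
On the receiving side, the tools above all leave the same trace in a web server's access log: one client requesting many distinct paths within a short window, most of them answered 404, whatever User-Agent is sent. The detector below is an added example, not part of the original page; the log lines are constructed, and the name find_enumeration and its thresholds (60-second window, 5 distinct paths, 80% misses) are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in "combined" format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /config.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "GET /login HTTP/1.1" 301 178 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "GET /test HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:11 +0000] "GET /uploads HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:00:03 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "/" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

def find_enumeration(log_text, window=timedelta(seconds=60), min_paths=5, min_miss_ratio=0.8):
    """Map client IP -> (distinct paths, 404 ratio) for its widest qualifying window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        events[ip].append((when, path.split("?")[0], int(status)))
    flagged = {}
    for ip, seen in events.items():
        seen.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(seen)):
            # slide the window start forward so the span never exceeds `window`
            while seen[end][0] - seen[start][0] > window:
                start += 1
            span = seen[start:end + 1]
            paths = {p for _, p, _ in span}
            ratio = sum(s == 404 for _, _, s in span) / len(span)
            if len(paths) >= min_paths and ratio >= min_miss_ratio:
                if len(paths) > flagged.get(ip, (0, 0.0))[0]:
                    flagged[ip] = (len(paths), round(ratio, 2))
    return flagged
```

Because the check keys on distinct paths and miss ratio per source address, a longer window is needed to catch scans run with large per-request delays.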