What is DirBuster?
DirBuster is a file/directory penetration testing tool with a Graphic User Interface (GUI) that is used to brute force directories and file names on web application servers.
DirBuster is written in Java and programmed by the members of the OWASP community.
DirBuster is pre-installed into Kali Linux, so as long as you have your Kali system set up, you should be good to go.
How to Use DirBuster?
Step 1 Run DirBuster
Let's start by opening Kali and then opening DirBuster. We can find DirBuster at Applications -> Kali Linux -> Web Applications -> Web Crawlers -> dirbuster.
Step 2 Set Target
The first step is to type in the name of the website we want to scan. Let's go back to our friends at SANS, one of the world's leading IT security training and consulting firms. Simply type in the URL of the site you want to scan and the port number (usually 80 for HTTP and 443 for HTTPS). In this case, we will scan port 80.
Step 3 Choose the word list
Go to /usr/share/wordlists/dirbuster (root > usr > share > wordlists > dirbuster in the file chooser), then choose one of the wordlists.
Step 4 Start!
In the final step, we simply click on the "Start" button. When we do so, DirBuster will start generating GET requests and sending them to our selected URL, one request for each file and directory entry in our wordlist.
Once the scan starts you will see the following tabs:
1- Scan Information
2- Results list view: contains found directories and files in the list.
3- Results Tree view: contains found directories and files in the tree view.
DirBuster Options
Work Method
The default "Auto Switch" mode is probably best for the majority of cases. DirBuster will first try to see if it can get sensible results from HEAD requests, the reason being that the responses will be smaller. Even though it makes a GET request on 200 responses, this will save time when the 404 message (or equivalent) is relatively large.
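From the defender's side, the request pattern described above (one request per wordlist entry, mostly HEAD, a GET only after a 200, and therefore a very high 404 ratio from a single client) is what a directory brute force looks like in an access log. The following is an added example, not code from the article or from the DirBuster project: it builds a small constructed combined-format log and flags clients whose traffic matches that pattern. The IP addresses, paths and User-Agent string are constructed; treating a User-Agent containing "DirBuster" as a signal assumes the tool's default (configurable) User-Agent was left unchanged.

```python
import re
from collections import defaultdict

# Combined log format (Apache/nginx). All sample lines are constructed below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def _line(ip, method, path, status, ua="Mozilla/5.0"):
    """Build one constructed combined-format access log line."""
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

SCANNER, USER = "198.51.100.7", "203.0.113.5"          # constructed addresses
GUESSES = ["/admin/", "/backup/", "/config/", "/images/", "/old/", "/uploads/"] \
    + [f"/dir{i}/" for i in range(16)]                   # 22 wordlist entries
REAL_DIRS = {"/images/", "/uploads/"}                    # the two that actually exist
SCAN_UA = "DirBuster-1.0-RC1 (constructed sample)"       # assumption: default tool UA unchanged

SAMPLE_LOG = []
for path in GUESSES:                                     # one HEAD per wordlist entry ("Auto Switch")
    hit = path in REAL_DIRS
    SAMPLE_LOG.append(_line(SCANNER, "HEAD", path, 200 if hit else 404, SCAN_UA))
    if hit:                                              # a GET follows only on a 200 HEAD
        SAMPLE_LOG.append(_line(SCANNER, "GET", path, 200, SCAN_UA))
for path in ["/", "/images/logo.png", "/about", "/contact", "/favicon.ico"]:
    SAMPLE_LOG.append(_line(USER, "GET", path, 200))     # ordinary browsing, for contrast

def flag_brute_force(lines, min_requests=20, not_found_ratio=0.8):
    """Return {ip: stats} for clients whose traffic looks like a wordlist scan."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "head": 0, "tool_ua": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                     # skip lines that are not combined format
        s = stats[m["ip"]]
        s["total"] += 1
        s["not_found"] += int(m["status"] == "404")
        s["head"] += int(m["method"] == "HEAD")
        s["tool_ua"] |= "dirbuster" in m["ua"].lower()
    flagged = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["total"]
        if s["total"] >= min_requests and ratio >= not_found_ratio:
            flagged[ip] = {**s, "not_found_ratio": round(ratio, 2),
                           "head_share": round(s["head"] / s["total"], 2)}
    return flagged

if __name__ == "__main__":
    for ip, s in flag_brute_force(SAMPLE_LOG).items():
        print(ip, s)
```

On the constructed log only the scanner address is flagged (24 requests, 20 of them 404s, over 90% HEAD); the thresholds are starting points to tune against a site's normal 404 rate.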
Number Of Threads
Running DirBuster with a high number of threads can slow down the target server, which may not go down too well if you're testing a live site. You'll probably find the default (10) to be a little over-enthusiastic.
Dictionary
Assuming you opt for "List based brute force" you'll now need to choose a dictionary, and for this, you need to know whether or not your directories are case sensitive. Although you can often guess this from the server in use, e.g. IIS isn't case sensitive, it's always best to check.
Starting options
The "Standard start point" will assume directories end with / and files end with whatever you configure underneath. The "URL Fuzz" option allows you to insert the dictionary entries into the URL in a non-standard way.
The remaining options are self-explanatory, but there are still a few things to consider. Obviously, the more options you tick the longer the scan will take, so look first at the style of URL the website uses.
If you enable the "Be Recursive" option, remember that DirBuster's multi-threaded approach means that all those queues of work will be competing for a limited set of Workers.
Thank you for reading my article
And if you like it give me a follow.
Author
@arth_kumar11