feroxbuster - new forced browsing/directory busting tool

Good morning all!

I recently released my new project, feroxbuster!

feroxbuster is a forced browsing tool akin to gobuster/ffuf. It's written in Rust using async/await for concurrency. Notable differences are SOCKS support, works in a command pipeline (targets in, discovered files/folders out), has recursion and auto-filtered wildcards turned on by default, and is incredibly configurable (global, per-user, per-target).

Builds are available for linux, mac, and windows. There's also a .deb installer with a .rpm in the works. Pre-built binaries are available on the releases page of the repo.

I'm looking forward to any/all feedback you may have, enjoy!

https://github.com/epi052/feroxbuster

«1

Comments

  • Looks interesting, how fast does it run?

    LMAY75
    Always happy to help, DM me if you need anything!
    Link to Profile

  • If you set the concurrency level equal across gobuster/ffuf/feroxbuster, they're all roughly equivalent.

    In short, it's fast, lol.

  • Type your comment> @epi said:

    If you set the concurrency level equal across gobuster/ffuf/feroxbuster, they're all roughly equivalent.

    In short, it's fast, lol.

    Cool cool. In all honesty, I still use dirbuster *gasp* yea yea i know its slow asf but the file tree display is really convenient and clicking the files opens a browser page to them. I know I should switch to something that actually works faster than a turtle but I never have. Might give this project a shot, seems really nice. If you were to include a file tree like dirbuster I would absolutely switch and never look back :lol:

    LMAY75
    Always happy to help, DM me if you need anything!
    Link to Profile

  • haha, no shame in using dirbuster, that was the first tool i used for this type of scan!

    I don't have any plans for a file tree at the moment. However, in all the terminals I use, you can click the URL and it'll open a browser pointing directly at that page.

    Also, if you use the -o|--output option, the final output is sorted by directory, so that may be an option that fits your workflow as well. It's not visually a tree, but is still structured.

  • @epi said:
    haha, no shame in using dirbuster, that was the first tool i used for this type of scan!

    I don't have any plans for a file tree at the moment. However, in all the terminals I use, you can click the URL and it'll open a browser pointing directly at that page.

    Also, if you use the -o|--output option, the final output is sorted by directory, so that may be an option that fits your workflow as well. It's not visually a tree, but is still structured.

    Oh sick yea I'll check this out

    LMAY75
    Always happy to help, DM me if you need anything!
    Link to Profile

  • edited October 7

    Just installed, will test out on Reel2 after I finish the box I'm on
    Looks good so far

    LMAY75
    Always happy to help, DM me if you need anything!
    Link to Profile

  • Awesome! I'd love to hear what you think once you give it a try
  • Type your comment> @epi said:

    Good morning all!

    I recently released my new project, feroxbuster!

    feroxbuster is a forced browsing tool akin to gobuster/ffuf. It's written in Rust using async/await for concurrency. Notable differences are SOCKS support, works in a command pipeline (targets in, discovered files/folders out), has recursion and auto-filtered wildcards turned on by default, and is incredibly configurable (global, per-user, per-target).

    Builds are available for linux, mac, and windows. There's also a .deb installer with a .rpm in the works. Pre-built binaries are available on the releases page of the repo.

    I'm looking forward to any/all feedback you may have, enjoy!

    https://github.com/epi052/feroxbuster

    Installed and up and running (super easy and nice instructions on your site) :)
    It's super fast mate, very cool and i like the interface of collating your results at the bottom.

    Haven't tried file types yet (will soon)
    Was going to suggest support for SSL but you had already covered that with the -k switch :)

    Always happy to help others. 100% human

    https://www.mindfueldaily.com/livewell/thank-you/

  • Currently at school so I won't be able to try it out right now, but from first impressions from the GitHub repository, it looks absolutely AMAZING! The output is also super fancy :P I'll let you know more when I come home.

  • Thank you both!

    @acidbat said:
    Was going to suggest support for SSL but you had already covered that with the -k switch :)

    By default it will reject insecure connections. The -k|--insecure option is there for when you want to suppress that behavior. This should feel very similar to gobuster/curl/etc...

    I tried to keep the options/args as close to what other popular tools already used, for familiarity.

    Thanks again for taking the time to check it out!

  • edited October 8
    Great gonna check it out. Always on the lookout for some speed advantage and gobusters disability to deal with recursion and extensions properly forced me to juggle with different programs, lists and extensions. Yeah I know there's -x in gobuster but it failed me quite often, I think when the wordlist already had extensions and when using multiple extensions like .tar.gz

    Hack The Box

  • Type your comment> @sparkla said:

    ... gobusters disability to deal with recursion and extensions properly forced me to juggle with different programs, lists and extensions. ...

    I'm not certain you won't run into the same problem here. However, if you do, open up an issue describing what currently happens and what you'd like to happen instead. We can discuss whether adjusting the tool's behavior makes sense or not. Thank you!

  • Hey man, first time checking out your great tool tonight, but I get a ton of errors:

    ERR 4.010 Error while making request: error sending request for url (https://europacorp.htb/144941): error trying to connect: dns error: No file descriptors available (os error 24)

    Maybe related:
    https://github.com/nodejs/node/issues/27604

    Would be great if you could take a look for a quick fix, maybe just suppress that message, idk.

    Looking forward to make this my go-to buster :)

    Hack The Box

  • Type your comment> @sparkla said:

    Hey man, first time checking out your great tool tonight, but I get a ton of errors:

    ERR 4.010 Error while making request: error sending request for url (https://europacorp.htb/144941): error trying to connect: dns error: No file descriptors available (os error 24)

    Maybe related:
    https://github.com/nodejs/node/issues/27604

    Would be great if you could take a look for a quick fix, maybe just suppress that message, idk.

    Looking forward to make this my go-to buster :)

    Thanks for checking it out! Can you try rescanning with a lower concurrency level and see if you get the same error? Also, what kind of box are you using to scan?

    ./feroxbuster -t 25 ...

  • Also, @sparkla can you run the following command and paste the results?

    ulimit -a
    
  • What limit value are looking for? Should be all Kali default, not at a PC atm.

    I did some tests, it works ok till 30 threads but then it's slow.. using no -t switch (default) gives me errors all over the place.

    Hack The Box

  • Im wondering if your limit on open files is low. I can look later once I'm home what kali uses
  • epiepi
    edited October 17

    yea, on my kali install, i see the following

    ulimit -n 
    ---------
    1024
    

    I'd recommend upping the limit for open files to w/e you're comfortable with given your specs by adding the entry below.

    /etc/security/limits.conf
    -------------------------
    ...
    *               soft    nofile            8192
    ...
    
  • I looked it up in the meantime, I solved this now by setting the filedescriptor limit dynamically via a bash script to something like 100.000 - system resources are the only thing that's plenty here.

    It seems like some finetuning is necessary when using feroxbuster, I kinda tweaked my system for 5 or 10% more performance many times before, so no problem with that.But I think it would be great if feroxbuster just told us what to do / what the issue is, instead of outputting the same rather unclear error message 1000 times.

    I also found a few more things, I hope you can take a look at:
    1.) Many wordlists contain a long comment section, usually starting with a # like this:

    directory-list-blahblah created by master xenon the allmighty..

    ...

    and ferox tries to bust these lines. Most other busters ignore them

    2.) It would be great if there where built-in extensions and / or if we could pass a list of extensions (file). Seclists has an extension list I think, I used it before, not sure if I created it myself or if it's in there by default.

    3.) Finding the right thread count is a matter of finetuning, going above 100 I found it goes slower again. I'm aware it depends on the webserver but I wonder if feroxbuster could run a quick test to find the optimum performance.

    Again, awesome new tool, my new standard. Thanks mate.

    Hack The Box

  • epiepi
    edited October 17

    @sparkla

    a quick answer to #2:

    You can use the ferox-config.toml to specify a default set of extensions, if that's your preference.

    ~/.config/feroxbuster/ferox-config.toml
    ---------------------------------------
    
    extensions = ["php", "html", "js"]
    

    I understand it's not exactly what you asked for, but it might be good enough for now.

    Also, if you want different default extensions based on what you're scanning, you can drop a config file in a directory and scan from there for it to take effect. ferox-config.toml docs

    ~/targets/linux-targets/ferox-config.toml
    ---------------------------------------------
    
    extensions = ["php", "html", "js"]
    
    ~/targets/windows-targets/ferox-config.toml
    -----------------------------------------------
    
    extensions = ["asp", "aspx"]
    

    number 1 is a quick fix, I'll add an issue today/tomorrow to track it.

    I'm considering adding an issue that sets the open file limit on the user's behalf if it's too low.

    number 3 would require some tinkering, but i'll add it and see what it would take to accomplish.

    Thanks for your feedback, i really appreciate it!

  • number 1 is fixed, just need to upload new build version

  • Wow that was fast :D Great, thanks man.

    You seem do have dealt a lot with dirbusting, I waste so much time there sometimes, trying to figure the right wordlist / extension combo. After busting like 24h on the same box again, I thought like "why now make an uber wordlist that contains it all"? I think it wouldn't be much longer than dir-2.3-big, that's one of the longest and last time I checked these wordlists have quite a few common entries. What's your opinion about this? No I'm not suggesting to build the wordlist into your tool...

    But about ferox again: You mentioned config files, could you imagine to have config files that allow for different rules, lists and extensions for subdirs? Like, map out the subdirs in a first run an then like "in /JavaScript/ only search for .js extension"...

    Hack The Box

  • Type your comment> @sparkla said:

    You seem do have dealt a lot with dirbusting, I waste so much time there sometimes, trying to figure the right wordlist / extension combo. After busting like 24h on the same box again, I thought like "why now make an uber wordlist that contains it all"? I think it wouldn't be much longer than dir-2.3-big, that's one of the longest and last time I checked these wordlists have quite a few common entries. What's your opinion about this? No I'm not suggesting to build the wordlist into your tool...

    I suppose it depends on the target. For bugbounty, I use a relatively small list in addition to crawling and some other strategies. Essentially, I don't solely rely on dir busting, so the time spent using a huge wordlist doesn't really fit with my workflow.

    For a CTF/HTB though, I think grabbing the top 5-10 most common wordlists and cat'ing/uniq'ing them in order to get past the 'guess the wordlist' boxes might be ok.

    Along these lines, I'm currently working on a feature that extracts links from the body of valid responses. You can check it out here if you're interested. It should definitely increase coverage, as your wordlist will find unlinked content while the --extract-links option will find linked content.

    But about ferox again: You mentioned config files, could you imagine to have config files that allow for different rules, lists and extensions for subdirs? Like, map out the subdirs in a first run an then like "in /JavaScript/ only search for .js extension"...

    A friend of mine and I have talked about something very similar, though I see it as more of a companion tool instead of functionality included in feroxbuster.

  • If you guys want to be able to use it from any directory I have found the line of code for that. "sudo cp feroxbuster /usr/local/bin/feroxbuster" ; That will move feroxbust to your bin so you can just put feroxbuster into the command promt and it pop up instead of finding it on your computer.

    Hack The Box

  • epiepi
    edited October 19
    > If you guys want to be able to use it from any directory I have found the line of code for that. "sudo cp feroxbuster /usr/local/bin/feroxbuster" ; That will move feroxbust to your bin so you can just put feroxbuster into the command promt and it pop up instead of finding it on your computer.

    @DancinHype you're correct. In fact, if you use the .deb file and install through apt, that will be handled for you. Additionally, an example config file will get placed in /etc/feroxbuster/

    Install instructions for apt are https://github.com/epi052/feroxbuster/#apt-install
  • Got some new issues, not sure where they suddenly came from:

    ERROR heuristics::connectivity_test Could not connect to any target provided

    and in the output

    ERR 0.048 Error while making request: error sending request for url (http://enterprise.htb/): error trying to connect: dns error: failed to lookup address information: Name does not resolve

    Url is definitely correct and in my / etc / hosts so I don't know what other DNS resolution you have implemented, but I got this error on all machines I tried this morning... may it be cause I run multiple instances of ferox at the same time (different targets)?

    Hope to get some insights, 4 days left till my exam and I really wanted to use this as my secret weapon ;)

    Hack The Box

  • DNS resolution is provided by a library. It's nothing I manage directly. I can hop on and test.

    Can you re run your command with -vvvv -o trace.log and host it somewhere that I can get it?

  • Not gonna lie, it sounds like your environment, and not the tool, just as a heads up 😁

  • No, I'm now getting the filedescriptors error again, even though I increased the limit to the max (~1000000) . Can it be that ferox doesn't close the files? Why does it need to be able to open 1000000 descriptors?

    I have no clue of GO programming, so.. I don't know but I never had that issue before. My box is pretty beefy. Disk space is always rare cause I try to keep the VMs as small as possible but right now that doesn't seem the issue. I bet if I reboot the error will go away.

    Hack The Box

  • Enterprise is up right now, try it out there, please. Ferox is definitely struggeling with slower responses and outputs a lot of errors, maybe that's the root cause. Would be great if there was a switch to prevent that output, also that going into the output file is counter productive. Files get huge quickly, that's also the reason I can't send you the verbose output, it's just a ton of stuff and my disk is full before I reach the part where it starts to error.

    Hack The Box

Sign In to comment.