feroxbuster - new forced browsing/directory busting tool

Good morning all!

I recently released my new project, feroxbuster!

feroxbuster is a forced browsing tool akin to gobuster/ffuf. It's written in Rust using async/await for concurrency. Notable differences are SOCKS support, works in a command pipeline (targets in, discovered files/folders out), has recursion and auto-filtered wildcards turned on by default, and is incredibly configurable (global, per-user, per-target).

Builds are available for linux, mac, and windows. There's also a .deb installer with a .rpm in the works. Pre-built binaries are available on the releases page of the repo.

I'm looking forward to any/all feedback you may have, enjoy!

https://github.com/epi052/feroxbuster

«1

Comments

  • Looks interesting, how fast does it run?

    LMAY75
    Always happy to help, DM me if you need anything!
    Link to Profile

  • If you set the concurrency level equal across gobuster/ffuf/feroxbuster, they're all roughly equivalent.

    In short, it's fast, lol.

  • Type your comment> @epi said:

    If you set the concurrency level equal across gobuster/ffuf/feroxbuster, they're all roughly equivalent.

    In short, it's fast, lol.

    Cool cool. In all honesty, I still use dirbuster *gasp* yea yea i know its slow asf but the file tree display is really convenient and clicking the files opens a browser page to them. I know I should switch to something that actually works faster than a turtle but I never have. Might give this project a shot, seems really nice. If you were to include a file tree like dirbuster I would absolutely switch and never look back :lol:

    LMAY75
    Always happy to help, DM me if you need anything!
    Link to Profile

  • haha, no shame in using dirbuster, that was the first tool i used for this type of scan!

    I don't have any plans for a file tree at the moment. However, in all the terminals I use, you can click the URL and it'll open a browser pointing directly at that page.

    Also, if you use the -o|--output option, the final output is sorted by directory, so that may be an option that fits your workflow as well. It's not visually a tree, but is still structured.

  • @epi said:
    haha, no shame in using dirbuster, that was the first tool i used for this type of scan!

    I don't have any plans for a file tree at the moment. However, in all the terminals I use, you can click the URL and it'll open a browser pointing directly at that page.

    Also, if you use the -o|--output option, the final output is sorted by directory, so that may be an option that fits your workflow as well. It's not visually a tree, but is still structured.

    Oh sick yea I'll check this out

    LMAY75
    Always happy to help, DM me if you need anything!
    Link to Profile

  • edited October 2020

    Just installed, will test out on Reel2 after I finish the box I'm on
    Looks good so far

    LMAY75
    Always happy to help, DM me if you need anything!
    Link to Profile

  • Awesome! I'd love to hear what you think once you give it a try
  • Type your comment> @epi said:

    Good morning all!

    I recently released my new project, feroxbuster!

    feroxbuster is a forced browsing tool akin to gobuster/ffuf. It's written in Rust using async/await for concurrency. Notable differences are SOCKS support, works in a command pipeline (targets in, discovered files/folders out), has recursion and auto-filtered wildcards turned on by default, and is incredibly configurable (global, per-user, per-target).

    Builds are available for linux, mac, and windows. There's also a .deb installer with a .rpm in the works. Pre-built binaries are available on the releases page of the repo.

    I'm looking forward to any/all feedback you may have, enjoy!

    https://github.com/epi052/feroxbuster

    Installed and up and running (super easy and nice instructions on your site) :)
    It's super fast mate, very cool and i like the interface of collating your results at the bottom.

    Haven't tried file types yet (will soon)
    Was going to suggest support for SSL but you had already covered that with the -k switch :)

    Always happy to help others. 100% human

    https://www.mindfueldaily.com/livewell/thank-you/

  • Currently at school so I won't be able to try it out right now, but from first impressions from the GitHub repository, it looks absolutely AMAZING! The output is also super fancy :P I'll let you know more when I come home.

    Feel free to PM me, but please ask good questions: https://www.shorturl.at/fmAX6

  • Thank you both!

    @acidbat said:
    Was going to suggest support for SSL but you had already covered that with the -k switch :)

    By default it will reject insecure connections. The -k|--insecure option is there for when you want to suppress that behavior. This should feel very similar to gobuster/curl/etc...

    I tried to keep the options/args as close to what other popular tools already used, for familiarity.

    Thanks again for taking the time to check it out!

  • Type your comment> @sparkla said:

    ... gobusters disability to deal with recursion and extensions properly forced me to juggle with different programs, lists and extensions. ...

    I'm not certain you won't run into the same problem here. However, if you do, open up an issue describing what currently happens and what you'd like to happen instead. We can discuss whether adjusting the tool's behavior makes sense or not. Thank you!

  • Type your comment> @sparkla said:

    Hey man, first time checking out your great tool tonight, but I get a ton of errors:

    ERR 4.010 Error while making request: error sending request for url (https://europacorp.htb/144941): error trying to connect: dns error: No file descriptors available (os error 24)

    Maybe related:
    https://github.com/nodejs/node/issues/27604

    Would be great if you could take a look for a quick fix, maybe just suppress that message, idk.

    Looking forward to make this my go-to buster :)

    Thanks for checking it out! Can you try rescanning with a lower concurrency level and see if you get the same error? Also, what kind of box are you using to scan?

    ./feroxbuster -t 25 ...

  • Also, @sparkla can you run the following command and paste the results?

    ulimit -a
    
  • Im wondering if your limit on open files is low. I can look later once I'm home what kali uses
  • epiepi
    edited October 2020

    yea, on my kali install, i see the following

    ulimit -n 
    ---------
    1024
    

    I'd recommend upping the limit for open files to w/e you're comfortable with given your specs by adding the entry below.

    /etc/security/limits.conf
    -------------------------
    ...
    *               soft    nofile            8192
    ...
    
  • epiepi
    edited October 2020

    @sparkla

    a quick answer to #2:

    You can use the ferox-config.toml to specify a default set of extensions, if that's your preference.

    ~/.config/feroxbuster/ferox-config.toml
    ---------------------------------------
    
    extensions = ["php", "html", "js"]
    

    I understand it's not exactly what you asked for, but it might be good enough for now.

    Also, if you want different default extensions based on what you're scanning, you can drop a config file in a directory and scan from there for it to take effect. ferox-config.toml docs

    ~/targets/linux-targets/ferox-config.toml
    ---------------------------------------------
    
    extensions = ["php", "html", "js"]
    
    ~/targets/windows-targets/ferox-config.toml
    -----------------------------------------------
    
    extensions = ["asp", "aspx"]
    

    number 1 is a quick fix, I'll add an issue today/tomorrow to track it.

    I'm considering adding an issue that sets the open file limit on the user's behalf if it's too low.

    number 3 would require some tinkering, but i'll add it and see what it would take to accomplish.

    Thanks for your feedback, i really appreciate it!

  • number 1 is fixed, just need to upload new build version

  • Type your comment> @sparkla said:

    You seem do have dealt a lot with dirbusting, I waste so much time there sometimes, trying to figure the right wordlist / extension combo. After busting like 24h on the same box again, I thought like "why now make an uber wordlist that contains it all"? I think it wouldn't be much longer than dir-2.3-big, that's one of the longest and last time I checked these wordlists have quite a few common entries. What's your opinion about this? No I'm not suggesting to build the wordlist into your tool...

    I suppose it depends on the target. For bugbounty, I use a relatively small list in addition to crawling and some other strategies. Essentially, I don't solely rely on dir busting, so the time spent using a huge wordlist doesn't really fit with my workflow.

    For a CTF/HTB though, I think grabbing the top 5-10 most common wordlists and cat'ing/uniq'ing them in order to get past the 'guess the wordlist' boxes might be ok.

    Along these lines, I'm currently working on a feature that extracts links from the body of valid responses. You can check it out here if you're interested. It should definitely increase coverage, as your wordlist will find unlinked content while the --extract-links option will find linked content.

    But about ferox again: You mentioned config files, could you imagine to have config files that allow for different rules, lists and extensions for subdirs? Like, map out the subdirs in a first run an then like "in /JavaScript/ only search for .js extension"...

    A friend of mine and I have talked about something very similar, though I see it as more of a companion tool instead of functionality included in feroxbuster.

  • If you guys want to be able to use it from any directory I have found the line of code for that. "sudo cp feroxbuster /usr/local/bin/feroxbuster" ; That will move feroxbust to your bin so you can just put feroxbuster into the command promt and it pop up instead of finding it on your computer.

    Hack The Box

  • epiepi
    edited October 2020
    > If you guys want to be able to use it from any directory I have found the line of code for that. "sudo cp feroxbuster /usr/local/bin/feroxbuster" ; That will move feroxbust to your bin so you can just put feroxbuster into the command promt and it pop up instead of finding it on your computer.

    @DancinHype you're correct. In fact, if you use the .deb file and install through apt, that will be handled for you. Additionally, an example config file will get placed in /etc/feroxbuster/

    Install instructions for apt are https://github.com/epi052/feroxbuster/#apt-install
  • DNS resolution is provided by a library. It's nothing I manage directly. I can hop on and test.

    Can you re run your command with -vvvv -o trace.log and host it somewhere that I can get it?

  • Not gonna lie, it sounds like your environment, and not the tool, just as a heads up 😁

  • I'll be able to check it out this evening.
  • Sense worked fine:

    ulimit -n 4096
    ./feroxbuster -u https://10.129.24.102 -k -w /usr/share/dirb/wordlists/common.txt
    

    enterprise with /etc/hosts entry worked as well

    ./feroxbuster -u http://enterprise.htb -w /usr/share/dirb/wordlists/common.txt -d 2
    

    Both were scanned with v1.0.5 of feroxbuster using pwnbox

  • edited October 2020

    Coming back to say I really have been enjoying this. Used it on a couple boxes, works like a charm and far superior to other tools.

    Occasionally I'll get errors like mentioned by @sparkla but it seems like you all discovered a fix. Thanks for making this i really love it.

    Edit: One thing I'd like to see added is the ability to hide certain response codes. Currently you can choose a list of ones you would like to show, but for instance if I just wanted to hide 404 it would be nice to have a --hide flag and not have to type out every code I wanted to see.

    LMAY75
    Always happy to help, DM me if you need anything!
    Link to Profile

  • Love the speed of this :)

    Haven't checked out the new version yet but how about subdomain scanning?

    Always happy to help others. 100% human

    https://www.mindfueldaily.com/livewell/thank-you/

  • Type your comment> @sparkla said:

    Found the solution in the meantime - seems we're just going too fast here:

    See top answer:
    https://stackoverflow.com/questions/410616/increasing-the-maximum-number-of-tcp-ip-connections-in-linux

    sudo sysctl net.ipv4.ip_local_port_range="15000 61000"
    sudo sysctl net.ipv4.tcp_fin_timeout=30

    nice find! I hadn't considered increasing ephemeral port range, that's pretty clever. I also like the TIME_WAIT reuse setting as another option. I'm going to add something like an FAQ/Wiki to document some of the OS level things like this that can be tweaked.

  • @LMAY75 said:
    Coming back to say I really have been enjoying this. Used it on a couple boxes, works like a charm and far superior to other tools.

    Glad to hear it!

    Occasionally I'll get errors like mentioned by @sparkla but it seems like you all discovered a fix. Thanks for making this i really love it.

    Edit: One thing I'd like to see added is the ability to hide certain response codes. Currently you can choose a list of ones you would like to show, but for instance if I just wanted to hide 404 it would be nice to have a --hide flag and not have to type out every code I wanted to see.

    Would you mind filing a feature request regarding the status code blacklist?

    https://github.com/epi052/feroxbuster/issues

    I love the fast feedback from this thread, but it's not exactly the best place for me to track issues, lol.

  • @acidbat said:
    Love the speed of this :)

    Thank you!

    Haven't checked out the new version yet but how about subdomain scanning?

    I really don't intend to branch out into other scanning areas. I'd prefer to keep making the busting functionality better rather than split time on a completely separate scanner (even if it's housed in the same tool).

  • edited October 2020

    @epi said:

    Would you mind filing a feature request regarding the status code blacklist?

    Done :)

    LMAY75
    Always happy to help, DM me if you need anything!
    Link to Profile

Sign In to comment.