Directory scanning/busting more effectively

r0j0

Hey folks,

Newbie here. Had a quick question about directory scans/busting. I often find myself getting stuck on machines because my directory scans aren't picking up the directories essential to a foothold. I try and use multiple tools including dirsearch, gubuster, dirbuster, nikto, etc but I still find myself not getting all the essential directories.

Any tips to make scanning directories more effective? Thanks!

svenkali

The lists you use are often more important. The tools don't generally matter that much, although it is wise to try alternates if one doesn't work.

Sometimes you can get results with big lists like the rockyou lists, other times you might need a more specific list. As an example, If you think the box has as its objective a web shell you are supposed to find, using a word list specifically for that might yield quicker/better results.

I tend to also build a word list from the target pages, where practical.

As an additional note, when your fuzzing doesn't find a directory that you later learn about, it can be prudent to check if the directory exists in the list you used. If it does in fact exist, then your tool isn't configured properly (hostname, etc.).

erv1

On that note, I suggest downloading SecLists (https://github.com/danielmiessler/SecLists). It has a large collection of general and service-specific wordlists for enumerating directories among other useful things.

acidbat

Type your comment> @erv1 said:

On that note, I suggest downloading SecLists (https://github.com/danielmiessler/SecLists). It has a large collection of general and service-specific wordlists for enumerating directories among other useful things.

I also think seclist comes with any newer version of kali now by default..
Default location being:
/usr/share/seclists/

Wordlist I like to use depends but usually is (for web directories):
directory-list-2.3-medium.txt
big.txt
And for subdomains

subdomains-top1million-110000.txt

hunt67241

Which program for directory scanning is the fastest? I find dirbuster to be pretty slow...

acidbat

Type your comment> @hunt67241 said:

Which program for directory scanning is the fastest? I find dirbuster to be pretty slow...

ffuf (apt install ffuf on kali) or feroxbuster (https://github.com/epi052/feroxbuster) which is made by @epi
gobuster is pretty neat as well

epi

Hey there, thanks for the shout out! Ffuf, gobuster, and feroxbuster are all roughly equivalent as far as speed (when given the same level of concurrency).

My personal workflow is feroxbuster for enumeration followed by targeted fuzzing where appropriate with ffuf.

I'd suggest using feroxbuster with -e, which will comb through the response bodies and extract additional links for further scanning. It's a built-in way to increase coverage that a wordlist on its own may miss.

The next release will add something similar, except it will automatically grab robots.txt and parse that as well.

I'm obviously biased, but ffuf, feroxbuster, and gobuster are all great choices.

If you have any suggestions for additional features or questions/issues, just open up an issue on GitHub.

svenkali

Type your comment> @hunt67241 said:

Which program for directory scanning is the fastest? I find dirbuster to be pretty slow...

Don't forget to play with the amount of threads your chosen tool uses. Don't go too crazy with it, but the defaults are usually set very very low.

In dirbuster it is a slider, in gobuster it is the -t option and so on.

r0j0

Thanks everyone for all the help!