feroxbuster - new forced browsing/directory busting tool

Type your comment> @epi said:

Good morning all!

I recently released my new project, feroxbuster!

feroxbuster is a forced browsing tool akin to gobuster/ffuf. It’s written in Rust using async/await for concurrency. Notable differences are SOCKS support, works in a command pipeline (targets in, discovered files/folders out), has recursion and auto-filtered wildcards turned on by default, and is incredibly configurable (global, per-user, per-target).

Builds are available for linux, mac, and windows. There’s also a .deb installer with a .rpm in the works. Pre-built binaries are available on the releases page of the repo.

I’m looking forward to any/all feedback you may have, enjoy!

GitHub - epi052/feroxbuster: A fast, simple, recursive content discovery tool written in Rust.

Installed and up and running (super easy and nice instructions on your site) :slight_smile:
It’s super fast mate, very cool and i like the interface of collating your results at the bottom.

Haven’t tried file types yet (will soon)
Was going to suggest support for SSL but you had already covered that with the -k switch :slight_smile:

Currently at school so I won’t be able to try it out right now, but from first impressions from the GitHub repository, it looks absolutely AMAZING! The output is also super fancy :stuck_out_tongue: I’ll let you know more when I come home.

Thank you both!

@acidbat said:
Was going to suggest support for SSL but you had already covered that with the -k switch :slight_smile:

By default it will reject insecure connections. The -k|--insecure option is there for when you want to suppress that behavior. This should feel very similar to gobuster/curl/etc…

I tried to keep the options/args as close to what other popular tools already used, for familiarity.

Thanks again for taking the time to check it out!

Type your comment> @sparkla said:

… gobusters disability to deal with recursion and extensions properly forced me to juggle with different programs, lists and extensions. …

I’m not certain you won’t run into the same problem here. However, if you do, open up an issue describing what currently happens and what you’d like to happen instead. We can discuss whether adjusting the tool’s behavior makes sense or not. Thank you!

Type your comment> @sparkla said:

Hey man, first time checking out your great tool tonight, but I get a ton of errors:

ERR 4.010 Error while making request: error sending request for url (https://europacorp.htb/144941): error trying to connect: dns error: No file descriptors available (os error 24)

Maybe related:
dns.lookup() documentation error code · Issue #27604 · nodejs/node · GitHub

Would be great if you could take a look for a quick fix, maybe just suppress that message, idk.

Looking forward to make this my go-to buster :slight_smile:

Thanks for checking it out! Can you try rescanning with a lower concurrency level and see if you get the same error? Also, what kind of box are you using to scan?

./feroxbuster -t 25 ...

Also, @sparkla can you run the following command and paste the results?

ulimit -a

Im wondering if your limit on open files is low. I can look later once I’m home what kali uses

yea, on my kali install, i see the following

ulimit -n 
---------
1024

I’d recommend upping the limit for open files to w/e you’re comfortable with given your specs by adding the entry below.

/etc/security/limits.conf
-------------------------
...
*               soft    nofile            8192
...

@sparkla

a quick answer to #2:

You can use the ferox-config.toml to specify a default set of extensions, if that’s your preference.

~/.config/feroxbuster/ferox-config.toml
---------------------------------------

extensions = ["php", "html", "js"]

I understand it’s not exactly what you asked for, but it might be good enough for now.

Also, if you want different default extensions based on what you’re scanning, you can drop a config file in a directory and scan from there for it to take effect. ferox-config.toml docs

~/targets/linux-targets/ferox-config.toml
---------------------------------------------

extensions = ["php", "html", "js"]
~/targets/windows-targets/ferox-config.toml
-----------------------------------------------

extensions = ["asp", "aspx"]

number 1 is a quick fix, I’ll add an issue today/tomorrow to track it.

I’m considering adding an issue that sets the open file limit on the user’s behalf if it’s too low.

number 3 would require some tinkering, but i’ll add it and see what it would take to accomplish.

Thanks for your feedback, i really appreciate it!

number 1 is fixed, just need to upload new build version

Type your comment> @sparkla said:

You seem do have dealt a lot with dirbusting, I waste so much time there sometimes, trying to figure the right wordlist / extension combo. After busting like 24h on the same box again, I thought like “why now make an uber wordlist that contains it all”? I think it wouldn’t be much longer than dir-2.3-big, that’s one of the longest and last time I checked these wordlists have quite a few common entries. What’s your opinion about this? No I’m not suggesting to build the wordlist into your tool…

I suppose it depends on the target. For bugbounty, I use a relatively small list in addition to crawling and some other strategies. Essentially, I don’t solely rely on dir busting, so the time spent using a huge wordlist doesn’t really fit with my workflow.

For a CTF/HTB though, I think grabbing the top 5-10 most common wordlists and cat’ing/uniq’ing them in order to get past the ‘guess the wordlist’ boxes might be ok.

Along these lines, I’m currently working on a feature that extracts links from the body of valid responses. You can check it out here if you’re interested. It should definitely increase coverage, as your wordlist will find unlinked content while the --extract-links option will find linked content.

But about ferox again: You mentioned config files, could you imagine to have config files that allow for different rules, lists and extensions for subdirs? Like, map out the subdirs in a first run an then like “in /JavaScript/ only search for .js extension”…

A friend of mine and I have talked about something very similar, though I see it as more of a companion tool instead of functionality included in feroxbuster.

If you guys want to be able to use it from any directory I have found the line of code for that. “sudo cp feroxbuster /usr/local/bin/feroxbuster” ; That will move feroxbust to your bin so you can just put feroxbuster into the command promt and it pop up instead of finding it on your computer.

If you guys want to be able to use it from any directory I have found the line of code for that. “sudo cp feroxbuster /usr/local/bin/feroxbuster” ; That will move feroxbust to your bin so you can just put feroxbuster into the command promt and it pop up instead of finding it on your computer.

@DancinHype you’re correct. In fact, if you use the .deb file and install through apt, that will be handled for you. Additionally, an example config file will get placed in /etc/feroxbuster/

Install instructions for apt are GitHub - epi052/feroxbuster: A fast, simple, recursive content discovery tool written in Rust.

DNS resolution is provided by a library. It’s nothing I manage directly. I can hop on and test.

Can you re run your command with -vvvv -o trace.log and host it somewhere that I can get it?

Not gonna lie, it sounds like your environment, and not the tool, just as a heads up ?

I’ll be able to check it out this evening.

Sense worked fine:

ulimit -n 4096
./feroxbuster -u https://10.129.24.102 -k -w /usr/share/dirb/wordlists/common.txt

enterprise with /etc/hosts entry worked as well

./feroxbuster -u http://enterprise.htb -w /usr/share/dirb/wordlists/common.txt -d 2

Both were scanned with v1.0.5 of feroxbuster using pwnbox

Coming back to say I really have been enjoying this. Used it on a couple boxes, works like a charm and far superior to other tools.

Occasionally I’ll get errors like mentioned by @sparkla but it seems like you all discovered a fix. Thanks for making this i really love it.

Edit: One thing I’d like to see added is the ability to hide certain response codes. Currently you can choose a list of ones you would like to show, but for instance if I just wanted to hide 404 it would be nice to have a --hide flag and not have to type out every code I wanted to see.

Love the speed of this :slight_smile:

Haven’t checked out the new version yet but how about subdomain scanning?

Type your comment> @sparkla said:

Found the solution in the meantime - seems we’re just going too fast here:

See top answer:
networking - Increasing the maximum number of TCP/IP connections in Linux - Stack Overflow

sudo sysctl net.ipv4.ip_local_port_range=“15000 61000”
sudo sysctl net.ipv4.tcp_fin_timeout=30

nice find! I hadn’t considered increasing ephemeral port range, that’s pretty clever. I also like the TIME_WAIT reuse setting as another option. I’m going to add something like an FAQ/Wiki to document some of the OS level things like this that can be tweaked.