feroxbuster - new forced browsing/directory busting tool

@sparkla said:

Hey man, first time checking out your great tool tonight, but I get a ton of errors:

ERR 4.010 Error while making request: error sending request for url (https://europacorp.htb/144941): error trying to connect: dns error: No file descriptors available (os error 24)

Maybe related:
dns.lookup() documentation error code · Issue #27604 · nodejs/node · GitHub

Would be great if you could take a look for a quick fix, maybe just suppress that message, idk.

Looking forward to make this my go-to buster :slight_smile:

Thanks for checking it out! Can you try rescanning with a lower concurrency level and see if you get the same error? Also, what kind of box are you using to scan?

./feroxbuster -t 25 ...

Also, @sparkla can you run the following command and paste the results?

ulimit -a

I’m wondering if your limit on open files is low. I can look later, once I’m home, at what Kali uses.

Yea, on my Kali install, I see the following

ulimit -n 
---------
1024

I’d recommend upping the limit for open files to w/e you’re comfortable with given your specs by adding the entry below.

/etc/security/limits.conf
-------------------------
...
*               soft    nofile            8192
...

@sparkla

a quick answer to #2:

You can use the ferox-config.toml to specify a default set of extensions, if that’s your preference.

~/.config/feroxbuster/ferox-config.toml
---------------------------------------

extensions = ["php", "html", "js"]

I understand it’s not exactly what you asked for, but it might be good enough for now.

Also, if you want different default extensions based on what you’re scanning, you can drop a config file in a directory and scan from there for it to take effect. ferox-config.toml docs

~/targets/linux-targets/ferox-config.toml
-----------------------------------------

extensions = ["php", "html", "js"]

~/targets/windows-targets/ferox-config.toml
-------------------------------------------

extensions = ["asp", "aspx"]

number 1 is a quick fix, I’ll add an issue today/tomorrow to track it.

I’m considering adding an issue that sets the open file limit on the user’s behalf if it’s too low.

number 3 would require some tinkering, but I’ll add it and see what it would take to accomplish.

Thanks for your feedback, I really appreciate it!

number 1 is fixed, just need to upload new build version

@sparkla said:

You seem to have dealt a lot with dirbusting. I waste so much time there sometimes, trying to figure out the right wordlist / extension combo. After busting for like 24h on the same box again, I thought “why not make an uber wordlist that contains it all”? I think it wouldn’t be much longer than dir-2.3-big, that’s one of the longest, and last time I checked these wordlists have quite a few common entries. What’s your opinion about this? No, I’m not suggesting building the wordlist into your tool…

I suppose it depends on the target. For bugbounty, I use a relatively small list in addition to crawling and some other strategies. Essentially, I don’t solely rely on dir busting, so the time spent using a huge wordlist doesn’t really fit with my workflow.

For a CTF/HTB though, I think grabbing the top 5-10 most common wordlists and cat’ing/uniq’ing them in order to get past the ‘guess the wordlist’ boxes might be ok.

Along these lines, I’m currently working on a feature that extracts links from the body of valid responses. You can check it out here if you’re interested. It should definitely increase coverage, as your wordlist will find unlinked content while the --extract-links option will find linked content.

But about ferox again: you mentioned config files, could you imagine having config files that allow for different rules, lists and extensions for subdirs? Like, map out the subdirs in a first run and then something like “in /JavaScript/ only search for the .js extension”…

A friend of mine and I have talked about something very similar, though I see it as more of a companion tool instead of functionality included in feroxbuster.

If you guys want to be able to use it from any directory, I have found the line of code for that: “sudo cp feroxbuster /usr/local/bin/feroxbuster”. That will copy feroxbuster to your bin so you can just type feroxbuster into the command prompt and it pops up instead of having to find it on your computer.

@DancinHype you’re correct. In fact, if you use the .deb file and install through apt, that will be handled for you. Additionally, an example config file will get placed in /etc/feroxbuster/

Install instructions for apt are at GitHub - epi052/feroxbuster: A fast, simple, recursive content discovery tool written in Rust.

DNS resolution is provided by a library. It’s nothing I manage directly. I can hop on and test.

Can you re run your command with -vvvv -o trace.log and host it somewhere that I can get it?

Not gonna lie, it sounds like your environment, and not the tool, just as a heads up.

I’ll be able to check it out this evening.

Sense worked fine:

ulimit -n 4096
./feroxbuster -u https://10.129.24.102 -k -w /usr/share/dirb/wordlists/common.txt

enterprise with /etc/hosts entry worked as well

./feroxbuster -u http://enterprise.htb -w /usr/share/dirb/wordlists/common.txt -d 2

Both were scanned with v1.0.5 of feroxbuster using pwnbox

Coming back to say I really have been enjoying this. Used it on a couple boxes, works like a charm and far superior to other tools.

Occasionally I’ll get errors like mentioned by @sparkla but it seems like you all discovered a fix. Thanks for making this, I really love it.

Edit: One thing I’d like to see added is the ability to hide certain response codes. Currently you can choose a list of ones you would like to show, but for instance if I just wanted to hide 404 it would be nice to have a --hide flag and not have to type out every code I wanted to see.

Love the speed of this :slight_smile:

Haven’t checked out the new version yet but how about subdomain scanning?

@sparkla said:

Found the solution in the meantime - seems we’re just going too fast here:

See top answer:
networking - Increasing the maximum number of TCP/IP connections in Linux - Stack Overflow

sudo sysctl net.ipv4.ip_local_port_range="15000 61000"
sudo sysctl net.ipv4.tcp_fin_timeout=30

nice find! I hadn’t considered increasing ephemeral port range, that’s pretty clever. I also like the TIME_WAIT reuse setting as another option. I’m going to add something like an FAQ/Wiki to document some of the OS level things like this that can be tweaked.
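
A preflight check for the two OS limits this thread ran into, the per-process open-file limit from the ulimit/limits.conf posts above and the ephemeral port range from @sparkla’s sysctl fix, as an added example that is not part of feroxbuster or of anyone’s post here. The descriptors-per-thread heuristic, the 4x port headroom factor and the default thread count are assumptions, not figures from the tool.

```bash
#!/usr/bin/env bash
# Pre-flight check before a high-concurrency scan (added example, not part of
# feroxbuster). The two resources exhausted in this thread were the per-process
# open-file limit ("No file descriptors available (os error 24)") and the
# ephemeral port range, so both are compared against the planned -t value.

# Usable ephemeral ports from a "low high" pair, the format used by
# /proc/sys/net/ipv4/ip_local_port_range.
ephemeral_port_count() {
    set -- $1                        # split "low high" into $1 and $2
    echo $(( $2 - $1 + 1 ))
}

# Heuristic (assumption, not a feroxbuster figure): each worker may hold a
# request socket plus a resolver socket, and 64 descriptors are reserved for
# stdio, the wordlist, the output file and library internals.
fds_needed() {
    echo $(( $1 * 2 + 64 ))
}

# Exit status 0 when the soft nofile limit covers the planned thread count.
fd_limit_ok() {                      # args: nofile_soft threads
    [ "$1" -ge "$(fds_needed "$2")" ]
}

# Exit status 0 when the port range leaves room for connections parked in
# TIME_WAIT; the factor of 4 is a rule of thumb (assumption).
port_range_ok() {                    # args: "low high" threads
    [ "$(ephemeral_port_count "$1")" -ge $(( $2 * 4 )) ]
}

# Read the live values (Linux paths) and print what to change. $1 = threads.
preflight() {
    threads=${1:-50}
    nofile=$(ulimit -n)
    range=$(cat /proc/sys/net/ipv4/ip_local_port_range 2>/dev/null || echo "32768 60999")
    if fd_limit_ok "$nofile" "$threads"; then
        echo "nofile=$nofile is enough for -t $threads"
    else
        echo "nofile=$nofile is too low for -t $threads; run: ulimit -n $(fds_needed "$threads")"
    fi
    if port_range_ok "$range" "$threads"; then
        echo "ephemeral port range ($range) is fine for -t $threads"
    else
        echo "widen it: sudo sysctl net.ipv4.ip_local_port_range=\"15000 61000\""
        echo "and recycle faster: sudo sysctl net.ipv4.tcp_fin_timeout=30"
    fi
}

preflight "$@"
```

Run it as `./preflight.sh 200` before a scan with `-t 200`; the printed commands are the same ones from the posts above, and a permanent nofile change still belongs in /etc/security/limits.conf.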

@LMAY75 said:
Coming back to say I really have been enjoying this. Used it on a couple boxes, works like a charm and far superior to other tools.

Glad to hear it!

Occasionally I’ll get errors like mentioned by @sparkla but it seems like you all discovered a fix. Thanks for making this, I really love it.

Edit: One thing I’d like to see added is the ability to hide certain response codes. Currently you can choose a list of ones you would like to show, but for instance if I just wanted to hide 404 it would be nice to have a --hide flag and not have to type out every code I wanted to see.

Would you mind filing a feature request regarding the status code blacklist?

I love the fast feedback from this thread, but it’s not exactly the best place for me to track issues, lol.

@acidbat said:
Love the speed of this :slight_smile:

Thank you!

Haven’t checked out the new version yet but how about subdomain scanning?

I really don’t intend to branch out into other scanning areas. I’d prefer to keep making the busting functionality better rather than split time on a completely separate scanner (even if it’s housed in the same tool).

@epi said:

Would you mind filing a feature request regarding the status code blacklist?

Done :slight_smile:

@epi said:

@acidbat said:
Love the speed of this :slight_smile:

Thank you!

Haven’t checked out the new version yet but how about subdomain scanning?

I really don’t intend to branch out into other scanning areas. I’d prefer to keep making the busting functionality better rather than split time on a completely separate scanner (even if it’s housed in the same tool).

No worries mate :slight_smile:
End of the day it is your project after all :slight_smile: