search

URL bruteforcing

hashtag
DIRB

dirb <site url> -r -z <delay ms>                    #non recursive
dirb <site or internal folder url> -z <delay>       #full scan / folder recursive scan
dirb <site or internal folder url> -w               #ignore warnings (to use when not logged in)

hashtag
With dictionary

dirb <site url> <dictionary>

hashtag
Detailed scan

Fine tune + case insensitive

dirb <site url> <dict> -if

hashtag
Gobuster

gobuster dir -u <domain> -w <path to dict> -s '<http codes i.e. 200,403>' -ek
gobuster dir -u <domain> -w <path to dict> -s '<http codes i.e. 200,403>' -x <file extension> -ek

hashtag
Common search patterns

Search generic

gobuster dir -u <domain> -w <path to dict> -ek

Search config files

Search pages

Exclude results based on response length (useful to detect redirects to standard error pages)

Work via proxy (only SOCKS 5 is supported)

hashtag
Interesting HTTP codes:

  • 200 204 OK

  • 301 302 307 Redirect (can be ignored for more refined results)

  • 401 Login required (can be bruteforced)

  • 403 Forbidden (can be used to locate admin pages)

  • 500 Server error

hashtag
WFUZZ

Will replace any instance of the string FUZZ with an entry from a specified dictionary. Can be used to bruteforce pages, script arguments and search for RFI or SQLi vulnerable arguments. The FUZZ keyword can be inserted in every part of the URL or even concatenated with argument strings.

hashtag
Directory traversal

If the server has a custom message for 404 code, you can use the length of the error message as a parameter to distinguish from missing pages and existing ones even if the server always returns 200 as response.

hashtag
GET bruteforce

hashtag
Bruteforce argument name

hashtag
Bruteforce GET login

hashtag
POST bruteforce

hashtag
bruteforce argument

hashtag
POST form bruteforce

hashtag

PreviousEnumerationNextAPIs and Fields

Last updated