Basics

A web server is the core of a website: it is where all of the site's files are stored. Some links on a website take you to files stored on that web server, but here we are talking about the files that the web developer has not linked or shown anywhere.

In that case, there must be a reason those files are hidden. They might still be in development, or it might be something else.

We can manually add random file names to the URL, like:

<website>/random.php

But this can take up a lot of a hacker's time, so there are tools that help solve this problem.

For this tutorial, I am using Dirb and Dirbuster.

For advanced users, I suggest reading the wfuzz article, because wfuzz can also be used to find directories on web servers.

Uses Of Dirb

Dirb is a command-line tool. It is slow but helpful. I think Dirb is easier to use than Dirbuster. Dirb falls back to a default wordlist if you don't supply one.

Remember the basic syntax:

dirb <url_base> [<wordlist_file(s)>] [options]

 

Start a simple brute-force on the web server

Type this command:

dirb http://<website-ip/domain>:<port>

This simple command starts looking for directories and files on the server. If you do not give a wordlist path, Dirb automatically uses the default wordlist (stored in /usr/share/dirb/wordlists/common.txt). You can omit the port if you are performing the attack on port 80.

Advanced Uses

Type this command:

dirb http://<website-ip/domain>:<port> /usr/share/SecLists/Discovery/Web-Content/Apache.fuzz.txt -N 404 -z 150 -r

In this command, we have added some flags and used a different wordlist. -N 404 tells Dirb to ignore responses with the 404 status code, -z 150 adds a 150-millisecond delay between requests, and -r tells Dirb not to search recursively.
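Seen from the server side, a scan like the one above still shows up in the access log: -N 404 only stops Dirb from reporting 404 responses (the requests are still sent and logged), and -z 150 merely spaces them out. The following Python is an added example, not part of the original tutorial. It assumes the server writes Common or Combined Log Format, and the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common/Combined Log Format: ip - - [time] "METHOD path proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_scanners(lines, window=timedelta(seconds=10), min_misses=20):
    """Return {ip: peak} for clients that requested at least min_misses
    distinct not-found paths inside any one sliding window."""
    misses = defaultdict(list)              # ip -> [(time, path)], 404s only
    for line in lines:
        m = LINE.match(line)
        if m and m.group(4) == "404":
            when = datetime.strptime(m.group(2), TIME_FMT)
            misses[m.group(1)].append((when, m.group(3)))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = peak = 0
        for end, (when, _) in enumerate(events):
            # Shrink the window from the left until it spans <= `window`.
            while when - events[start][0] > window:
                start += 1
            peak = max(peak, len({p for _, p in events[start:end + 1]}))
        if peak >= min_misses:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed log lines (not real traffic): one client guessing 40 paths
    150 ms apart, and one ordinary visitor with a single missing favicon."""
    def entry(ip, when, path, status):
        return f'{ip} - - [{when.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" {status} 0'
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [entry("203.0.113.7", base + timedelta(milliseconds=150 * i),
                   f"/guess{i}.php", 404) for i in range(40)]
    lines += [entry("198.51.100.20", base, "/index.php", 200),
              entry("198.51.100.20", base + timedelta(seconds=1), "/favicon.ico", 404),
              entry("198.51.100.20", base + timedelta(seconds=2), "/about.php", 200)]
    return lines

if __name__ == "__main__":
    for ip, peak in find_scanners(sample_log()).items():
        print(f"{ip}: {peak} distinct 404 paths within 10 s")
```

Counting distinct missing paths rather than raw 404s keeps a browser that retries one broken link from being flagged; the window and threshold need tuning against the site's normal traffic.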

Uses Of Dirbuster

If you are a beginner and you don't like using the command line, Dirbuster is made for you. Dirbuster comes pre-installed in Kali Linux.

 

Simple directory brute force

Step 1

Enter the website URL in the Target URL field.

Step 2

Select the wordlist with the Browse option.

Step 3

Change the file extension (if you know what kind of pages the website has).

Step 4

Click Start. Dirbuster will start finding hidden directories and show the directories it finds as a tree.

 

 

Thanks for visiting.
