Basics
A web server is the main part of a website. we store all file here. some links on a website redirect you to the files which are stored on that web server. but we are talking about those files which are not shown by the web-developer.
in that case, there must be a reason to hide those file. it might be in developing progress or something else.
we can just manually add random file names to the URL like:
<website>/random.php
but this can take a lot of time of a Hacker. so there are some tools that can help you to solve this problem.
for this tutorial, I am using Dirb and Dirbuster.
for the advanced user, I suggest you read wfuzz article. because wfuzz can also be used to find Dirs in webservers.
Uses Of Dirb
Dirb is a command line interface tool. it is slow but helpful. I think Dirb is the easier than Dirbuster to use. Dirb gives you a default wordlist, in case you don’t enter.
remember the basic syntax:
dirb <url_base> [<wordlist_file(s)>] [options]
start a simple brute-force on the web server
type this command:
dirb http://<website-ip/domain>:<port>
this is a simple command that will start to find dirs and files on the server. if you do not mention the wordlist path, it will automatically use the default wordlist(which is stored in usr/share/dirb/wordlist/common.txt). you can leave the port if you are performing the attack on port 80.
Advance Uses
type this command:
dirb http://<website-ip/domain>:<port> /usr/share/SecLists/tree/master/Discovery/Web-Content/Apache.fuzz.txt -N 404 -z 150 -r
so in this command, we have added some flags and tried to use a different word list. the -N is to avoid the 404 response code. -z key stands for wait for another request of 150 milliseconds and -r stands for not to search recursively.
Uses Of Dirbuster
if you are a beginner and you don’t like to use the command line interface, the Dirbuster is made for you. Dirbuster comes pre-installed in Kali Linux. dirbuster looks like this from inside:
simple dir brute force
step.1
enter the website URL in the place of target URL.
step.2
select the wordlist with browse option.
step.3
change the extension (if you know what kinda page website has)
step.4
click start, it will start to find hidden dirs. and it will show you find dirs tree.
thanks for visiting