Web Directory Fuzzing Tools
Complete guide to discovering hidden directories and files on web servers by masaudsec
Gobuster
What is Gobuster?
Gobuster is a blazing-fast directory/file brute-forcing tool written in Go. It's a command-line tool that supports multiple modes including directory brute-forcing, DNS subdomain enumeration, and virtual host discovery.
Key Features
- Extremely fast due to Go implementation
- Multiple modes (dir, dns, vhost, s3)
- Simple and consistent syntax
- Support for extensions filtering
- Can output results in different formats
Installation
Install Gobuster with these commands:
# On Kali Linux/Debian:
sudo apt update && sudo apt install gobuster -y
# Using Go (for latest version):
go install github.com/OJ/gobuster/v3@latest
# Add to PATH if installed via Go:
export PATH=$PATH:$(go env GOPATH)/bin
Ready-to-Run Commands
Basic directory brute-forcing with Gobuster:
# Basic directory brute-forcing
gobuster dir -u http://example.com/ -w /usr/share/wordlists/dirb/common.txt -t 50 -o results.txt
# With extensions filter
gobuster dir -u http://example.com/ -w /usr/share/wordlists/dirb/common.txt -x php,html,js -t 50
# DNS subdomain brute-forcing
gobuster dns -d example.com -w /usr/share/wordlists/dns/subdomains-top1million-5000.txt -t 50 -o dns-results.txt
# Common options:
-u: Target URL
-w: Wordlist path
-t: Threads (default: 10)
-o: Output file
-x: File extensions to search for
Feroxbuster
What is Feroxbuster?
Feroxbuster is a fast, recursive content discovery tool written in Rust. It's designed to perform directory brute-forcing with automatic recursion, meaning it will automatically scan any directories it finds.
Key Features
- Automatic recursive scanning by default
- Multiple output formats (JSON, CSV)
- Built-in wordlists
- Configurable recursion depth
- Rate limiting capabilities
Installation
Install Feroxbuster with these commands:
# On Kali Linux/Debian:
sudo apt update && sudo apt install feroxbuster -y
# Using Cargo (Rust package manager):
cargo install feroxbuster
# For other Linux systems:
curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/master/install-nix.sh | bash
# On macOS (with Homebrew):
brew install feroxbuster
Ready-to-Run Commands
Basic usage of Feroxbuster:
# Basic scan with recursion
feroxbuster -u http://example.com/ -w /usr/share/wordlists/raft-medium-directories.txt -o ferox-results.txt
# With extensions filter
feroxbuster -u http://example.com/ -w /usr/share/wordlists/raft-medium-directories.txt -x php,html,js
# JSON output
feroxbuster -u http://example.com/ -w /usr/share/wordlists/raft-medium-directories.txt --json -o results.json
# Common options:
-u: Target URL
-w: Wordlist path
-t: Threads (default: 50)
-o: Output file
-x: File extensions to search for
--json: Output in JSON format
--depth: Maximum recursion depth (default: 4)
FFUF (Fuzz Faster U Fool)
What is FFUF?
FFUF is a fast web fuzzer written in Go. It's highly versatile and can be used for directory brute-forcing, virtual host discovery, parameter fuzzing, and more. FFUF stands out for its speed and flexible filtering options.
Key Features
- Extremely fast fuzzing
- Multiple output formats (JSON, HTML, CSV)
- Advanced filtering options
- Support for multiple wordlists
- Can fuzz any part of HTTP requests
Installation
Install FFUF with these commands:
# On Kali Linux/Debian:
sudo apt update && sudo apt install ffuf -y
# Using Go (for latest version):
go install github.com/ffuf/ffuf@latest
# For macOS (with Homebrew):
brew install ffuf
# For Windows (with Scoop):
scoop install ffuf
Ready-to-Run Commands
Basic usage of FFUF:
# Basic directory brute-forcing
ffuf -u http://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 50 -o ffuf-results.html
# With extensions filter
ffuf -u http://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.html,.js -t 50
# Filter by response size (exclude 1234 bytes)
ffuf -u http://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -fs 1234
# Virtual host discovery
ffuf -u http://example.com/ -H "Host: FUZZ.example.com" -w /usr/share/wordlists/dns/subdomains-top1million-5000.txt
# Common options:
-u: Target URL (use FUZZ as placeholder)
-w: Wordlist path
-t: Threads (default: 40)
-o: Output file
-of: Output format (html,json,csv)
-e: File extensions
-fs: Filter by response size
-fc: Filter by HTTP status code
Dirb
What is Dirb?
Dirb is a simple, lightweight command-line tool for brute-forcing directories and files on web servers. While not as fast as newer tools, it's reliable and comes pre-installed on many security-focused Linux distributions.
Key Features
- Simple and easy to use
- Lightweight with minimal dependencies
- Comes with built-in wordlists
- Good for quick scans
- Supports basic authentication
Installation
Install Dirb with these commands:
# On Kali Linux/Debian:
sudo apt update && sudo apt install dirb -y
# From source (requires build tools):
wget https://sourceforge.net/projects/dirb/files/dirb/2.22/dirb222.tar.gz
tar -xzf dirb222.tar.gz
cd dirb222
./configure
make
sudo make install
Ready-to-Run Commands
Basic usage of Dirb:
# Basic scan
dirb http://example.com/ /usr/share/wordlists/dirb/common.txt -o dirb-results.txt
# With extensions filter
dirb http://example.com/ /usr/share/wordlists/dirb/common.txt -X .php,.html,.js
# With basic authentication
dirb http://example.com/ /usr/share/wordlists/dirb/common.txt -u admin:password
# Common options:
-o: Output file
-X: File extensions to search for
-u: Username and password for basic auth
-r: Don't search recursively
-N: Don't check for Not Found responses
-S: Silent mode (no progress shown)
-w: Don't stop on warning messages
DirBuster
What is DirBuster?
DirBuster is a Java-based graphical tool designed to brute force directories and files on web servers. It's perfect for beginners who prefer a visual interface over command line tools. DirBuster can handle very large wordlists and perform recursive scanning.
Key Features
- User-friendly GUI interface
- Supports multiple attack methods (GET/POST)
- Can brute force both directories and files
- Built-in reporting functionality
- Works well with Burp Suite integration
Installation
On Kali Linux, DirBuster comes pre-installed. For other systems:
# Install on Debian/Ubuntu
sudo apt update && sudo apt install dirbuster -y
# For manual installation (requires Java):
wget https://sourceforge.net/projects/dirbuster/files/DirBuster%20%28jar%20%2B%20lists%29/1.0-RC1/DirBuster-1.0-RC1.tar.gz
tar -xzf DirBuster-1.0-RC1.tar.gz
cd DirBuster-1.0-RC1
java -jar DirBuster-1.0-RC1.jar
Ready-to-Run Command
After installation, launch DirBuster with this command:
# Launch DirBuster GUI
dirbuster
# Recommended settings:
1. Target URL: http://example.com/
2. Threads: 20-50 (depending on server)
3. Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
4. File extension: php,html,js (as needed)
5. Check "Be Recursive" for deep scanning