DirBuster is a multi-threaded Java-based application designed to brute force directory and file names on web/application servers. During web application pentesting, finding the sensitive directories, files and folders is always quite tough work. Nowadays we often don't see those default installation files/directories as in the olden days, and finding the sensitive pages really gets challenging. In such cases, DirBuster helps in finding those unknown and sensitive file names and directories. This can prove to be great information to start with in a real web penetration test.
In action with DirBuster
Now I will be showing you how easy it is to use DirBuster to find those sensitive directories and files on web servers. For the demo I will be using Mutillidae, "A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10".
Once you start DirBuster it will appear as shown in the screenshot below.
Now browse to and select one of the directory brute force lists shipped in the DirBuster folder (for example directory-list-1.0.txt), as shown below.
Now click the Start button and you will see DirBuster begin brute forcing the file names and directories on the web server, as shown below. In the black window you can see all the file names and directories discovered by DirBuster.
One of the discovered files, '../passwords/accounts.txt', looks interesting. On opening it you will see that it holds the passwords for the web server accounts.
Conclusion
Finding hidden files and directories on a web server is a tedious task for anyone involved in web application pentesting. DirBuster makes that task much simpler and faster with its easy-to-use GUI.
Web server owners can use the tool just as easily to find and remove any sensitive files/directories from their web servers, taking it one step further in securing their servers.
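From the web server owner's side, a scan like the one above is easy to spot in the access log: one client producing a burst of requests that mostly end in 404. The following is an added example, not part of the original post or of DirBuster, that flags such clients; it assumes the server writes Apache/nginx combined-format logs and runs against a constructed sample log embedded in the code (the IPs, paths and timestamps are made up).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Apache/nginx "combined" access-log format (assumption: the server logs in this format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)  # returns None for lines that are not in combined format
    if not m:
        return None
    rec = m.groupdict()
    rec["status"], rec["ts"] = int(rec["status"]), datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_bruteforcers(lines, window=60, min_requests=20, min_miss_ratio=0.8):
    """Flag client IPs that, within any `window`-second span, send >= `min_requests`
    requests of which >= `min_miss_ratio` are 404s: the trace a wordlist scan leaves."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, cur in enumerate(recs):  # sliding window over this client's sorted requests
            while (cur["ts"] - recs[start]["ts"]).total_seconds() > window:
                start += 1
            span = recs[start:end + 1]
            misses = [r["path"] for r in span if r["status"] == 404]
            if len(span) >= min_requests and len(misses) / len(span) >= min_miss_ratio:
                flagged[ip] = {"requests": len(span), "not_found": len(misses),
                               "sample_paths": sorted(set(misses))[:5]}
                break  # the first window over the threshold is enough to raise an alert
    return flagged

# Constructed sample log (not real traffic): 198.51.100.7 walks a small wordlist against
# /mutillidae/ at one request per second (22 misses, 2 hits); 203.0.113.5 loads two pages.
WORDS = "admin backup config data includes logs old passwords private test tmp upload".split()
HITS = {"/mutillidae/includes/", "/mutillidae/passwords/"}
def constructed_log():
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    reqs = [("198.51.100.7", i, f"/mutillidae/{w}" + ("/" if i < len(WORDS) else ".php"))
            for i, w in enumerate(WORDS * 2)]  # pass 1 tries directories, pass 2 .php files
    reqs += [("203.0.113.5", 30 * i, f"/mutillidae/{p}") for i, p in enumerate(["index.php", "login.php"])]
    return [fmt.format(ip=ip, ts=(base + timedelta(seconds=s)).strftime(TS_FMT), path=path,
                       status=200 if path in HITS or ip == "203.0.113.5" else 404)
            for ip, s, path in reqs]
```

On the constructed log the scanner is flagged as soon as its first 20 requests (18 of them 404s) fall inside one 60-second window, while the ordinary visitor is left alone; tune the thresholds to the normal 404 rate of your own site before alerting on real logs.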