Directory brute-forcing (Fuzzing web directories)

What is directory brute-forcing?

  • Directory brute-forcing is a method employed by pentesters, malicious actors, etc. to discover hidden or unlinked directories or files on a web server. The individual normally uses an automated tool (gobuster, feroxbuster, ffuf, etc.) that takes every entry of a wordlist, requests it as a path under the target URL, and records which paths answer with an "interesting" status code (200, 301, 403, ...) instead of the server's usual 404. The intent is to widen the initial attack surface, discover sensitive information (backup files, admin panels, config files), etc. It is noisy (thousands of requests per wordlist) and is misled by catch-all servers that return 200 for every path, so a quick check with a random, non-existent path is worth doing before trusting the results.

Tools

feroxbuster

feroxbuster -u http://zipping.htb -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs_http.txt -x php
  • -u: specifies the target URL

  • -w: specifies the wordlist to be used

  • -o: specifies the output file (saves our output)

  • -x: specifies the file extensions we want to look for (each wordlist entry is also requested as entry.php)

  • note: feroxbuster recurses into every directory it discovers by default, so one run covers nested paths too

gobuster

gobuster dir -u http://zipping.htb -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php -o dirs_http.txt

Same flags as above (-u target URL, -w wordlist, -x extensions, -o output file), but note the dir subcommand: gobuster has separate modes for DNS, vhost, etc. One difference worth knowing: gobuster dir does not recurse into the directories it finds, so each discovered directory has to be scanned again as a new -u target.
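What these tools do under the hood, as an added example (this is not code from feroxbuster, gobuster, or the original notes): expand the wordlist with the requested extensions, request each candidate, keep the interesting status codes, and first probe a random path so a catch-all server does not flood the output. It assumes Python 3.9+ and uses only the standard library. The `fetch` callable can be swapped for a fake one; that is how the constructed sample host below (a made-up set of paths on zipping.htb) is scanned offline. The status list INTERESTING is an assumed default, not the tools' exact default.

```python
"""Minimal directory brute-forcer (added example; not feroxbuster/gobuster code).

Shows what the tools above do internally: expand the wordlist with the
requested extensions, request each candidate path, keep "interesting"
status codes, and first check for a catch-all (wildcard) response so a
server that answers 200 for everything does not flood the output.
Sequential and HTTP-only; the real tools add threading, recursion and
size/word-count based filtering on top of this.
"""
import random
import string
import urllib.error
import urllib.request
from typing import Callable, Iterable

# Status codes worth reporting. Assumed defaults for this example; adjust per target.
INTERESTING = (200, 204, 301, 302, 307, 401, 403)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a 301 on /admin is the signal that /admin/ exists."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url: str, timeout: float = 5.0) -> int:
    """Default fetcher: GET the URL and return its HTTP status without following redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirbrute-example/0.1"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here; err.code is the status
        return err.code


def candidates(words: Iterable[str], extensions: Iterable[str] = ()) -> list[str]:
    """Expand the wordlist the way `-x php` does: each word, then word.ext per extension.

    Blank lines and comment lines are skipped (SecLists files start with a comment header).
    """
    exts = [e.lstrip(".") for e in extensions]
    out: list[str] = []
    for raw in words:
        word = raw.strip()
        if not word or word.startswith("#"):
            continue
        out.append(word)
        out.extend(f"{word}.{ext}" for ext in exts)
    return out


def wildcard_status(base_url: str, fetch: Callable[[str], int]) -> int:
    """Request a path no wordlist contains; the answer is the server's real 'not found'
    status. If that is 200, the server is a catch-all and 200 hits mean nothing."""
    junk = "".join(random.choices(string.ascii_lowercase, k=16))
    return fetch(f"{base_url.rstrip('/')}/{junk}")


def brute_force(base_url: str, words: Iterable[str], extensions: Iterable[str] = (),
                fetch: Callable[[str], int] = http_status,
                interesting: Iterable[int] = INTERESTING) -> list[tuple[str, int]]:
    """Return (path, status) for every candidate whose status is interesting and
    differs from the server's catch-all status."""
    base = base_url.rstrip("/")
    noise = wildcard_status(base, fetch)
    keep = set(interesting) - {noise}
    hits: list[tuple[str, int]] = []
    for path in candidates(words, extensions):
        status = fetch(f"{base}/{path}")
        if status in keep:
            hits.append((path, status))
    return hits


# Constructed sample target so the example runs offline: a fake fetcher backed by a
# dict of paths that "exist" on a hypothetical host. Not a real site layout.
SAMPLE_HOST = "http://zipping.htb"
SAMPLE_SITE = {"/admin": 301, "/admin.php": 200, "/login.php": 200, "/uploads": 403}
SAMPLE_WORDS = ["# directory-list style header comment", "admin", "login", "uploads", "images"]


def sample_fetch(url: str) -> int:
    """Stand-in for http_status that answers from the constructed SAMPLE_SITE."""
    return SAMPLE_SITE.get(url[len(SAMPLE_HOST):], 404)


if __name__ == "__main__":
    for path, status in brute_force(SAMPLE_HOST, SAMPLE_WORDS, ["php"], fetch=sample_fetch):
        print(f"{status} /{path}")
```

Against the sample host this reports admin (301), admin.php (200), login.php (200) and uploads (403); login and images without an extension are skipped because they 404. Replace `sample_fetch` with the default `http_status` to run it against a real target, and expect the real tools to be far faster because they send requests from many threads.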
