Dirbuster

Spider tool to scan websites for hidden pages/directories.

OSCP: Officially allowed during the exam according to the OSCP Exam Guide

Scan website for hidden pages

Word list should be updated to add the current year.

nano /usr/share/dirb/wordlists/common.txt
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024

Use a proxy

  • Options -> Advanced Options
  • Http Options tab.
  • Check the ‘Run Through a Proxy’ checkbox and set the ‘Host’ to localhost and the ‘Port’ to 8118.
  • Click on OK, then run DirBuster as normal.

Search for directories listed in common.txt on website URL

URL=x.x.x.x/mutillidae
WL=/usr/share/dirb/wordlists/common.txt
EXT=".asp,.aspx,.bat,.c,.cfm,.cgi,.com,.dll,.exe,.htm,.html,.inc,.jhtml,.jsa,.jsp,.log,.mdb,.nsf,.php,.phtml,.pl,.reg,.sh,.shtml,.sql,.txt,.xml,/"
dirbuster -u $URL -l $WL -e $EXT

Find web backup files

URL=x.x.x.x/mutillidae
WL=/usr/share/dirb/wordlists/common.txt
EXT="~,copy.asp,.1,.~1~,.zip,.tar.gz,.sql,.old,.bak,.txt"
dirbuster -u $URL -l $WL -e $EXT