Brute forcing directory and file names on web application servers using DirBuster
During a web application pentest, finding sensitive directories and files is always quite tough work.
What is DirBuster?
DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. It is often the case that what looks like a web server in a default installation state is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
Now I will show how to use DirBuster to find sensitive directories and files in a web application. For the demo I will be using Mutillidae, a deliberately vulnerable set of PHP scripts that implement the OWASP Top 10.
- cd /pentest/web/dirbuster
- java -jar DirBuster-0.12.jar -u http://192.168.0.103/mutillidae/
Now browse to and select a directory brute force list, e.g. directory-list-1.0.txt.
Now press the Start button and you will see DirBuster begin brute forcing directories and files.
Look at the results: it has found /mutillidae/passwords/accounts.txt.
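As an added example (not part of the original post), here is the defender-side counterpart of the scan above: detection logic run over constructed Apache combined-format access log lines that flags DirBuster-style scanning either by the tool's default User-Agent (assumed here to contain the string "DirBuster", as the 0.12 release's does) or by a burst of 404 responses from one client inside a sliding time window, which also catches a scanner configured with a browser-like User-Agent.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "combined" log format (not taken from the post).
# 192.168.0.77 runs DirBuster with its default User-Agent; 192.168.0.88 scans with
# a browser-like User-Agent, so only its burst of 404s gives it away.
SAMPLE_LOG = """\
192.168.0.50 - - [10/Oct/2023:13:55:36 +0000] "GET /mutillidae/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Oct/2023:13:55:37 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.168.0.77 - - [10/Oct/2023:13:56:01 +0000] "GET /mutillidae/admin/ HTTP/1.1" 404 210 "-" "DirBuster-0.12 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"
192.168.0.77 - - [10/Oct/2023:13:56:01 +0000] "GET /mutillidae/passwords/accounts.txt HTTP/1.1" 200 312 "-" "DirBuster-0.12 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"
192.168.0.88 - - [10/Oct/2023:13:57:00 +0000] "GET /mutillidae/backup/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.168.0.88 - - [10/Oct/2023:13:57:01 +0000] "GET /mutillidae/test/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.168.0.88 - - [10/Oct/2023:13:57:02 +0000] "GET /mutillidae/old/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.168.0.88 - - [10/Oct/2023:13:57:03 +0000] "GET /mutillidae/tmp/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.168.0.88 - - [10/Oct/2023:13:57:04 +0000] "GET /mutillidae/config/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def detect_dir_bruteforce(log_text, max_404=5, window_seconds=60):
    """Return {client_ip: reason} for clients that look like directory brute forcers."""
    recent_404s = defaultdict(list)  # ip -> timestamps of recent 404 responses
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ip = m["ip"]
        if "dirbuster" in m["ua"].lower():
            flagged.setdefault(ip, "DirBuster User-Agent")
        if m["status"] == "404":
            t = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            window = recent_404s[ip]
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.pop(0)  # discard 404s that fell out of the sliding window
            if len(window) >= max_404:
                flagged.setdefault(ip, f"{len(window)} 404s within {window_seconds}s")
    return flagged

if __name__ == "__main__":
    for ip, reason in detect_dir_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

The single 404 from 192.168.0.50 stays below the threshold, so ordinary browsing (a missing favicon) is not reported.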