During a web application pentest, finding sensitive directories, files and folders is always quite tough work.

What is DirBuster?

DirBuster is a multi-threaded Java application designed to brute-force directory and file names on web/application servers. It is often the case that what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.

http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

Now I will show how to use DirBuster to find sensitive directories and files in a web application. For the demo I will be using Mutillidae: a deliberately vulnerable set of PHP scripts that implement the OWASP Top 10.

  1. cd /pentest/web/dirbuster
  2. root@punter:/pentest/web/dirbuster# java -jar DirBuster-0.12.jar -u http://192.168.0.103/mutillidae/

Now browse to and select a directory brute-force wordlist, e.g. directory-list-1.0.txt.

Now press the Start button; you will see DirBuster begin brute-forcing directories and files.

Looking at the results, it has found /mutillidae/passwords/accounts.txt.
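From the defender's side, a wordlist scan like the one above leaves an obvious trace in the access log: a burst of 404s from one client, followed by a 200 on a path that should never have been in the web root. The following is an added example (not part of the original post and not DirBuster's own code) that parses combined-format access-log lines, flags clients producing a burst of 404s inside a sliding window, and lists successful hits on sensitive-looking paths; the log lines, IPs, timestamps and keyword list are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Constructed sample traffic (not real logs): a normal visitor, and a client
# walking a wordlist that collects 404s and then hits a real file.
SAMPLE_LOG = [
    '192.168.0.50 - - [10/Oct/2023:13:55:36 +0000] "GET /mutillidae/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.0.50 - - [10/Oct/2023:13:55:38 +0000] "GET /mutillidae/nope/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
] + [
    f'192.168.0.77 - - [10/Oct/2023:13:55:{40 + i:02d} +0000] "GET /mutillidae/{p}/ HTTP/1.1" 404 210 "-" "DirBuster-0.12"'
    for i, p in enumerate(["admin", "backup", "config", "test", "old", "tmp"])
] + [
    '192.168.0.77 - - [10/Oct/2023:13:55:47 +0000] "GET /mutillidae/passwords/accounts.txt HTTP/1.1" 200 812 "-" "DirBuster-0.12"',
]

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_bruteforcers(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: peak 404 count inside any sliding window} for clients reaching threshold."""
    misses = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] == 404:
            misses[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in misses.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def sensitive_hits(lines, keywords=("password", "backup", ".bak", ".old")):
    """Successful (2xx) requests on sensitive-looking paths: exposures to remove or access-control."""
    return [(rec["ip"], rec["path"]) for rec in filter(None, map(parse_line, lines))
            if 200 <= rec["status"] < 300 and any(k in rec["path"].lower() for k in keywords)]
```

On the sample data, find_bruteforcers reports 192.168.0.77 with six misses in the window, and sensitive_hits returns the accounts.txt exposure; tune the window and threshold against your own baseline 404 rate before alerting on it.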