Network Discovery

Brute-forcing a website consists of testing for the presence of accessible pages, such as /register, /register.php, /admin, /upload, /users/login.txt, /admin/password.sav, ... For this, there are lists of directories and filenames frequently found on web servers.

Once the web server language/framework is known (php, java, cgi / wordpress, joomla, ...), it is possible to use optimized lists and search only for the appropriate extensions: php, php4, php5, exe, jsp, ...
It is also possible to search for files with interesting extensions: cfg, txt, sav, jar, zip, sh, ...


Usual web brute-force software:

  • dirb: Command line. To be used for a quick check, with its list 'common.txt'.
  • gobuster: Command line. To be used with the list 'directory-list-2.3-medium.txt' from dirbuster.
  • dirbuster: GUI. Has a graphical interface, but it is not the best choice.

It is crucial to choose the right list of directories/filenames:

  • /usr/share/wordlists/dirb/common.txt: Small, well-constructed list.
  • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt: Big list. Should cover all CTFs.
  • https://github.com/danielmiessler/SecLists : Once comfortable with the two previous lists, more specialized lists can be found at this address.
  • On Kali and Parrot distributions, the /usr/share/wordlists directory contains links to many lists. Take the time to look at it in detail.
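The scans described above leave an unmistakable trace on the server side: one client address producing a burst of 404 responses for paths that look like wordlist entries. The following Python script is an added example, not part of the original page or of any tool it mentions, showing how a defender can detect that pattern in a web server access log. The log lines, the threshold of 5 misses and the 10-second window are constructed assumptions for illustration; the log format is the standard Apache/nginx "combined" format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (combined log format), not real traffic.
# 10.0.0.5 is a normal visitor with one stray 404; 10.0.0.9 probes wordlist paths.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.0.1"
10.0.0.9 - - [10/Oct/2023:13:55:37 +0000] "GET /register.php HTTP/1.1" 404 153 "-" "gobuster/3.0.1"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:38 +0000] "GET /upload HTTP/1.1" 404 153 "-" "gobuster/3.0.1"
10.0.0.9 - - [10/Oct/2023:13:55:38 +0000] "GET /users/login.txt HTTP/1.1" 404 153 "-" "gobuster/3.0.1"
10.0.0.9 - - [10/Oct/2023:13:55:39 +0000] "GET /admin/password.sav HTTP/1.1" 404 153 "-" "gobuster/3.0.1"
10.0.0.9 - - [10/Oct/2023:13:55:39 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "gobuster/3.0.1"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /about.php HTTP/1.1" 200 1812 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, threshold=5, window_seconds=10):
    """Flag client IPs that produce >= threshold 404 responses within window_seconds.

    Returns a dict {ip: peak number of 404s seen inside one window}. A sliding
    window per IP (a deque of timestamps) keeps memory bounded to the window size.
    """
    windows = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the window (log lines are time-ordered).
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(q))
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"possible directory brute-force from {ip}: {count} x 404 within 10s")
```

On the constructed sample only 10.0.0.9 is reported, with six misses in the window; the single 404 from 10.0.0.5 stays below the threshold, which is what separates a scan from an ordinary broken link. In production the threshold should be tuned against the site's normal 404 rate, and the same counter can be fed from a SIEM instead of a file.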


Dirb

Dirb is usually preinstalled on Kali or Parrot. If not:

sudo apt-get install -y dirb

Run a quick scan with dirb, using its default 'common.txt' list:

dirb 10.10.10.11


Gobuster
https://github.com/OJ/gobuster

Download and install it in /opt:

wget https://github.com/OJ/gobuster/releases/download/v3.0.1/gobuster-linux-amd64.7z
sudo apt install p7zip-full
7z x gobuster-linux-amd64.7z
sudo cp gobuster-linux-amd64/gobuster /opt/gobuster
chmod a+x /opt/gobuster

Brute-force http://10.10.10.11 with the list 'directory-list-2.3-medium.txt' and the file extensions html, php and txt:

/opt/gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.11  -l -x html,php,txt

For an HTTPS URL, add the command line option:

-k : skip HTTPS SSL certificate verification