Brute Force Web Directories And Files Using DIRB/WFUZZ

Using DIRB to find web pages that may otherwise be unknown.

Background

The WFUZZ/Dirbuster tools are used for brute forcing directories. They can be configured to use a variety of methods for guessing the names of directories, including dictionary attacks and brute force attacks. This makes them powerful tools for discovering hidden files and directories on a system.

This simple concept allows any input to be injected into any field of an HTTP request, which makes it possible to perform complex web security attacks against different web application components such as parameters, authentication, forms, directories/files, headers, etc.

Exercise

Brute force web directories and files using DIRB.

Example:

dirb [HOST_ADDR] -r

These hidden directories can often be used to exploit the server if they are not well protected/secured.

wfuzz -w [WORDLIST] [WEBPAGE] is the basic command. I used grep to filter the results to only the 200 responses, meaning it was a successful connection.
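
From the defender's side, a DIRB or wfuzz run appears in the web server's access log as a burst of 404 responses for distinct paths from one client. The Python below is an added example, not part of the original page or of either tool; it assumes Combined Log Format, and the function name detect_enumeration, the thresholds and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip - user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
EXISTS = {200, 301, 302, 401, 403}  # statuses that confirm a guessed path exists

def detect_enumeration(lines, window_s=10, min_404=5):
    """Flag clients with >= min_404 distinct 404 paths inside window_s seconds.
    Returns {ip: {"misses": peak distinct 404s, "found": paths that exist}}."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> (time, path) of 404s still in the window
    hits = defaultdict(list)     # ip -> paths answered with a status in EXISTS
    peak = {}                    # ip -> highest distinct-404 count seen
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, path, status = m["ip"], m["path"], int(m["status"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if status in EXISTS:
            hits[ip].append(path)
        if status != 404:
            continue
        q = recent[ip]
        q.append((ts, path))
        while ts - q[0][0] > window:  # drop 404s older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= min_404:
            peak[ip] = max(peak.get(ip, 0), distinct)
    return {ip: {"misses": n, "found": hits[ip]} for ip, n in peak.items()}

# Constructed sample log (documentation IP ranges), not taken from a real server.
SCAN = [("admin", 301), ("backup", 404), ("cgi-bin", 404), ("config", 404),
        ("old", 404), ("test", 404), ("uploads", 403)]
SAMPLE = [f'203.0.113.7 - - [12/Mar/2024:10:00:0{i} +0000] "GET /{w} HTTP/1.1" {s} 512 "-" "-"'
          for i, (w, s) in enumerate(SCAN)] + [
    '198.51.100.20 - - [12/Mar/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.20 - - [12/Mar/2024:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE).items():
        print(ip, info)
```

The "found" list shows which guessed paths the flagged client confirmed, which is where access controls should be reviewed first.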
