๐Ÿ‘จโ€๐Ÿซ
Mosse CyberSec Institute.
  • Preface
  • ๐Ÿ‘ฉโ€๐Ÿ’ปInternet Searching
    • Using Elicit, search through Academic Papers
    • Use Google To Identify Open FTP Servers That Hold Confidential Materials Available For Download
    • Use Bing To Find Cybersecurity Feeds In A Specific Language
    • Use Google's Cache Capability to Retrieve Deleted Web Pages
    • Use Web Archives to View Old Versions of Websites.
    • Use Advangle To Generate Complex Google Search Queries
  • ๐ŸงTechnical Concepts
    • Research The Top Penetration Testing Tools
    • Research The Cyber Kill Chain Model And The MITRE Matrix
      • Lockheed Martin Kill Chain
      • MITRE ATT&CK MATRIX
    • Research The Major Types Of Enterprise Security Software
    • Research The Most Common Network Protocols
  • ๐Ÿ•ต๏ธPassive Network Reconnaissance
    • Use Dnsdumpster.com To Passively Map An Organization's External Facing Assets
    • Use Shodan.io To Passively Map An Organization's External Facing Assets
    • Use Crt.Sh To Identify Domains And Sub-Domains That Belong To An Organization
    • Search For Information Leaks On Github Using Grep.App
  • ๐ŸงจDiscovering Attack Campaigns
    • Detect Typo Squatting And Phishing With Dnstwist.it
    • Use Urlscan.Io To Identify Phishing And Spear-Phishing Websites
  • ๐Ÿ”Security Tools
    • Use sslscan To Assess The SSL Configuration Settings Of HTTPS Websites
    • NMAP SCANS
    • Brute Force Web Directories And Files Using DIRB/WFUZZ
  • Penetration Testing with Tools
  • Digital Investigations
  • Malware Development
Powered by GitBook
On this page
  • Background
  • Exercise
  • Example:
  1. Security Tools

Brute Force Web Directories And Files Using DIRB/WFUZZ

Using DIRB to find webpages that may have been unknown.

PreviousNMAP SCANSNextPenetration Testing with Tools

Last updated 1 year ago

Background

The WFUZZ/Dirbuster tools are used for brute forcing directories. They can be configured to use a variety of methods for guessing the names of directories, including dictionary attacks and brute force attacks. This makes them powerful tools for discovering hidden files and directories on a system.

This simple concept allows any input to be injected in any field of an HTTP request, allowing to perform complex web security attacks in different web application components such as: parameters, authentication, forms, directories/files, headers, etc.

Exercise

Brute force web directories and files using DIRB.

Example:

dirb [HOST_ADDR] -r

These hidden directories can often be used to exploit the server if they are not well protected/secured.

wfuzz -w [WORDLIST] [WEBPAGE] is the basic command. I had used grep in order to filter the results to only the 200 responses meaning it was a successful connection.

๐Ÿ”
Shows the multiple hidden directories on this server
The WFUZZ in action