The Hacker Recipes
GitHubTwitterExegolTools
Search…
Introduction
Active Directory
Reconnaissance
Movement
Persistence
Web services
Reconnaissance
HTTP response headers
Comments and metadata
Error messages
Site crawling
Directory fuzzing
Subdomains enumeration
Virtual host fuzzing
Web Application Firewall (WAF)
Content Management System (CMS)
Other technologies
Known vulnerabilities
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ mobile apps
Android
iOS
Powered By GitBook
Directory fuzzing

Theory

While Crawling allows testers to build the indexed architecture of website, this technique can't find directories and files that are not referenced. Directory fuzzing (a.k.a. directory bruteforcing) is a technique that can find some of those "hidden" paths. Dictionaries of common paths are used to request the web app for each path until exhaustion of the list. This technique relies on the attacker using a dictionnary/wordlist. A request is made for every line of the wordlist to differentiate pages that exist and pages that don't

Practice

Fuzzing tools

Tools like dirb (C), dirbuster (Java), gobuster (Go), wfuzz (Python), ffuf (Go) and feroxbuster (Rust) can do directory fuzzing/bruteforcing. Burp Suite can do it too. Depending on the web application, one will be better suited than another and additional options will be needed.
1
gobuster dir --useragent "PENTEST" --wordlist "/path/to/wordlist.txt" --url $URL
Copied!
1
wfuzz --hc 404,403 -H "User-Agent: PENTEST" -c -z file,"/path/to/wordlist.txt" $URL/FUZZ
Copied!
ffuf (Go) and feroxbuster (Rust) are two awesome alternatives that can do recursive fuzzing unlike gobuster (Go) and wfuzz (Python) mentioned above.
1
ffuf -H "User-Agent: PENTEST" -c -w "/path/to/wordlist.txt" -maxtime-job 60 -recursion -recursion-depth 2 -u $URL/FUZZ
Copied!
1
feroxbuster -H "User-Agent: PENTEST" -w "/path/to/wordlist.txt" -u http://192.168.10.10/
Copied!
Directory fuzzing needs to be slowed down when testing production instances as it could lead to an unintended denial of service, especially when using feroxbuster, a tool known for it's high speed.

Wordlists

In order to fuzz more accurately, there are many dictionaries adapted for many situations, most of which can be downloaded from SecLists. SecLists can be installed (apt install seclists or downloaded directly from the GitHub repo).
The ultimate combo is ffuf + fzf + seclists.
In the following command, fzf is used to print a file fuzzer prompt allowing the user to quickly choose the perfect wordlist for content discovery.
1
feroxbuster -H "User-Agent: PENTEST" -w `fzf-wordlists` -u http://192.168.10.10/
Copied!
In this case, fzf-wordlists is an alias to the following command using fzf and find to fuzz wordlists from specific directories.
1
find /usr/share/seclists /usr/share/wordlists /usr/share/dirbuster /usr/share/wfuzz /usr/share/dirb -type f | fzf
Copied!
Previous
Site crawling
Next
Subdomains enumeration
Last modified 5mo ago
Copy link
Contents
Theory
Practice
Fuzzing tools
Wordlists