dirbuster Lab

Description
[toggle_content title="Transcript"] Hi, Leo Dregier here. I want to talk about a tool that I use when I do web application pen testing that I actually run on the Kali operating system, called directory buster. It comes out of an OWASP project and it is a pretty good tool. It is really straightforward and really easy to use. You can find the tool by going to the Kali Linux menu, going over to web applications and poking around in here, and one place to find it is the web crawlers section, and you can see directory buster right there. So once you open up the OWASP project you basically go right to the target URL and go ahead and put in the target. We are going to use http://www.linuxwarrior.com and you can add :80 or not. It will work just fine without it, but just make sure that you actually incorporate the http in there as well or else I will tell you to put it in. You can use just GET requests or switch between header and GET requests, and you can throttle the number of threads. Ten is relatively slow, so I recommend going a little bit faster since I only control this server, and you should be testing this out on servers that you own and control. You can go much, much faster, but clearly if you have an intrusion detection system on the system and you are doing 200/400 threads a minute, it will get really, really, really aggressive really, really quick. Next you can go to scanning type and you have list based force or pure brute force. Be pure then all of the - great alp or you can go to list based brute force, and before we do this I want to kind of have exactly this is working. You can go into list information here and this tells you the default lists that are included within your buster application, and so one easy way to find these is basically just to search for these different lists in here, and so one way I would like to do this is to actually just search for a directory list. 
So to prove something real quick, let us do locate space directory-list and this will prove that there are a whole bunch of directory lists which you can choose from. Otherwise what I recommend is just highlighting this, doing it with Ctrl+C, copy it, close out and then pasting that in your list type, or you can specifically browse for them if you want to. But again you live where exactly in your hard drive these are well then that is where you do the locate command. Now to find it for you - you can brute force directories. You can brute force files, you can give a cursor or not. You can start at a particular directory if you know which one you are working with, and you can choose specific backend database system applications like PHP or ASP, ASPX and things like that, and then basically set it and then forget it. Go ahead and kick on start and it looks we do tear a little bit so I can open the file with directory list in here and basically the quick reason why is, let us do locate directory list and let us go and find it exactly where they are, and you can see that they are in user shared. They are directory buster so actually in word list and then put that in. Otherwise what you can do is just browse through it if you really want to take the easy way out. This is a user in this version of caveats in user share - if you hit D here it will take your directory to the D and then you go find directory buster not too far behind. So here we go, directory buster, click on icons not on names, go to your word list and then go ahead and take it up. Since this is a UNIX system well then I am actually testing and I already know that. I am just going to go with lower case and we are just going to small - I am really arbitrarily picking anything right now just to prove that this works, and what I am proving here is they will actually give you the full path - I could have just pasted this in here. 
If I wanted to but otherwise I would browse through it and you can get to right length. Most people give up right here when they don't know where to find a word list. But that is - you should not stop just there because you can't find something; you have to learn how to find it. So like I said I showed you that with the locate command - locate directory-list and that will tell you user shared etc. Then go ahead and kick start and now let us set it and forget it. This is where you go get a cup of coffee, you take a break and you come back a couple of hours later here, because it will take some time to finish and I am already pulling directories from here. So I found index.php, wp_content, I found the mailman piper mailed or press includes, this is a WordPress site, and the cgi bin, there could be variance there, and more importantly it also tells you the response here and these responses are pretty important. Because like a great example here is index.php, this is - we have got a bunch of pop ups here. So let us go back, so we got the response here - so these 301s are redirects, where there are 403s it is going to be like permission denied. So each one of these actually means something and you could easily Google these in terms of what is a 404 error. I guess just for posterity let us do that real quick, so I will go there, go to Google and do a what is a 403 error and then it will tell you 403 forbidden error in HTTP status code. Which means that access to the page or resource is forbidden, in long and short here, because the permissions on the file or directory do not allow you to do it. If you didn't know what 301 is you could go right back, switch 403 to 301 and basically move permanently - etc. So that is how you research those and get familiar with those, and it will tell you the size of the file as well. So it tells you some basic stuff – I found 18 files or 10 directories, 400 some odd files, it tells you that type right here. 
If you want the sword – directory or file types it will actually tell you - also you can see something like index.php is there. So if you wanted to try SQL injections from there you could do an index.php?ID=1 and try poking, prodding or other site that way. I wanted to go to WordPress content post. I could try going after the back end architect for the php right there, and it is telling you the speed down here, the parked queue, the total request and generally the time that it is actually going to finish the take and as you can see. Gaining a lot here, this is going to run for some time. So I am going to wait for this program to run just because literally this video might be a couple of hours long. See the compulsory program run the program again - look at it. You can do preview, I kind of liked this a little bit better because of the hierarchical nature of the directory structure. So you can see something like students or academics or even if you found something like log in, username. Certain things are going to pop out of the rule a little bit more than others. So you can become familiar with what is popular and what is not. Also you can go to errors. So you can get an idea of how this thing is actually being threaded as it goes through, so a lot of timeouts here, lot of timeouts here, and that is mostly because of how it is trying things in the word lists and guessing things. You can pay attention to errors - I have got 430 in just a couple of minutes here. That is trying to go sky rocket. Especially if you are doing something like brute force, by definition you are just trying all possible combinations to get somewhere. So I expect to have basically 99.99% errors and then one match - errors are good in that sense. Just let them run, then at the very end you can stop at the letter run etc and then you can go back to the scan information over here. You can see if you want to pick it up from a particular directory or not. 
So it will tell you the percent complete etc. So this is a great way to kind of learn about the destination target that you have and really kind of take your intimacy with the web applications to the next level. Just like anything there may very well be false positives here and you would want to quantify that. But I will tell you, if you really want to learn directory structures there is no better way than to use a directory brute forcing tool like "directory buster". Because there is only 59 million possible combinations that this is going to try in. How many do you have to learn before you get the idea? And then at the very, very end once the tall word in theory complete running then you can get a report here. You can get a text based report, you can save it with the XML, comma separated value, or choose the location that you want to save the report to and then of course. So if we do something like desktop and then generate your report. It will go ahead and save that report there and then you can get an idea of what is in it. So here is your full text, you have sample lists, XML and comma separated value, and that is really it. That is by far the easiest way to start learning how these directories are built on the different types of systems, and the more you do this the more experience you would get with what looks normal and you know what becomes an anomaly, and the more anomalies you see the more things start popping out at you. So literally time on the console here is highly. Hope you enjoyed the video, don't forget to check us out on Facebook, LinkedIn, YouTube & Twitter. [/toggle_content]

The first simulation lab in the Hacking Web Server module introduces you to DirBuster. DirBuster is an excellent tool for web application testing that targets HTTP directories. It runs on the Kali Linux system.
In this lab, you’ll learn the mechanics behind targeted brute-force application testing, how to choose between GET and HEAD requests, and observe a demonstration of why you must include “http” in the target URL when you set up the scan as part of this penetration testing task. You’ll also learn target sources for controlled brute-force testing, and how to locate the specific file or directory path target.
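
Seen from the server side, the scan described in the transcript stands out: one client asks for many distinct paths in a short time and nearly every answer is a 404. The Python below is an added example, not part of the lab or of DirBuster, that flags such clients in an access log and lists the non-404 paths they received. The Combined Log Format input, the sample log lines, the addresses and the thresholds are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time zone] "METHOD path proto" status size
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
EPOCH = datetime(1970, 1, 1)

def make_sample():
    """Constructed log: one client guessing paths, one ordinary visitor."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    fmt = '{ip} - - [{ts} +0000] "{m} {p} HTTP/1.1" {s} 0'
    def stamp(i):  # one request every 200 ms
        return (base + timedelta(milliseconds=200 * i)).strftime("%d/%b/%Y:%H:%M:%S")
    found = {"/wp-content/": 301, "/cgi-bin/": 403, "/index.php": 200}
    guesses = ["/guess%03d/" % i for i in range(120)] + list(found)
    lines = [fmt.format(ip="203.0.113.7", ts=stamp(i), m="HEAD", p=p, s=found.get(p, 404))
             for i, p in enumerate(guesses)]
    lines += [fmt.format(ip="198.51.100.4", ts=stamp(i * 50), m="GET", p=p, s=200)
              for i, p in enumerate(["/", "/index.php", "/wp-content/style.css"])]
    return lines

def detect_enumeration(lines, window_s=60, min_paths=50, miss_ratio=0.9):
    """Flag clients requesting many distinct paths in one fixed window, nearly all 404."""
    buckets = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, _method, path, status = m.groups()
        t = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
        window = int((t - EPOCH).total_seconds()) // window_s
        buckets[(ip, window)].append((path, int(status)))
    alerts = []
    for (ip, _win), reqs in sorted(buckets.items()):
        paths = {p for p, _ in reqs}
        misses = sum(1 for _, s in reqs if s == 404)
        if len(paths) >= min_paths and misses / len(reqs) >= miss_ratio:
            # Non-404 answers are what the scanner learned; review these first.
            exposed = sorted({(p, s) for p, s in reqs if s != 404})
            alerts.append({"ip": ip, "requests": len(reqs), "misses": misses, "exposed": exposed})
    return alerts

if __name__ == "__main__":
    for alert in detect_enumeration(make_sample()):
        print(alert)
```

The `exposed` list is the part to act on: redirects (301) and forbidden responses (403) confirm that a path exists even though its content was not served.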