Brute-force directory and file names on web applications

OWASP DirBuster is a multi-threaded Java application designed to brute-force directory and file names on web application servers. It attempts to find hidden pages and directories within a web application. It comes with a total of 9 different lists and is extremely effective at finding hidden files and directories. It also has the option to perform a pure brute force.

The following lists are included with DirBuster:

  • directory-list-2.3-small.txt – (87650 words) – Directories/files that were found on at least 3 different hosts
  • directory-list-2.3-medium.txt – (220546 words) – Directories/files that were found on at least 2 different hosts
  • directory-list-2.3-big.txt – (1273819 words) – All directories/files that were found
  • directory-list-lowercase-2.3-small.txt – (81629 words) – Case-insensitive version of directory-list-2.3-small.txt
  • directory-list-lowercase-2.3-medium.txt – (207629 words) – Case-insensitive version of directory-list-2.3-medium.txt
  • directory-list-lowercase-2.3-big.txt – (1185240 words) – Case-insensitive version of directory-list-2.3-big.txt
  • directory-list-1.0.txt – (141694 words) – Original unordered list
  • apache-user-enum-1.0.txt – (8916 usernames) – Used for guessing system users on Apache with the userdir module enabled, based on a username list I had lying around (unordered)
  • apache-user-enum-2.0.txt – (10341 usernames) – Used for guessing system users on Apache with the userdir module enabled, based on ~XXXXX found during list generation (ordered)
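
Wordlist-driven guessing of this kind leaves a recognisable trace in web server access logs: one client requesting many distinct paths that mostly do not exist, sometimes including `/~name` requests like those in the apache-user-enum lists. The following is an added example, not part of the original page or the DirBuster project, showing one way to flag that pattern; the function name, thresholds and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined/common log format: client, two ids, [time], "METHOD path proto", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
USERDIR_RE = re.compile(r"^/~[^/]+")  # /~name requests, as in the apache-user-enum lists

def find_enumeration(log_text, min_misses=5, min_miss_ratio=0.8):
    """Flag clients whose requests are mostly 404s spread over many distinct paths.

    Both thresholds are assumed starting values; tune them to the site's traffic.
    """
    total = defaultdict(int)
    miss_hits = defaultdict(int)
    miss_paths = defaultdict(set)
    userdir = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m.group(1), m.group(2).split("?", 1)[0], m.group(3)
        total[ip] += 1
        if USERDIR_RE.match(path):
            userdir[ip].add(path)
        if status == "404":
            miss_hits[ip] += 1
            miss_paths[ip].add(path)
    flagged = {}
    for ip, paths in miss_paths.items():
        ratio = miss_hits[ip] / total[ip]
        if len(paths) >= min_misses and ratio >= min_miss_ratio:
            flagged[ip] = {"distinct_misses": len(paths),
                           "miss_ratio": round(ratio, 2),
                           "userdir_probes": len(userdir[ip])}
    return flagged

def _line(ip, path, status):
    return f'{ip} - - [10/Oct/2023:13:55:01 +0000] "GET {path} HTTP/1.1" {status} 196 "-" "-"'

# Constructed sample log: one client guessing names, one ordinary visitor.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", p, 404)
     for p in ("/admin/", "/backup/", "/test/", "/old/", "/~root/", "/~alice/")]
    + [_line("203.0.113.7", "/images/", 200)]
    + [_line("198.51.100.20", p, 200) for p in ("/", "/index.html", "/css/site.css")]
    + [_line("198.51.100.20", "/favicon.ico", 404)]
)

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

The ratio check keeps an ordinary visitor with a single missing favicon from being flagged, while the distinct-path count separates name guessing from a client retrying one broken link.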

DirBuster Home page

Download DirBuster

 
