📂Directory Scanning
Gobuster Scan
#gobuster
Big List
gobuster dir -u http://192.168.120.14/cms/api -w /usr/share/wordlists/dirb/big.txt
gobuster dir -u http://192.168.120.13:81 -w /usr/share/wordlists/dirb/big.txt -x php
Exclude 403 and 404 status codes from the results
gobuster dir -u http://auto.lab.io -w /usr/share/wordlists/dirb/big.txt -b 403,404
Exclude responses with a body length of 4856 bytes (the "soft 404" page) and skip TLS certificate validation
gobuster dir -u https://lab:20000 -w /usr/share/wordlists/dirb/big.txt -k --exclude-length 4856
Megabeast List
gobuster dir -u http://192.168.10.14/ -w /usr/share/wfuzz/wordlist/general/megabeast.txt
Common List
gobuster dir -u http://auto.lab.io -w /usr/share/wordlists/dirb/common.txt -b 403,404
Wordlist for sensitive files such as .git and .env
gobuster dir -u http://192.168.7.10:8080/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt
Wordlist for Directories:
feroxbuster -u http://192.168.1.6/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
feroxbuster -u http://sub.domain.lab/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
A wordlist for common loose files such as README.md
feroxbuster -u http://192.168.12.46/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt
Exclude response codes
feroxbuster -u http://usage.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -C 503
With Authentication
with basic authentication
gobuster dir -u http://192.168.22.20 -w /usr/share/wordlists/dirb/big.txt -U user -P 'Password123!'
API Scan
Create a simple pattern file
echo {GOBUSTER}/v1 > pattern
echo {GOBUSTER}/v2 >> pattern
Look for other APIs with that pattern
gobuster dir -u http://192.168.23.150:8080/ -w /usr/share/wordlists/dirb/big.txt -p pattern
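The exclusion flags above (-b, --exclude-length) and the {GOBUSTER} pattern file are easier to reason about when modelled offline. The following is an added example, not part of the original notes or of gobuster itself: it expands a wordlist the way -x and -p do and prunes constructed responses the way -b and --exclude-length do. The request order and the handling of the raw word alongside its patterns are assumptions approximating gobuster, and the wordlist, pattern lines and responses are constructed.

```python
from dataclasses import dataclass

PLACEHOLDER = "{GOBUSTER}"  # token gobuster substitutes in each pattern line


def expand_wordlist(words, extensions=(), patterns=()):
    """Return the paths a dir scan would request for the given wordlist.

    Assumption (approximating gobuster): the raw word is requested first,
    then word.<ext> for every -x extension, then every -p pattern line with
    {GOBUSTER} replaced by the raw word.
    """
    paths = []
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):  # skip blanks and comments
            continue
        paths.append(word)
        paths.extend(f"{word}.{ext.lstrip('.')}" for ext in extensions)
        paths.extend(p.replace(PLACEHOLDER, word) for p in patterns)
    return paths


@dataclass
class Response:
    path: str
    status: int
    length: int  # body length in bytes, what --exclude-length compares against


def keep_hit(resp, blacklist=frozenset({404}), exclude_length=None):
    """Mirror -b <codes> and --exclude-length <n>: True if the result is shown."""
    if resp.status in blacklist:
        return False
    if exclude_length is not None and resp.length == exclude_length:
        return False
    return True


def filter_results(responses, blacklist=frozenset({404}), exclude_length=None):
    return [r.path for r in responses if keep_hit(r, blacklist, exclude_length)]


# Constructed wordlist and pattern file, mirroring the "API Scan" section.
WORDS = ["users", "# comment", "orders"]
PATTERNS = ["{GOBUSTER}/v1", "{GOBUSTER}/v2"]

# Constructed responses: a soft-404 page (200, 4856 bytes) answers every miss.
SAMPLE = [
    Response("users", 200, 4856), Response("users/v1", 200, 812),
    Response("users/v2", 403, 4856), Response("orders", 404, 0),
    Response("orders/v1", 200, 4856), Response("orders/v2", 301, 0),
]

if __name__ == "__main__":
    print(expand_wordlist(WORDS, extensions=["php"], patterns=PATTERNS))
    print(filter_results(SAMPLE, blacklist={403, 404}, exclude_length=4856))
```

Without --exclude-length the two soft-404 hits (users and orders/v1) would be reported as real findings, which is why the baseline length is worth measuring before a scan.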
Feroxbuster
#feroxbuster
Recursion into every directory it discovers is feroxbuster's default behaviour (turn it off with -n); redirects are not followed unless -r is given
feroxbuster -u http://192.168.120.143 -w /usr/share/wordlists/dirb/big.txt
With -r, feroxbuster follows redirects (for example a 301 to the same path with a trailing slash), so directories reached only via a redirect are brute-forced as well; -t 40 raises the thread count.
feroxbuster -u http://192.168.136.225:8090 -w /usr/share/wordlists/dirb/common.txt -r -t 40
With Authentication
feroxbuster -u http://192.168.22.20 -w /usr/share/wordlists/dirb/big.txt -H "Authorization: Basic $(echo -n 'User:Password123!' | base64)"
ffuf
#ffuf
Basic URL fuzzing
ffuf -u http://192.168.212.220/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt
Fuzzing over HTTPS with a self-signed or otherwise untrusted certificate needs no extra flag: ffuf does not verify TLS certificates (it has no -k option)
ffuf -u https://192.168.212.220/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt
Filter out 404 responses
ffuf -u http://192.168.212.220/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -fc 404
Enables recursive fuzzing up to 2 directory levels (-recursion requires the URL to end in FUZZ; note that -r on its own only follows redirects)
ffuf -u http://192.168.212.220/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -recursion -recursion-depth 2
With Authentication
#ffuf_authenticated
Adds an Authorization header to the requests.
ffuf -u http://192.168.212.220/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -H "Authorization: Bearer token"
Sends the cookie session=abc123 with each request
ffuf -u http://192.168.212.220/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -b "session=abc123"
Basic authentication with a pre-computed base64 value (this one encodes username:password)
ffuf -u http://192.168.212.220/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -H "Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ="
Or
ffuf -u http://192.168.212.220/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -H "Authorization: Basic $(echo -n 'username:password' | base64)"
POST data fuzzing: the FUZZ keyword goes in the body only, so the URL must be the fixed endpoint (/login here is a placeholder path); the backslash before & is not needed inside double quotes
ffuf -u http://192.168.212.220/login -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded"