
How to Search Sites for Interesting Directories and Files with Gobuster « Null Byte :: WonderHowTo



One of the first steps in attacking a web application is to enumerate hidden directories and files. This can often yield valuable information that makes it easier to execute a precise attack, leaving less room for error and wasted time. There are many tools available for this, but not all of them are created equal. Gobuster, a directory scanner written in Go, is definitely worth exploring.

Traditional directory brute-force scanners such as DirBuster and DIRB work well, but they can often be slow and error-prone. Gobuster is a Go implementation of these tools and is offered in a convenient command-line format.

The main advantage of Gobuster over other directory scanners is speed. As a programming language, Go is known to be fast. It also provides excellent support for parallelism, allowing Gobuster to use multiple threads for faster processing.

The only drawback to Gobuster, however, is the lack of a recursive directory lookup. For directories that are more than one level deep, unfortunately, another scan is required. Often, this is not a big deal, and other scanners may fill in the gaps for Gobuster in this area.

Gobuster provides a simple command-line interface that just works. There are some useful options, but not so many that it is easy to get lost in the details. All in all, it is a great tool that is effective and fast. In this tutorial, we will explore it with DVWA (Damn Vulnerable Web App) as the target and Kali Linux as the attacking machine. You can follow along with this or use a similar test setup.

Step 1: Install Gobuster

First, we can create a working directory to keep things clean and then change into it.

  ~# mkdir gobuster
  ~# cd gobuster/

Next we need to install Gobuster, as it is not included in Kali by default.

  ~/gobuster# apt-get install gobuster

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  gobuster
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/1,532 kB of archives.
After this operation, 4,963 kB of additional disk space will be used.
Selecting previously unselected package gobuster.
(Reading database ... 412624 files and directories currently installed.)
Preparing to unpack .../gobuster_2.0.1-1_amd64.deb ...
Unpacking gobuster (2.0.1-1) ...
Setting up gobuster (2.0.1-1) ...
Processing triggers for man-db (2.8.5-2) ...

Then simply enter gobuster into the terminal to run the tool.

  ~/gobuster# gobuster

2019/05/06 11:43:08 [!] 2 errors occurred:
    * WordList (-w): Must be specified (use `-w -` for stdin)
    * Url/Domain (-u): Must be specified

We can see that there are some errors. At least two parameters (-u for the URL and -w for the wordlist) are required for it to run properly. We can also display the help menu with the -h flag.

  ~/gobuster# gobuster -h

Usage of gobuster:
  -P string
        Password for Basic Auth (dir mode only)
  -U string
        Username for Basic Auth (dir mode only)
  -a string
        Set the User-Agent string (dir mode only)
  -c string
        Cookies to use for the requests (dir mode only)
  -cn
        Show CNAME records (dns mode only, cannot be used with '-i' option)
  -e    Expanded mode, print full URLs
  -f    Append a forward-slash to each directory request (dir mode only)
  -fw
        Force continued operation when wildcard found
  -i    Show IP addresses (dns mode only)
  -k    Skip SSL certificate verification
  -l    Include the length of the body in the output (dir mode only)
  -m string
        Directory/File mode (dir) or DNS mode (dns) (default "dir")
  -n    Don't print status codes
  -np
        Don't display progress
  -o string
        Output file to write results to (defaults to stdout)
  -p string
        Proxy to use for requests [http(s)://host:port] (dir mode only)
  -q    Don't print the banner and other noise
  -r    Follow redirects
  -s string
        Positive status codes (dir mode only) (default "200,204,301,302,307,403")
  -t int
        Number of concurrent threads (default 10)
  -to duration
        HTTP Timeout in seconds (dir mode only) (default 10s)
  -u string
        The target URL or Domain
  -v    Verbose output (errors)
  -w string
        Path to the wordlist
  -x string
        File extension(s) to search for (dir mode only)

Step 2: Install additional word lists

Wordlists on Kali are in the /usr/share/wordlists directory.

  ~/gobuster# ls /usr/share/wordlists/

dirb  dirbuster  dnsmap.txt  fasttrack.txt  fern-wifi  metasploit  nmap.lst  rockyou.txt.gz  sqlmap.txt  wfuzz

The dirb and dirbuster lists are fine, but there is another wordlist that I like for brute-forcing directories. On GitHub there is a collection of useful wordlists called SecLists.

The word list "common.txt" contains a good number of common directory names.

We can download the raw file with the utility wget into our current directory.

  ~/gobuster# wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/common.txt

--2019-05-06 11:46:40--  https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/common.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.148.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35744 (35K) [text/plain]
Saving to: 'common.txt'

common.txt 100%[======================================================================================================================>] 34.91 KB/s in 0.03s

2019-05-06 11:46:40 (1.24 MB/s) - 'common.txt' saved [35744/35744]

Alternatively, we can install the entire SecLists repository via the package manager.

  ~/gobuster# apt-get install seclists

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  seclists
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/221 MB of archives.
After this operation, 795 MB of additional disk space will be used.
Selecting previously unselected package seclists.
(Reading database ... 412629 files and directories currently installed.)
Preparing to unpack .../seclists_2019.1-0kali1_all.deb ...
Unpacking seclists (2019.1-0kali1) ...
Setting up seclists (2019.1-0kali1) ...

This will install all of SecLists in the /usr/share directory. It contains a ton of content, and if you're looking for a collection of wordlists, SecLists is probably the last one you'll ever need.

  /usr/share/seclists# ls

Discovery  Fuzzing  IOCs  Miscellaneous  Passwords  Pattern-Matching  Payloads  README.md  Usernames  Web-Shells

Step 3: Scan Directories and Files

Now that everything is set up and installed, we can use Gobuster. Let's do it with the default parameters on our target.

  ~/gobuster# gobuster -u http://10.10.0.50/dvwa/ -w common.txt

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.0.50/dvwa/
[+] Threads      : 10
[+] Wordlist     : common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/05/06 11:50:25 Starting gobuster
=====================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.hta (Status: 403)
/README (Status: 200)
/config (Status: 301)
/docs (Status: 301)
/about (Status: 302)
/external (Status: 301)
/favicon.ico (Status: 200)
/cmd (Status: 200)
/index (Status: 302)
/index.php (Status: 302)
/php.ini (Status: 200)
/instructions (Status: 302)
/logout (Status: 302)
/Robot (Status: 200)
/robots.txt (Status: 200)
/login (Status: 200)
/phpinfo (Status: 302)
/phpinfo.php (Status: 302)
/setup (Status: 200)
/security (Status: 302)
=====================================================
2019/05/06 11:50:38 Finished
=====================================================

We can see that it gives us some information about the tool in the banner and then starts the directory discovery process. It returns the names of the directories and files as well as their status codes.

We can return the length of the body with the -l flag, which may be useful for enumeration.

  ~/gobuster# gobuster -u http://10.10.0.50/dvwa/ -w common.txt -l

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.0.50/dvwa/
[+] Threads      : 10
[+] Wordlist     : common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Show length  : true
[+] Timeout      : 10s
=====================================================
2019/05/06 11:52:41 Starting gobuster
=====================================================
/.hta (Status: 403) [Size: 292]
/.htaccess (Status: 403) [Size: 297]
/.htpasswd (Status: 403) [Size: 297]
/README (Status: 200) [Size: 4934]
/config (Status: 301) [Size: 319]
/docs (Status: 301) [Size: 317]
/external (Status: 301) [Size: 321]
/favicon.ico (Status: 200) [Size: 1406]
2019/05/06 11:52:52 [!] Get http://10.10.0.50/dvwa/about: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/php.ini (Status: 200) [Size: 148]
2019/05/06 11:52:54 [!] Get http://10.10.0.50/dvwa/cmd: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/Robot (Status: 200) [Size: 26]
/robots.txt (Status: 200) [Size: 26]
2019/05/06 11:52:59 [!] Get http://10.10.0.50/dvwa/index: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
2019/05/06 11:52:59 [!] Get http://10.10.0.50/dvwa/index.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
2019/05/06 11:52:59 [!] Get http://10.10.0.50/dvwa/instructions: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
2019/05/06 11:53:00 [!] Get http://10.10.0.50/dvwa/login: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
2019/05/06 11:53:00 [!] Get http://10.10.0.50/dvwa/logout: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/phpinfo.php (Status: 302) [Size: 0]
/phpinfo (Status: 302) [Size: 0]
/security (Status: 302) [Size: 0]
/setup (Status: 200) [Size: 3549]
=====================================================
2019/05/06 11:53:01 Finished
=====================================================

If something is zero bytes, it's usually not even worth investigating. This can save a lot of time, especially when working through a large website or a large number of directories. To display only certain status codes, use the -s flag followed by the desired code.

  ~/gobuster# gobuster -u http://10.10.0.50/dvwa/ -w common.txt -s 200

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.0.50/dvwa/
[+] Threads      : 10
[+] Wordlist     : common.txt
[+] Status codes : 200
[+] Timeout      : 10s
=====================================================
2019/05/06 11:54:16 Starting gobuster
=====================================================
/README (Status: 200)
/favicon.ico (Status: 200)
/cmd (Status: 200)
/php.ini (Status: 200)
/login (Status: 200)
/Robot (Status: 200)
/robots.txt (Status: 200)
/setup (Status: 200)
=====================================================
2019/05/06 11:54:27 Finished
=====================================================

Use commas to specify multiple codes.

  ~/gobuster# gobuster -u http://10.10.0.50/dvwa/ -w common.txt -s 200,301

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.0.50/dvwa/
[+] Threads      : 10
[+] Wordlist     : common.txt
[+] Status codes : 200,301
[+] Timeout      : 10s
=====================================================
2019/05/06 11:54:58 Starting gobuster
=====================================================
/README (Status: 200)
/config (Status: 301)
/docs (Status: 301)
/external (Status: 301)
/favicon.ico (Status: 200)
/cmd (Status: 200)
/php.ini (Status: 200)
/login (Status: 200)
/Robot (Status: 200)
/robots.txt (Status: 200)
/setup (Status: 200)
=====================================================
2019/05/06 11:55:10 Finished
=====================================================

Let's say we just want a quick way to view the directories without the extra noise of the banner and status codes. Use the -q flag to hide the banner and the -n flag to remove the status codes.

  ~/gobuster# gobuster -u http://10.10.0.50/dvwa/ -w common.txt -q -n

/.hta
/.htpasswd
/.htaccess
/README
/config
/docs
/external
/favicon.ico
/about
/cmd
/php.ini
/index
/index.php
/instructions
/logout
/Robot
/robots.txt
/login
/phpinfo.php
/phpinfo
/setup
/security

Another useful feature is the ability to save the results to a file. Use the flag -o to specify the output file.

  ~/gobuster# gobuster -u http://10.10.0.50/dvwa/ -w common.txt -o results

Now the results are saved and can be viewed at a later time.

  ~/gobuster# cat results

/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/README (Status: 200)
/config (Status: 301)
/docs (Status: 301)
/external (Status: 301)
/favicon.ico (Status: 200)
/about (Status: 302)
/cmd (Status: 200)
/php.ini (Status: 200)
/instructions (Status: 302)
/index (Status: 302)
/logout (Status: 302)
/index.php (Status: 302)
/login (Status: 200)
/Robot (Status: 200)
/robots.txt (Status: 200)
/phpinfo (Status: 302)
/phpinfo.php (Status: 302)
/security (Status: 302)
/setup (Status: 200)
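
A saved results file lends itself to quick triage, in line with the earlier point about zero-byte responses. The script below is an added example, not part of the original article: it parses the Gobuster v2 result-line format and, as assumptions of this example, uses hypothetical function names, constructed sample lines and an illustrative name pattern to mark entries that answer 200 with config-like names as "review" so they can be restricted or removed.

```bash
#!/usr/bin/env bash
# Added example: triage a Gobuster v2 results file such as the one saved with -o.
# Handles "/path (Status: 200)" with an optional trailing "[Size: 1234]" (from -l).

# triage_results FILE -> "status<TAB>size<TAB>path<TAB>note", sorted by status, path.
# size is "-" when the scan ran without -l. Notes:
#   empty-body  zero-length response, usually a redirect with nothing behind it
#   review      answered 200 and the name suggests config or diagnostic content
triage_results() {
  awk '
    # Result lines start with "/"; banner, timestamp and [!] error lines do not.
    /^\// && match($0, /\([Ss]tatus: [0-9]+\)/) {
      status = substr($0, RSTART + 9, RLENGTH - 10)
      path = substr($0, 1, RSTART - 1)
      sub(/[ \t]+$/, "", path)
      size = "-"
      if (match($0, /\[[Ss]ize: [0-9]+\]/))
        size = substr($0, RSTART + 7, RLENGTH - 8)
      note = "ok"
      if (size == "0")
        note = "empty-body"
      else if (status == "200" && path ~ /^\/\.ht|\.ini$|phpinfo|config|setup/)
        note = "review"
      printf "%s\t%s\t%s\t%s\n", status, size, path, note
    }' "$1" | LC_ALL=C sort -t "$(printf '\t')" -k1,1n -k3,3
}

# Constructed sample, modelled on the -l scan output shown earlier.
sample_results() {
  cat <<'EOF'
=====================================================
2019/05/06 11:52:41 Starting gobuster
=====================================================
/.htpasswd (Status: 403) [Size: 297]
/README (Status: 200) [Size: 4934]
/config (Status: 301) [Size: 319]
2019/05/06 11:52:52 [!] Get http://10.10.0.50/dvwa/about: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/php.ini (Status: 200) [Size: 148]
/phpinfo.php (Status: 302) [Size: 0]
/setup (Status: 200) [Size: 3549]
EOF
}

# Demo run: triage the sample and print the table.
demo_file=$(mktemp)
sample_results > "$demo_file"
triage_results "$demo_file"
rm -f "$demo_file"
```

Against a real scan, pass the file written by -o, for example `triage_results results`.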

Summary

In this tutorial, we learned about Gobuster, a directory brute-force scanner written in the Go programming language. First, we learned how to install the tool and some useful wordlists that are not included in Kali by default. Next, we ran it against our target and examined some of the different options it comes with. Bottom line: Gobuster is a fast and powerful directory scanner that should be an integral part of any hacker's repertoire, and now you know how to use it. Come on!


Cover image by Pixabay/Pexels; screenshots by drd_/Null Byte
