DIRB Domain Brute-forcing Tool Kali-Linux 2.0

Follow by Email
Facebook0
Facebook
Google+
https://codingsec.net/2016/05/dirb-domain-brute-forcing-tool-kali-linux-2-0/

Today we will learn how to Enumerate a directory or object of a website or server. It might be an admin panel or a subdirectory that is vulnerable to attack. The key is to find these objects, as they may be hidden. This tool is  available in Kali LInux, that is DIRB. DIRB is a command line based tool to bruteforce any directory based on a wordlists. DIRB will makes an HTTP request and see the HTTP respond code of each request.

Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you

DIRB, developed by The Dark Raver, is a tool designed to find these objects, hidden and unhidden. Since it is already included into Kali, there is no need to download and install anything. DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response. DIRB comes with a set of preconfigured attack wordlists for easy usage but you can use your custom wordlists. Also DIRB sometimes can be used as a classic CGI scanner, but remember is a content scanner not a vulnerability scanner.

DIRB main purpose is to help in professional web application auditing. Specially in security related testing. It covers some holes not covered by classic web vulnerability scanners. DIRB looks for specific web objects that other generic CGI scanners can’t look for. It doesn’t search vulnerabilities nor does it look for web contents that can be vulnerables.

DIRB also comes with GUI version that you can find in:

Kali Rolling Appplication Menu > 03 – Web Application Analysis > Web crawlers & directory bruteforce > dirbuster
dr1
notice that DIRB is a CLI version and DIRBUSTER is a GUI version. But, here we will use the CLI version.

DOWNLOAD DIRB And DIRBUSTER

Donwload Dirb via Github : https://github.com/seifreed/dirb
Download Dirb via Sourceforge : https://sourceforge.net/projects/dirb/
Download Dirbuster : https://sourceforge.net/projects/dirbuster/

DIRB TUTORIAL With Kali Linux

Step 1 : Open Terminal

This is the very first important step of doing every activity with linux. Dont bother it, just open and move to next step. :D

Step 2: 

Now type “dirb” in terminal. If you first time to see DIRB, you might to look and read the available options and guide to start use DIRB.

dr2
dr3
DIRB Options

dr4

Step 3: Know Your Target !!!

Let say, we have a target target.com, then we need to set the specific exploit to target. To do that first you need to know the target. We need help from another tool, “whatweb”. Whatweb will tell us what our target is; like IP, server fingerprinting, etc. Now, type:

http://target.com

dr5

As you can see above, the target responded a code 301, that mean it has redirected to another website (wordpress.target.com) and it has an Apache and WordPress. Nice.. We now know what is our target is.

Step 4: Dirb Wordlists Directory 

DIRB also has a built in wordlists directory, it is located in /usr/share/dirb/wordlists

$ cd /usr/share/dirb/wordlists/
$ ls -l

dr6

Notice that our target running Apache inside. So, we will use apache.txt wordlists to bruteforce the target.

Step 5: Bruteforce The Target Using DIRB

Now, in the terminal type:

$ dirb [Target URL] [Wordlists Path]
$ dirb wordpress.target.com /usr/share/dirb/wordlists/vulns/apache.txt

dr7

Now the result is coming. Our target has a forbidden access (403) directory. that is test-cgi. This common directory on Apache is vulnerable to Shellshock exploit.

That is a tutorial How to use DIRB directory enumeration in Kali Linux. The next step is determine the proper exploit or attack to each Directory or files you found.

DIRBUSTER TUTORIAL With Kali Linux

Step 1 : Open Dirbuster

To open up Dirbuster, you can either reach it from Kali Linux Application Menu I’ve mentioned above or just simply call it from Terminal.

$ dirbuster

dr8

Step 2 : Dirbuster Wordlists

Dirbuster wordlists are located in /usr/share/dirbuster/wordlists

dr9

Step 3 : Configrue Bruteforce Settung in Dirbuster

  • Input Target URL in the Target URL Form. Specify whether using http or https.

 

  • Input Dirbuster Wordlists directory path file. To see the description of each Dirbuster Wordlists, click on “List Info” button. Then click “Browse” to Dirbuster Wordlists directory path, or just enter it manually. Here i used /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

dr10

Press start to launch bruteforce. Then wait until it finished.

dr11

Once you find a hidden files or directories, then identify what are those. If you are lucky you might found an admin backdoor to access admin panel configuration. Dirb Vs Dirbuster; you can use wheter Dirb CLI or Dirbuster GUI.

 

 

 

Follow by Email
Facebook0
Facebook
Google+
https://codingsec.net/2016/05/dirb-domain-brute-forcing-tool-kali-linux-2-0/

Like the article? please consider sharing it. Thank you

Advertisment ad adsense adlogger