If you’ve used OWASP’s DirBuster, you know it’s a great directory buster. Its speed and reliability make it one of the best directory busters currently available. However, it has one big limitation: it can only scan one target at a time.
This is fine if you’re only attacking one target, but if you are attacking an entire network, then directory busting becomes a very manual process with a lot of downtime between scans. AutoDirbuster attempts to automate that process and eliminate downtime between scans.
AutoDirbuster is essentially a Python wrapper for launching DirBuster. The user provides a list of targets, denoted as “IP:port” and AutoDirbuster automatically launches DirBuster for each target. However, AutoDirbuster does additional checks to ensure that the proper target is passed to DirBuster.
The workflow is as follows:
A list of targets is provided
A TCP connect scan is done on the target port to test if it’s open
If it’s open, HTTP and HTTPS requests are sent to determine if the service is HTTP-based and whether it requires TLS
If the service is HTTP, a check is done to determine if a previous report file is in the same directory
Dirbuster is run using Python’s subprocess.Popen(). If a timeout is specified, then after the timeout period, a SIGINT signal is sent to Dirbuster so it can safely shut down and write results to disk. A note is added to the report indicating that the scan timed out.
The next IP:port goes through the same process (TCP connect, HTTP service query, dirbust)
What’s really useful about this workflow is that a target with a closed port or non-HTTP based services running can still be provided to AutoDirbuster. The advantage of this is that Nmap scan results can be directly provided to AutoDirbuster. In fact, there’s an option just for that: provide an Nmap Gnmap results file as a list of targets.
The installation process is straightforward:
Clone the repository with git
Navigate to the repository on your machine and install dependencies
Run AutoDirbuster. If you see the usage output, the installation was a success and you’re ready to use AutoDirbuster.
Copy and paste the commands below to install AutoDirbuster:
As the pentest progresses, periodically review the dirbust results using the included DirBuster pretty printing script dirbust_read.py, which will ignore all DirBuster error lines and only print the found directories and files
Directory busting is an important part of a penetration test but can be a painful manual process on its own. Using AutoDirbuster makes directory busting painless, efficient, and very fast. Give it a shot and see if you find it useful.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
YouTube session cookie.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Discover why security operations teams choose NetSPI.