DirBuster Vulnerability Scanner: The Basics
This course covers the basics of using DirBuster, the directory buster. Directory busting is done once you have scanned a host and found a web server on it: DirBuster will help you map out the application. Building a directory map of the target site is useful for finding as many potential points of entry as possible. This could be done manually, by going through the website and making a note of every page on the site, but that has a high error rate: directories could be noted down wrongly or missed altogether, and browsing can never find content that no page links to. DirBuster automates this process. It requests each name from a wordlist, records which ones the server answers for, and so builds a map of the site for you, including hidden directories and files.
In this video guide, we'll be covering the basics of directory busting with dirb. (DirBuster is the OWASP Java GUI tool; dirb is a separate command-line tool with the same purpose, and it is the one used in this demonstration.) dirb is typically used alongside a vulnerability scanner such as Nikto, once a target website has been identified, to map the application. Unlike a spider, which follows links from page to page, dirb brute-forces path names from a wordlist, so it also finds pages and directories that nothing links to. The result is a map of the application with all of its points of access (the video calls them gates). dirb automates this process and avoids having to manually go through an application or website to find these gates.
In this demonstration, we'll go through the basics of dirb in two steps:
Step 1: Launching a dirb scan. In this walkthrough, we'll be looking at a test environment with the IP address 10.1.1.102. To launch dirb, open the terminal and type dirb followed by the URL of the site you're going to scan, for example: dirb http://10.1.1.102/. dirb needs a full URL, including the http:// or https:// scheme, rather than a bare IP address; with no wordlist argument it uses its bundled default list. dirb will begin showing you results as it finds them, and it recurses into each directory it discovers.
Step 2: Understanding the results. dirb has now requested each name in its wordlist against the target, recursed into the directories it found, and reported a lot of files. The first thing of note is a .bash_history file. This is the shell history of the account whose home directory is being served as the web root, and it logs the commands that user has run. If we're able to read it, we may find usernames and passwords that were typed on the command line, allowing us to get past the site's authentication. We can also see, from the files and directories dirb finds, that the web app uses the Drupal content management framework, so we know it is written in PHP. Finally, dirb warns that some admin directories are listable, meaning we could open them in a regular browser and read everything they contain. Using the basics of dirb to map the web app has given us a lot of information about the target. We can use that information for further investigation, and then to exploit weaknesses in the web app. Bear in mind that every request dirb sends lands in the target's access log, so a scan of this kind is noisy and easy to detect.
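To make Steps 1 and 2 concrete, here is an added example (not part of the course, and not code from dirb itself) that runs over a constructed sample of dirb's console output and picks out the findings discussed above: the .bash_history file, framework fingerprints such as Drupal's CHANGELOG.txt, and directories dirb flagged as listable. The target URL 10.1.1.102 comes from the walkthrough; the sample output, the sensitive-file list and the fingerprint table are this example's own assumptions, and the sample approximates dirb's real line formats rather than being a captured scan.

```python
"""Parse and triage dirb output. Added example, not course material.

Assumptions: the target http://10.1.1.102/ from the walkthrough; a
constructed sample of dirb output (not a real scan) using dirb's line
formats: '+ <url> (CODE:<status>|SIZE:<bytes>)' for a hit,
'==> DIRECTORY: <url>' for a directory, and the
'(!) WARNING: Directory IS LISTABLE' notice that follows an
'---- Entering directory: <url> ----' header. The sensitive-file list
and framework fingerprints below are this example's own choices.
"""
import re
from dataclasses import dataclass, field

# Step 1: the command from the walkthrough. dirb needs a full URL, not a bare
# IP; with no wordlist given it uses its bundled default list. -o saves the
# console output to a file so it can be parsed later as done here.
DIRB_CMD = "dirb http://10.1.1.102/ -o dirb.txt"

# Constructed sample output (assumption: not captured from a real target).
SAMPLE_OUTPUT = """\
---- Scanning URL: http://10.1.1.102/ ----
==> DIRECTORY: http://10.1.1.102/admin/
==> DIRECTORY: http://10.1.1.102/sites/
+ http://10.1.1.102/.bash_history (CODE:200|SIZE:310)
+ http://10.1.1.102/CHANGELOG.txt (CODE:200|SIZE:95012)
+ http://10.1.1.102/index.php (CODE:200|SIZE:8123)
+ http://10.1.1.102/robots.txt (CODE:200|SIZE:1561)
+ http://10.1.1.102/user (CODE:403|SIZE:289)

---- Entering directory: http://10.1.1.102/admin/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.1.1.102/sites/ ----
+ http://10.1.1.102/sites/default (CODE:403|SIZE:289)
"""

FOUND_RE = re.compile(r"^\+ (\S+) \(CODE:(\d+)\|SIZE:(\d+)\)")
DIR_RE = re.compile(r"^==> DIRECTORY: (\S+)")
ENTER_RE = re.compile(r"^---- Entering directory: (\S+) ----")
LISTABLE_RE = re.compile(r"^\(!\) WARNING: Directory IS LISTABLE")

# Files that should never be reachable from a web root (example's own list).
SENSITIVE_FILES = {".bash_history", ".bashrc", ".git", ".env",
                   ".htpasswd", "id_rsa", "settings.php", "wp-config.php"}
# Files whose presence identifies a framework. Drupal 7 ships CHANGELOG.txt
# in the web root; WordPress ships wp-login.php.
FINGERPRINTS = {"CHANGELOG.txt": "Drupal (PHP)", "wp-login.php": "WordPress (PHP)"}


@dataclass
class Finding:
    url: str
    code: int
    size: int


@dataclass
class Triage:
    findings: list = field(default_factory=list)     # every '+' hit
    directories: list = field(default_factory=list)  # every '==> DIRECTORY'
    listable: list = field(default_factory=list)     # dirs dirb warned about
    sensitive: list = field(default_factory=list)    # 200 hits on SENSITIVE_FILES
    fingerprints: dict = field(default_factory=dict)  # url -> framework guess


def parse_dirb(output: str) -> Triage:
    """Walk dirb's console output line by line and classify what it found."""
    t = Triage()
    current_dir = None  # directory named by the last '---- Entering' header
    for raw in output.splitlines():
        line = raw.rstrip()
        if m := FOUND_RE.match(line):
            f = Finding(m.group(1), int(m.group(2)), int(m.group(3)))
            t.findings.append(f)
            name = f.url.rstrip("/").rsplit("/", 1)[-1]
            # Only a 200 means the file body is actually readable.
            if name in SENSITIVE_FILES and f.code == 200:
                t.sensitive.append(f.url)
            if name in FINGERPRINTS:
                t.fingerprints[f.url] = FINGERPRINTS[name]
        elif m := DIR_RE.match(line):
            t.directories.append(m.group(1))
        elif m := ENTER_RE.match(line):
            current_dir = m.group(1)
        elif LISTABLE_RE.match(line) and current_dir:
            # The warning carries no URL; it refers to the directory just entered.
            t.listable.append(current_dir)
    return t


def summarize(t: Triage) -> list:
    """Return the items worth a manual follow-up, one line each."""
    out = [f"readable sensitive file: {u}" for u in t.sensitive]
    out += [f"listable directory: {u}" for u in t.listable]
    out += [f"fingerprint: {u} -> {fw}" for u, fw in t.fingerprints.items()]
    return out


if __name__ == "__main__":
    print("#", DIRB_CMD)
    for item in summarize(parse_dirb(SAMPLE_OUTPUT)):
        print(item)
```

The triage keys on the HTTP status code as well as the file name: a 403 on .bash_history tells you the file exists but not that you can read it, so only 200 responses are reported as readable. When running against a real target, save dirb's output with -o and feed that file to parse_dirb instead of the constructed sample.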
In this video guide, we've covered how to launch a scan with dirb and seen some of the basic information it finds as a result.