In this video guide, we’ll be covering the basics of Durbet Directory Buster, also known as DirBuster, or Dirb. DirBuster is used after a site has been scanned to find any potential vulnerabilities, with an application like Nikto, to Spider the target website. Spidering is used to go through all of the pages associated to a website, and create a map of the application, with all of the points of access, known as gates. Dirbuster automates this process and avoids having to manually go through an application or website to find these gates.

In this demonstration, we’ll go through the basics of Dirbuster in 2 steps:

Step 1: Launching a DirBuster Spider In this walkthrough, we’ll be looking at a test environment with the IP Address 10.1.1.102. To launch Dirb, open the terminal, and type in Dirb, and the IP Address of the site you’re going to spider. Dirb will begin showing you information as it finds it.

Step 2: Understanding the Spider Dirbuster has now gone through the IP address assessed each page associated with it and has found a lot of files. The first thing of note is a dot Bash history file. A Bash history file keeps a log of all of the executed commands written on the web user account. If we’re able to read the Bash history file, we may be able to find the usernames and passwords, allowing us to get past the site's security. We can see that the webapp uses the Drupal content management framework, so we know that the webapp is written using PHP. We can also see the admin directories that are listable, meaning that we could go to that part of the web app on a regular browser and find all the information we need. Using the basics of Dirb to spider the webapp has allowed us to find a lot of information about the webapp we’re probing. We can use the information to do further investigation, which we can then use to exploit weaknesses in the webapp.

In this video guide, we’ve covered how to launch a spider within Dirb and seen some of the basic information that Dirb finds as a result of its spidering.