What is Directory Bruteforcing?
Directory bruteforcing is the technique of systematically probing a web server for hidden or unlinked directories and files. This is often used in the reconnaissance or vulnerability discovery phases of penetration testing to reveal administrative panels, backups, login pages, APIs, or configuration files not meant to be public.
Why is it Important?
- Uncovers sensitive files (e.g., .git, backup.zip, admin.php)
- Reveals misconfigurations like directory listing enabled
- Helps map the application surface area for further exploitation
Popular Tools
- Gobuster - Written in Go, fast and efficient for web directory fuzzing
- Dirsearch - Python-based tool with built-in recursive scanning
- FFUF (Fuzz Faster U Fool) - Extremely fast fuzzing with flexible options
- Burp Suite - Professional version includes an Intruder tool for fuzzing paths
Step-by-Step Guide
Step 1: Choose Your Wordlist
Select an appropriate wordlist depending on the target and your goals.
- DirBuster lists, e.g. /usr/share/wordlists/dirbuster/
- SecLists (Community curated)
Step 2: Run Gobuster (Basic)
gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Step 3: Customize with Extensions
gobuster dir -u https://target.com -w wordlist.txt -x php,txt,html
This tells Gobuster to try each word with the .php, .txt and .html extensions in addition to the bare directory or file name.
Step 4: Enable Recursive Bruteforce (Dirsearch)
python3 dirsearch.py -u https://target.com -e php,html -r
Dirsearch supports recursion into discovered directories automatically using -r.
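To make the mechanics behind Steps 2 to 4 concrete, here is an added example (not code from Gobuster or Dirsearch) that reproduces what those tools do: expand a wordlist with extensions (the -x behaviour), probe each candidate, and recurse into directories that respond (the -r behaviour). It runs offline against a constructed in-memory site (FAKE_SITE) instead of a real server; the function names and the depth limit are assumptions made for the example.

```python
from collections import deque
from typing import Callable, Dict, List

# Constructed in-memory "site": path -> HTTP status. It stands in for a web server so the
# example runs offline; it is not a real target. Anything not listed answers 404.
FAKE_SITE: Dict[str, int] = {
    "/admin/": 200,
    "/admin/login.php": 200,
    "/admin/backup.zip": 403,
    "/index.html": 200,
    "/robots.txt": 200,
    "/uploads/": 301,
    "/uploads/images/": 200,
}

# A tiny constructed wordlist; a real run would use a DirBuster or SecLists file.
WORDLIST: List[str] = ["admin", "backup", "images", "index", "login", "robots", "uploads"]
EXTENSIONS: List[str] = ["php", "html", "txt", "zip"]


def expand_candidates(words: List[str], extensions: List[str]) -> List[str]:
    """Mirror the -x option: each word is tried as a directory ("word/")
    and as a file with every extension ("word.ext")."""
    out = []
    for w in words:
        out.append(w + "/")
        for ext in extensions:
            out.append(f"{w}.{ext}")
    return out


def fake_request(path: str) -> int:
    """Stand-in for an HTTP GET: returns the status the constructed site would send."""
    return FAKE_SITE.get(path, 404)


def enumerate_paths(
    base: str,
    words: List[str],
    extensions: List[str],
    request: Callable[[str], int] = fake_request,
    recurse: bool = True,
    max_depth: int = 3,
) -> Dict[str, int]:
    """Probe base + candidate for every candidate. Any response other than 404 is
    recorded. When recurse is set (the -r behaviour), a responding directory is
    queued and enumerated in turn, bounded by max_depth so a site that answers
    200 for everything cannot send the scan into unbounded recursion."""
    found: Dict[str, int] = {}
    queue = deque([(base, 0)])
    seen = set()
    while queue:
        prefix, depth = queue.popleft()
        if prefix in seen:
            continue
        seen.add(prefix)
        for cand in expand_candidates(words, extensions):
            path = prefix + cand
            status = request(path)
            if status == 404:
                continue
            found[path] = status
            if recurse and cand.endswith("/") and depth + 1 < max_depth:
                queue.append((path, depth + 1))
    return found


if __name__ == "__main__":
    for path, status in sorted(enumerate_paths("/", WORDLIST, EXTENSIONS).items()):
        print(f"Found: {path} (Status: {status})")
```

Seven candidates per word are generated here (one directory form plus four extensions), which is why extension lists multiply request volume and why the thread count and wordlist size matter in practice. The non-recursive run stops at the four root-level hits; the recursive run follows /admin/ and /uploads/ and finds the three nested paths as well.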
Real-World Use Case
During a test on https://example.org, a hidden path /admin_old/ was discovered using Gobuster:
Found: https://example.org/admin_old/ (Status: 200)
Visiting the directory revealed an outdated admin panel with no authentication, leading to full control over the web app.
Pro Tips & Best Practices
- Always respect rate limits - use the -t option in tools to adjust the thread count
- Start with smaller wordlists to find low-hanging fruit quickly
- Don't ignore 403 or 401 responses - they often indicate something valuable
- Use User-Agent spoofing or proxy tools like Burp Suite when needed
HTTP Response Codes to Watch
- 200 OK: Valid path or file
- 301/302: Redirect - often used on login portals
- 403 Forbidden: Exists, but access is denied (interesting!)
- 404 Not Found: Does not exist
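The same status codes are what a defender sees on the other side. As an added example (not part of the original page), the script below parses web server access log lines in the common "combined" format and flags a client that produces a burst of 404/403/401 responses to many distinct paths inside a short window, which is the signature a wordlist sweep leaves behind. The log lines are constructed for the example, and the thresholds (window length, minimum misses, miss ratio) are assumptions to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Apache/Nginx "combined" log format; the regex pulls out only what the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not from any real server): one client sweeping paths from a
# wordlist, one client browsing normally and hitting a single missing favicon.
SAMPLE_LOG: List[str] = """
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /admin.php HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /backup.zip HTTP/1.1" 403 199 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /.git/ HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /login.html HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /config.txt HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /old/ HTTP/1.1" 200 512 "-" "gobuster/3.6"
198.51.100.20 - - [10/Mar/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:12:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:12:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
""".strip().splitlines()

# Responses that a path-guessing client produces in bulk. 403/401 are included because,
# as the page notes, "exists but denied" is exactly what a sweep is looking for.
MISS_STATUSES = {404, 403, 401}


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def detect_bruteforce(lines: List[str], window_s: int = 60,
                      min_misses: int = 5, min_ratio: float = 0.7) -> Dict[str, dict]:
    """Flag client IPs for which some sliding window of window_s seconds contains at
    least min_misses miss responses that make up at least min_ratio of the requests.
    Returns ip -> stats of the window that tripped the rule."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        window: deque = deque()
        misses = 0
        for ev in evs:
            window.append(ev)
            if ev["status"] in MISS_STATUSES:
                misses += 1
            # Drop events that fell out of the window.
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_s:
                old = window.popleft()
                if old["status"] in MISS_STATUSES:
                    misses -= 1
            if misses >= min_misses and misses / len(window) >= min_ratio:
                flagged[ip] = {
                    "misses": misses,
                    "requests": len(window),
                    "distinct_paths": len({e["path"] for e in window}),
                    "user_agents": sorted({e["ua"] for e in window}),
                }
                break  # one tripped window is enough to flag this client
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, stats)
```

The rule keys on the ratio of misses rather than on the User-Agent string: the page's tip about User-Agent spoofing is exactly why a "gobuster" UA is a bonus indicator, never the primary one. The browsing client's single favicon 404 stays well under the threshold, while the sweeping client is flagged after its fifth consecutive miss.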