
DirBuster

DirBuster is a multi-threaded Java application designed to brute force directory and file names on web servers. It uses custom-generated wordlists from real developer usage and supports pure brute force to uncover hidden content.

Description

DirBuster is a web server directory brute-forcer that reveals hidden pages and applications on servers that appear to be in a default installation state. It excels at finding concealed directories and files that standard installations might not expose.

The tool's effectiveness stems from its nine custom wordlists generated by crawling the Internet and collecting directories and files actually used by developers, rather than generic lists. This real-world data makes DirBuster particularly adept at discovering hidden resources.

Additionally, DirBuster offers a pure brute force mode, ensuring no hidden directories or files can evade detection. It supports multi-threaded operations for efficiency.

How It Works

DirBuster operates as a multi-threaded Java application that sends HTTP requests to brute force directories and files on target web servers. It uses customizable wordlists for list-based attacks or pure brute force, with configurable threads, GET-only requests, file extensions, and starting points. The tool processes responses to identify valid hidden resources, leveraging nine specialized lists derived from Internet-crawled developer usage data.
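From the server side, the request pattern described above shows up in access logs as one client requesting many distinct paths, most of which do not exist. The following detection sketch is an added example, not part of DirBuster or of the original page; the log lines are constructed, the thresholds are assumptions, and the User-Agent check assumes the client left a tool name in that header.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def find_enumeration(lines, min_requests=8, min_miss_ratio=0.8):
    """Return {ip: stats} for clients whose traffic looks like path brute forcing.

    Thresholds are assumptions for this sample; tune them against baseline traffic.
    """
    per_ip = defaultdict(lambda: {"paths": set(), "misses": 0, "total": 0, "tool_ua": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = per_ip[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        if m["status"] == "404":
            s["misses"] += 1
        # The User-Agent is client-controlled, so treat a match as a hint only.
        if "dirbuster" in m["ua"].lower():
            s["tool_ua"] = True
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["misses"] / s["total"]
        if len(s["paths"]) >= min_requests and ratio >= min_miss_ratio:
            flagged[ip] = {"distinct_paths": len(s["paths"]),
                           "miss_ratio": round(ratio, 2), "tool_ua": s["tool_ua"]}
    return flagged

def _line(ip, method, path, status, ua):
    return f'{ip} - - [16/Apr/2026:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

# Constructed sample: one client walking a wordlist, one ordinary browser.
WORDS = ["admin", "backup", "test", "old", "dev", "private", "tmp", "include", "cgi-bin", "images"]
SAMPLE = [_line("203.0.113.7", "HEAD", f"/{w}/", "200" if w == "images" else "404", "DirBuster-1.0-RC1")
          for w in WORDS]
SAMPLE += [_line("203.0.113.7", "GET", f"/{w}.php", "404", "DirBuster-1.0-RC1") for w in WORDS[:5]]
SAMPLE += [_line("198.51.100.20", "GET", p, "200", "Mozilla/5.0") for p in ["/", "/images/logo.png", "/about"]]

if __name__ == "__main__":
    for ip, stats in find_enumeration(SAMPLE).items():
        print(ip, stats)
```

Counting distinct paths and the share of 404 responses keeps the check useful when the User-Agent has been changed, which is why the header only sets a flag and does not drive the decision.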

Installation

sudo apt install dirbuster

Flags

-h: Display this help message
-H: Start DirBuster in headless mode (no gui), report will be auto saved on exit
-l <Word list to use>: The Word list to use for the list based brute force. Default: /home/kali/kali-www/bin/kali-tools/tool-output/dirbuster/directory-list-2.3-small.txt
-g: Only use GET requests. Default Not Set
-e <File Extention list>: File Extention list eg asp,aspx. Default: php
-t <Number of Threads>: Number of connection threads to use. Default: 10
-s <Start point>: Start point of the scan. Default: /
-v: Verbose output, Default: Not set

Examples

Run DirBuster in headless mode:
java -jar DirBuster-1.0-RC1.jar -H -u https://www.target.com/

Start GUI with target prepopulated:
java -jar DirBuster-1.0-RC1.jar -u https://www.target.com/

Basic usage with target URL:
java -jar DirBuster-1.0-RC1.jar -u http://example.com/

Use custom wordlist for brute force:
java -jar DirBuster-1.0-RC1.jar -u http://example.com/ -l /path/to/wordlist.txt

Set number of threads to 20:
java -jar DirBuster-1.0-RC1.jar -u http://example.com/ -t 20

Specify file extensions asp and aspx:
java -jar DirBuster-1.0-RC1.jar -u http://example.com/ -e asp,aspx

Use only GET requests:
java -jar DirBuster-1.0-RC1.jar -u http://example.com/ -g

Updated 2026-04-16. Source: kali.org