Penetration testing is one of the core competencies of AWARE7 GmbH. The aim of these tests is to find security holes in, for example, web applications. Various pentest tools are used to find such holes and other vulnerabilities. In our new blog series we will present, every week, a tool we use in our pentests. Our pentest tool #1 is dirbuster.
Pentest Tools #1 – dirbuster
The series opens with a tool that is mainly used for web applications. OWASP, the organization well known for its Juice Shop, developed dirbuster as an open source project. The source code of this pentest tool, which comes preinstalled on Kali Linux, can be found on GitHub.
Web applications typically consist of several subpages, which for example show the imprint or provide content. The most obvious subpages are usually linked from the homepage; on the AWARE7 homepage, for example, the subpage for the live hacking events is linked. The majority of subpages, however, are not linked from the homepage and therefore cannot be found at first glance.
This is exactly where dirbuster comes in: using a long list of common subpage names, it tries to find the subpages that actually exist on the target webserver. The process is similar to an attack against a user's login, where a given email address is combined with a list of the most common passwords worldwide. The wordlists used by dirbuster are preinstalled on Kali Linux in the directory /usr/share/wordlists/dirbuster.
Examples from these lists are the subpages /wp-admin or /etc. Technically, dirbuster asks the webserver whether a given subpage is accessible. If the server answers with the page, the program knows that a subpage exists there. If no answer comes back or an error message is returned, dirbuster concludes that the subpage does not exist.
With the help of dirbuster, all such subpages can be found. In our past pentests we often found subpages that were poorly protected because the company had forgotten about them. Many subpages contain sensitive information, so it is worth having a close look at dirbuster's results.
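The request-and-response logic described above also leaves a recognizable trace in the webserver's own access logs, which is what a defender can watch for. The following Python example is added here and is not part of the original post or of dirbuster: it parses constructed Apache combined-format log lines and flags any client that produces a burst of distinct 404 responses within a short window, while listing the paths that did return 2xx during that burst. The log lines, IP addresses, paths and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format (not from the original
# post): 203.0.113.7 fires wordlist-style GETs that mostly 404, while
# 198.51.100.5 is an ordinary visitor following links.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /etc/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "-"
198.51.100.5 - - [10/Oct/2023:13:55:40 +0000] "GET /live-hacking/ HTTP/1.1" 200 8211 "https://aware7.de/" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2023:13:56:02 +0000] "GET /imprint/ HTTP/1.1" 200 3100 "https://aware7.de/" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def detect_enumeration(log_text, window=timedelta(seconds=60), min_404=5):
    """Flag clients with >= `min_404` distinct 404 paths inside one `window`.
    Returns {ip: {"not_found": n, "found": [2xx paths seen in the same burst]}}."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "GET":
            per_ip[rec[0]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[1])
        start = 0
        for end, rec in enumerate(recs):
            while rec[1] - recs[start][1] > window:  # slide window start forward
                start += 1
            burst = recs[start:end + 1]
            misses = {r[3] for r in burst if r[4] == 404}
            if len(misses) >= min_404:
                alerts[ip] = {"not_found": len(misses),
                              "found": sorted({r[3] for r in burst if 200 <= r[4] < 300})}
    return alerts
```

The "found" list is the part worth reviewing first: those are the directories the scan confirmed as reachable, exactly the forgotten subpages the post describes.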
dirbuster in practice
In the following we take a look at dirbuster in practice. The program is started with the simple command “dirbuster” in the terminal. An interface then opens in which we enter our target address, in our example “https://aware7.de”. Various settings lead to different kinds of scans; detailed instructions for this tool can be found on the Kali website.
For our example the default settings with a wordlist from the directory mentioned above are sufficient. The only change we make is to search only for Dirs (directories) and to use only GET requests.
After running the tool we can see all subpages that dirbuster found on the AWARE7 GmbH webserver. Among them are also some pages that could not have been found by following links.