Skip to content

DirBuster Cheat Sheet

DirBuster is a Java-based web content discovery tool used to brute-force directories and files on web servers. It helps uncover hidden paths, admin panels, backups, and misconfigurations.


Start DirBuster

dirbuster

Requires Java (openjdk).


Target Configuration

  • Target URL: http://example.com
  • Port: 80 / 443
  • Protocol: HTTP / HTTPS

Wordlists

Common wordlist locations: - /usr/share/wordlists/dirbuster/ - /usr/share/seclists/Discovery/Web-Content/

Tip

Smaller wordlists are faster and often sufficient.


File Extensions

Specify extensions to discover files:

php,asp,aspx,js,txt,bak

Scan Types

  • List based brute force
  • Pure brute force (slow, rarely used)

Recursive Scanning

Enable recursion to: - Scan discovered directories - Perform deeper enumeration


Threads Configuration

  • Increase threads for speed
  • Reduce threads to avoid detection

Warning

High thread counts may crash unstable servers.


Status Codes

Common responses: - 200 → Found - 301 / 302 → Redirect - 403 → Forbidden (interesting) - 404 → Not found


Start Scan Workflow

Set Target → Select Wordlist → Choose Extensions → Start

Analyze Results

Look for: - Admin panels - Backup files (.bak, .old) - Config files - Upload directories


Typical Use Case

Recon → Directory brute force → Analyze responses → Pivot attacks

Common Issues

Java not found

Install Java:

sudo apt install default-jre

Too slow

Use gobuster or ffuf for faster CLI-based scanning.


DirBuster vs Gobuster

Tool Interface Speed
DirBuster GUI Medium
Gobuster CLI Fast

  • gobuster
  • ffuf
  • wfuzz
  • burpsuite

Danger

Perform directory brute forcing only on authorized targets.