DirBuster Cheat Sheet
DirBuster is a Java-based web content discovery tool used to brute-force directories and files on web servers. It helps uncover hidden paths, admin panels, backups, and misconfigurations.
Start DirBuster
dirbuster
Requires Java (openjdk).
Target Configuration
- Target URL:
http://example.com - Port:
80/443 - Protocol: HTTP / HTTPS
Wordlists
Common wordlist locations:
- /usr/share/wordlists/dirbuster/
- /usr/share/seclists/Discovery/Web-Content/
Tip
Smaller wordlists are faster and often sufficient.
File Extensions
Specify extensions to discover files:
php,asp,aspx,js,txt,bak
Scan Types
- List based brute force
- Pure brute force (slow, rarely used)
Recursive Scanning
Enable recursion to: - Scan discovered directories - Perform deeper enumeration
Threads Configuration
- Increase threads for speed
- Reduce threads to avoid detection
Warning
High thread counts may crash unstable servers.
Status Codes
Common responses:
- 200 → Found
- 301 / 302 → Redirect
- 403 → Forbidden (interesting)
- 404 → Not found
Start Scan Workflow
Set Target → Select Wordlist → Choose Extensions → Start
Analyze Results
Look for:
- Admin panels
- Backup files (.bak, .old)
- Config files
- Upload directories
Typical Use Case
Recon → Directory brute force → Analyze responses → Pivot attacks
Common Issues
Java not found
Install Java:
sudo apt install default-jre
Too slow
Use gobuster or ffuf for faster CLI-based scanning.
DirBuster vs Gobuster
| Tool | Interface | Speed |
|---|---|---|
| DirBuster | GUI | Medium |
| Gobuster | CLI | Fast |
Related Tools
gobusterffufwfuzzburpsuite
Legal Notice
Danger
Perform directory brute forcing only on authorized targets.