What is DirBuster?
DirBuster is a multi-threaded Java application developed by OWASP for brute-forcing directories and files on web servers. It attempts to discover hidden paths — admin panels, backup files, configuration pages, and upload directories — by requesting entries from a wordlist and recording which ones return valid HTTP responses. It includes a GUI for ease of use and ships with several built-in wordlists. Note: for faster CLI-based scanning, many professionals now prefer gobuster or ffuf.
Only use on systems you own or have explicit written permission to test. Unauthorized use violates Pakistan's PECA 2016 and international cybercrime laws.
Installation
```bash
# Update packages
sudo apt update

# Install DirBuster (requires Java)
sudo apt install dirbuster -y

# Ensure Java is installed
sudo apt install default-jre -y

# Launch GUI
dirbuster

# OR launch headless (CLI mode)
java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar \
  -H -u http://example.com/ \
  -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
```
GUI Workflow
```bash
# 1. Launch DirBuster
dirbuster

# 2. Set the target URL:
#    e.g. http://example.com:80/

# 3. Choose scan type:
#    - List based brute force (recommended: use a wordlist)
#    - Pure brute force (slower, generates all combinations)

# 4. Select a wordlist:
#    /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

# 5. Set file extensions to search for:
#    e.g. php,html,txt,bak,zip

# 6. Set number of threads (20-50 is reasonable)

# 7. Click Start and monitor results in the Results tab
```
Built-in Wordlists
- directory-list-2.3-small.txt: ~87k entries, fast
- directory-list-2.3-medium.txt: ~220k entries, recommended
- directory-list-2.3-big.txt: ~1.2M entries, thorough but slow
- directory-list-lowercase-2.3-medium.txt: for case-insensitive targets
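The defender's view of such a scan, as an added example that is not part of the original page or the DirBuster project: a wordlist run of the sizes listed above produces a burst of 404s for many distinct paths from a single client, so the scan footprint is visible in ordinary access logs regardless of the User-Agent the tool sends. The script parses constructed combined-format log lines (the IPs, paths and User-Agent strings are made up for the example) and flags clients whose traffic fits that pattern.

```python
import re
from collections import defaultdict
from os.path import splitext

# Constructed access-log lines ("combined" format): 10.0.0.5 is an ordinary visitor,
# 203.0.113.7 walks a wordlist with the extensions the page lists (php,html,txt,bak,zip).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Java/11"
203.0.113.7 - - [12/May/2024:10:00:03 +0000] "GET /admin.php HTTP/1.1" 404 196 "-" "Java/11"
203.0.113.7 - - [12/May/2024:10:00:03 +0000] "GET /admin.html HTTP/1.1" 404 196 "-" "Java/11"
203.0.113.7 - - [12/May/2024:10:00:04 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Java/11"
203.0.113.7 - - [12/May/2024:10:00:04 +0000] "GET /config.bak HTTP/1.1" 404 196 "-" "Java/11"
203.0.113.7 - - [12/May/2024:10:00:04 +0000] "GET /upload HTTP/1.1" 404 196 "-" "Java/11"
203.0.113.7 - - [12/May/2024:10:00:05 +0000] "GET /test.txt HTTP/1.1" 404 196 "-" "Java/11"
203.0.113.7 - - [12/May/2024:10:00:05 +0000] "GET /old.php HTTP/1.1" 404 196 "-" "Java/11"
203.0.113.7 - - [12/May/2024:10:00:05 +0000] "GET /images HTTP/1.1" 404 196 "-" "Java/11"
203.0.113.7 - - [12/May/2024:10:00:06 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Java/11"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def summarize_clients(log_text):
    """Per client IP: request count, 404 count, distinct paths and extensions probed."""
    stats = defaultdict(lambda: {"requests": 0, "misses": 0, "paths": set(), "extensions": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        s = stats[m["ip"]]
        s["requests"] += 1
        s["paths"].add(m["path"])
        ext = splitext(m["path"].split("?", 1)[0])[1].lstrip(".").lower()
        if ext:
            s["extensions"].add(ext)
        if m["status"] == "404":
            s["misses"] += 1
    return stats


def detect_enumeration(log_text, min_requests=10, min_miss_ratio=0.8):
    """Flag clients whose traffic is dominated by 404s across many distinct paths:
    the footprint of a wordlist scan, whatever User-Agent the tool sends."""
    flagged = {}
    for ip, s in summarize_clients(log_text).items():
        ratio = s["misses"] / s["requests"]
        if s["requests"] >= min_requests and len(s["paths"]) >= min_requests and ratio >= min_miss_ratio:
            flagged[ip] = {"requests": s["requests"], "misses": s["misses"],
                           "miss_ratio": round(ratio, 2), "extensions": sorted(s["extensions"])}
    return flagged
```

Thresholds should be tuned per site: a real scan with the medium wordlist generates thousands of misses per minute, so `min_requests` can be set far higher than in this small sample to keep ordinary broken-link traffic below the alert line.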
Common Use Cases
- Authorized penetration testing engagements
- CTF (Capture The Flag) web challenges
- Internal security audits
- Bug bounty reconnaissance and hidden endpoint discovery
Further Reading
Practice on legal targets like TryHackMe, HackTheBox, or hackzia.site labs. Always read the official documentation before using the tool in a live engagement.