{"id":487,"date":"2019-09-23T09:43:53","date_gmt":"2019-09-23T07:43:53","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=487"},"modified":"2026-05-26T13:13:01","modified_gmt":"2026-05-26T11:13:01","slug":"gobuster","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=487","title":{"rendered":"Web brute&nbsp;force"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Crawling<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Before using brute force, con\u00adsid\u00ader just crawling:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"http:\/\/$target\" | hakrawler -u<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Directory enumeration<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Hints<em>:<\/em><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add <em>\u2013inse\u00adcuressl<\/em> when deal\u00ading with <strong><span class=\"caps\">HTTPS<\/span><\/strong>.<\/li>\n\n\n\n<li>Don\u2019t for\u00adget to search for exploits for stan\u00addard cgi&nbsp;files!<\/li>\n\n\n\n<li>Use dir\u00adbuster (<span class=\"caps\">UI<\/span>) as well. Why&nbsp;not\u2026<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">General search<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">nikto -host $victim\ngobuster dir -u http:\/\/$target\/ -a 'Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0' -w \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/common.txt -t 60\ngobuster dir -u http:\/\/$target\/ -a 'Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0' -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -t 60\n\ngobuster dir -u http:\/\/$target\/ -p socks5:\/\/127.0.0.1:9991 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -t 60\nHTTP_PROXY=\"socks4:\/\/127.0.0.1:9990\/\" gobuster dir -u http:\/\/$target\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -t 60<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If there is the error \u201c<em>Error: error on pars\u00ading argu\u00adments: sta\u00adtus-codes (\u201c200\u201d) and sta\u00adtus-codes-black\u00adlist (\u201c404\u201d) are both set \u2014 please set only one. sta\u00adtus-codes-black\u00adlist is set by default so you might want to dis\u00adable it by sup\u00adply\u00ading an emp\u00adty string.<\/em>\u201d, use the \u2011b&nbsp;flag:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">gobuster dir -u http:\/\/$target\/ -a 'Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0' -w \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/common.txt -b 301<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive with <a href=\"https:\/\/github.com\/maurosoria\/dirsearch\">dirsearch<\/a>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">python3 \/opt\/dirsearch\/dirsearch.py -u http:\/\/$target\/ --random-agent -e php,html,sql -w \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/common.txt,\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -r [--header \"Authorization: Basic b2Zmc2VjOmVsaXRl\"]<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span style=\"color: #800080;\"><span class=\"has-inline-color has-black-color\">Searching for file suffixes<\/span><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">proxychains4 -q dirb http:\/\/$target\/index \/opt\/wfuzz\/wordlist\/general\/extensions_common.txt -t\ngobuster dir -u http:\/\/$target -t 40 -w \/usr\/share\/seclists\/Discovery\/Web-Content\/common.txt -x .php,.html,.bak,.txt,.sql,.zip,.xml,.db,.sh<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Search for cgi-bin related things<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">gobuster dir -u http:\/\/$target\/ -a 'Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0' -w \/usr\/share\/seclists\/Discovery\/Web-Content\/CGIs.txt -s '200,204,301,302,307,403,500' -e\ngobuster dir -u http:\/\/$target\/ -a 'Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0' -w \/usr\/share\/seclists\/Discovery\/Web-Content\/CGIs.txt -s '200' -e<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Search within parameters<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Assume, there is an <span class=\"caps\">URL<\/span> like \/index?file=bla.php<\/li>\n\n\n\n<li>Then, use Gob\u00aduster  with the length para\u00adme\u00adter and note the size of the error doc\u00adu\u00adment:<br><code>gobuster dir -u http:\/\/$target\/blog\/?lang= -w \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/common.txt -t 60 -l --wildcard<\/code><\/li>\n\n\n\n<li>Per\u00adform the search and remove all lines which have the exact size:<br><code>gobuster dir -u http:\/\/$target\/blog\/?lang= -w \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/common.txt -t 60 -l --wildcard -x .php,.inc,.htm,.html | grep -v 2720<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Search for endpoints \/&nbsp;URLs<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use hakrawler to crawl the site and to return a list of unique end\u00adpoints from this&nbsp;site.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"http:\/\/$target\" | hakrawler -u<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Creating wordlists from documents \/ <span class=\"caps\">HTML<\/span>&nbsp;pages<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">With curl<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">curl http:\/\/$target\/website | grep -oE '\\w+' | sort -u -f | more<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">With Ruby<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use this Ruby script and add your <span class=\"caps\">HTML<\/span> out\u00adput \/ text to extract sig\u00adnif\u00adi\u00adcant words you could try as pass\u00adword or in a gob\u00aduster wordlist.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"ruby\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>require 'set'\n\n# Sample stopwords list (add more based on the language you're working with)\nSTOPWORDS = Set.new(%w[the and is in of to for a on that by as with it at from this be an or are])\n\n# Function to extract potential passwords from the text\ndef extract_significant_words(text)\n  # Split the text into words, remove punctuation, and filter out stopwords and short words\n  words = text.scan(\/\\b\\w+\\b\/)\n             .map(&amp;:downcase)  # Normalize to lowercase\n             .reject { |word| word.length &lt;= 4 || STOPWORDS.include?(word) }\n  \n  # Count word frequencies\n  frequency = Hash.new(0)\n  words.each { |word| frequency[word] += 1 }\n\n  # Filter out overly common words (words that occur too many times)\n  threshold = words.size \/ 50  # Adjust this threshold as necessary\n  significant_words = frequency.select { |word, count| count &lt;= threshold }\n  \n  # Return the unique significant words\n  significant_words.keys\nend\n\n# Example usage\ntext = &lt;&lt;-TEXT\nGaara is a character in the Naruto anime. He is a ninja from Sunagakure and became the Kazekage. Gaara fights using sand, controlled by his connection to Shukaku, the tailed beast.\nTEXT\n\n# Extract and print significant words\npassword_candidates = extract_significant_words(text)\nputs password_candidates\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Fuzzing parameters<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">With <a href=\"https:\/\/wfuzz.readthedocs.io\/en\/latest\/user\/basicusage.html\">Wfuzz<\/a>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wfuzz -z range,0-10 --hl 97 http:\/\/$target\/sator.php?p1=FUZZ<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Exclud\u00ading con\u00adtent: This makes requests from 0\u2013100 for the post para\u00adme\u00adter id_no and excludes all respones where the response body does\u00adn\u2019t con\u00adfirm to the reg\u00adexp \u2014 here just a&nbsp;3..<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wfuzz -z range,0-100 -d \"id_no=FUZZ\" --hs 3 \"http:\/\/faculty.htb\/admin\/ajax.php?action=login_faculty\"<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Interesting files<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/awesomehackers.org\/2018\/05\/11\/path-traversal-cheat-sheet\/\">Cheat sheet&nbsp;1<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/tree\/master\/Directory%20Traversal\">List<\/a><\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Vhost enumeration<\/h1>\n\n\n\n<pre class=\"wp-block-preformatted\">ffuf -u http:\/\/linkvortex.htb\/ -w subdomains.txt -H \"Host: FUZZ.linkvortex.htb\" -mc 200<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">gobuster <span class=\"author-a-fsz75zgz68zgvz81zrz70zoyqz75zz88zz90z\">vhost<\/span> -u http:\/\/$VICTIM_DOMAIN\/ --append-domain -w  \/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/bitquark-subdomains-top100000.txt -t 60<br><br>Alternative:<br><br>dnsrecon -d domain.com -D vhost_names.txt -t brt<br><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Oth\u00ader techniques<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use local file inclu\u00adsion (<span class=\"caps\">LFI<\/span>)\n<ul class=\"wp-block-list\">\n<li>Try to change a file\u00adname to read\/parse a local&nbsp;file.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Use remote file inclu\u00adsion (<span class=\"caps\">RFI<\/span>)\n<ul class=\"wp-block-list\">\n<li>Try to add a pro\u00adto\u00adcol like http:\/\/ to include a file from anoth\u00ader serv\u00ader (my)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Crawl\u00ading Before using brute force, con\u00adsid\u00ader just crawl\u00ading: Direc\u00adto\u00adry enu\u00admer\u00ada\u00adtion Hints: Gen\u00ader\u00adal search nik\u00adto \u2011host $vic\u00adtim gob\u00aduster dir \u2011u http:\/\/$target\/ \u2011a \u2018Mozilla\/5.0 (<span class=\"caps\">X11<\/span>; Lin\u00adux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0\u2032 \u2011w \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/common.txt \u2011t 60 gob\u00aduster dir \u2011u http:\/\/$target\/ \u2011a \u2018Mozilla\/5.0 (<span class=\"caps\">X11<\/span>; Lin\u00adux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0\u2019 \u2011w \/usr\/share\/wordlists\/dirbuster\/directory-list\u20112.3\u2011medium.txt \u2011t 60 gob\u00aduster dir \u2011u http:\/\/$target\/ \u2011p socks5:\/\/127.0.0.1:9991 \u2011w [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470],"tags":[263,264,50,137,174,116,3],"class_list":["post-487","post","type-post","status-publish","format-standard","hentry","category-active-enum","tag-dirb","tag-dirbuster","tag-enumeration","tag-gobuster","tag-virtual-host","tag-web-server","tag-webserver"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/487","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=487"}],"version-history":[{"count":50,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/487\/revisions"}],"predecessor-version":[{"id":4951,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/487\/revisions\/4951"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=487"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=487"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}