This morning I was in TryHackMe trying out the Wonderland series for the first time. I came across a common use case in web enumeration and thought it would make a great blog post. Directory bruteforcing is what I’m talking about. It’s a common task we come across when testing web applications. But how many times have you thought, I wish I could do this recursively? I know I feel this way every time I use my favorite tool, GoBuster. The tool is just so fast I can’t imagine using anything else. Well, the good news is there are a couple of other tools on the block you should consider. In this post I will be talking about Feroxbuster.
Honestly, I don’t look at web applications often anymore, but when I do I instantly remember that GoBuster is going to hurt my feelings by not doing recursion. If you haven’t heard the term, what I mean is that when the tool discovers a new directory, it scans that directory as well. And depending on the settings, it could continue down the directory rabbit hole into infinity. See what I did there? Wonderland? Rabbit hole?
Anyways, back on topic. If you do not use recursion and the tool finds a directory, the tool reports the directory but does not scan it. You would need to kick off another scan to bruteforce that directory as well. Obviously, there is a big limitation with that. I can’t think of any real-world application that only has a depth of one.
I keep going back to my friend GoBuster because I like it. I mean, GoBuster has been around since 2015; surely it has recursion by now. But when I checked, I was sadly disappointed. Don’t silently judge me for not updating my toolset. Some of you are probably still using dirb. But as luck would have it, epi052 released feroxbuster.
Feroxbuster pretty much does everything GoBuster does and more, and it is built in Rust. If you want to see a comparison, check out this link from securityonline where they compare feroxbuster, gobuster, and ffuf. I can’t remember why I decided not to use ffuf when I tested it a while back. Maybe I will try it again and make some notes.
Install is pretty straightforward if you are on Ubuntu (that is what’s on TryHackMe’s Attack Boxes). Simply install snap and then install feroxbuster with snap. Kali install is pretty easy as well now that the tool is in the repo. Just use apt to install. For other installs, check out feroxbuster’s documentation.
I simply used it for directory bruteforcing in a CTF environment that was pretty responsive. Therefore, I didn’t need to deal with timeouts, delays, or lack of responsiveness. In the real world you may need to consider these issues when building your command.
Base Feroxbuster Command
My command provides a URL and a wordlist, and sets the depth to infinite. Pretty straightforward. Sometimes status codes cause some issues for me with web applications. If that’s the case for you, just add the -s filter and provide a list of status codes you want to see.
If you need a wordlist for directories, check out SecLists. They have a ton of great wordlists under Web-Content.
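To make the recursion and depth behaviour concrete, here is an added example (my own illustration, not feroxbuster’s code) that runs the same breadth-first idea against a constructed in-memory mock of a site. `max_depth=0` mirrors the "infinite depth" setting, `max_depth=1` behaves like a non-recursive GoBuster run, and `show` stands in for the -s status filter; the returned request count shows how quickly recursion multiplies traffic, which is why timeouts and delays matter outside a CTF.

```python
from collections import deque

# Constructed mock of a web tree: path -> status the server would return.
# It stands in for a live host so the example runs offline.
MOCK_SITE = {
    "/": 200,
    "/admin/": 301,
    "/admin/backup/": 301,
    "/admin/backup/old/": 301,
    "/admin/backup/old/site.zip": 200,
    "/images/": 301,
    "/images/logo.png": 200,
    "/robots.txt": 200,
}
# Constructed mini wordlist; SecLists Web-Content lists are the real thing.
WORDLIST = ["admin", "backup", "images", "old", "robots.txt", "site.zip", "logo.png"]


def probe(path):
    """Simulated HTTP request: mock status, or 404 when the path does not exist."""
    return MOCK_SITE.get(path, 404)


def enumerate_dirs(wordlist, max_depth=0, show=(200, 301)):
    """Breadth-first directory enumeration over the mock site.

    max_depth=0 means unlimited recursion; max_depth=1 scans only the root.
    show is the set of status codes treated as hits (like the -s filter).
    Returns (paths found, total requests issued).
    """
    found, requests = [], 0
    queue = deque([("/", 1)])  # (directory to scan, its depth)
    while queue:
        base, depth = queue.popleft()
        for word in wordlist:
            candidate, requests = base + word, requests + 1
            status = probe(candidate)
            if status == 404:  # retry as a directory with a trailing slash
                status, requests = probe(candidate + "/"), requests + 1
                if status != 404:
                    candidate += "/"
            if status in show:
                found.append(candidate)
                # Only directories are recursed into, and only while depth allows.
                if candidate.endswith("/") and (max_depth == 0 or depth < max_depth):
                    queue.append((candidate, depth + 1))
    return found, requests
```

Filtering 301 out of `show` also stops recursion into redirecting directories, so a narrow -s list can hide whole subtrees.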
Yup, that’s it. Feroxbuster is pretty solid. I will check out ffuf next time I need a directory bruteforce tool and let you know my thoughts. If you have any other tools you would recommend for directory bruteforcing, let me know!