Feroxbuster to the Rescue

9/28/2021

This morning I was in TryHackMe trying out the Wonderland series for the first time. I came across a common use case in web enumeration and thought it would make a great blog post: directory brute-forcing. It's a common task when testing web applications. But how many times have you wished you could do it recursively? I feel this way every time I use my favorite tool, GoBuster. The tool is so fast I can't imagine using anything else. The good news is that there are a couple of other tools on the block you should consider. In this post I will be talking about Feroxbuster.

Background Story

Honestly, I don't look at web applications often anymore, but when I do I instantly remember that GoBuster is going to hurt my feelings by not doing recursion. If you haven't heard the term, what I mean is that when the tool discovers a new directory, it scans that directory as well and, depending on the settings, could continue down the directory rabbit hole indefinitely. See what I did there? Wonderland? Rabbit hole?

Anyway, back on topic. If you do not use recursion and the tool finds a directory, it reports the directory but does not scan it. You would need to kick off another scan to brute-force that directory as well. Obviously, that is a big limitation. I can't think of any real-world application that only has a depth of one.

I keep going back to my friend GoBuster because I like it. I mean, GoBuster has been around since 2015; surely it has recursion by now. But when I checked, I was sadly disappointed. Don't silently judge me for not updating my toolset; some of you are probably still using dirb. But as luck would have it, epi052 released feroxbuster.

Installation

Feroxbuster pretty much does everything GoBuster does and more, and it is built in Rust. If you want to see a comparison, check out this link from securityonline where they compare feroxbuster, gobuster, and ffuf. I can't remember why I decided not to use ffuf when I tested it a while back. Maybe I will try it again and make some notes.

Install is pretty straightforward if you are on Ubuntu (which is what's on TryHackMe's Attack Boxes). Simply install snap and then install feroxbuster with snap. The Kali install is pretty easy as well now that the tool is in the repo; just use apt to install it. For other installs, check out feroxbuster's documentation.
Install Commands

    

Standard Usage

I simply used it for directory brute-forcing in a CTF environment that was pretty responsive, so I didn't need to deal with timeouts, delays, or lack of responsiveness. In the real world you may need to consider these issues when building your command.
Base Feroxbuster Command

    
My command provides a URL, a wordlist, and says to use infinite depth. Pretty straightforward. Sometimes status codes cause issues for me with web applications. If that's the case for you, just add the -s filter and provide a list of status codes you want to see.

If you need a wordlist for directories, check out SecLists. They have a ton of great wordlists under Web-Content.
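A recursive scan like the one above leaves a recognisable footprint in the target's web server logs: a burst of requests from one client, mostly 404s, walking into every directory it finds. The following Python detection example is added here and is not from the post or the feroxbuster project; the log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed "combined"-format access log lines for this added example.
# 10.0.0.5 behaves like a recursive directory brute-forcer (mostly 404s that
# descend into every directory found); 10.0.0.9 is a normal visitor. Both use
# the same User-Agent on purpose: the detection is behavioural, not UA-based.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2021:09:00:01 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Sep/2021:09:00:01 +0000] "GET /images/ HTTP/1.1" 301 0 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Sep/2021:09:00:02 +0000] "GET /images/admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Sep/2021:09:00:02 +0000] "GET /images/icons/ HTTP/1.1" 301 0 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Sep/2021:09:00:03 +0000] "GET /images/icons/admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Sep/2021:09:00:03 +0000] "GET /images/icons/backup/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Sep/2021:09:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Sep/2021:09:00:05 +0000] "GET /images/icons/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client ip, method, path and status code of a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(log_text):
    """Yield (client_ip, path, status) for each well-formed line; skip junk."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4))

def detect_bruteforce(log_text, min_paths=5, min_404_ratio=0.5, min_depth=2):
    """Return {ip: stats} for clients whose traffic looks like a recursive
    directory brute-force: many distinct paths, mostly 404s, and at least one
    path nested min_depth directories deep (the footprint of recursion).
    Thresholds are assumed starting points, not tuned values."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "max_depth": 0})
    for ip, path, status in parse(log_text):
        s = stats[ip]
        s["requests"] += 1
        s["not_found"] += int(status == 404)
        s["paths"].add(path)
        s["max_depth"] = max(s["max_depth"], len([p for p in path.split("/") if p]))
    flagged = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["requests"]
        if len(s["paths"]) >= min_paths and ratio >= min_404_ratio and s["max_depth"] >= min_depth:
            flagged[ip] = {"requests": s["requests"], "ratio_404": round(ratio, 2),
                           "max_depth": s["max_depth"]}
    return flagged

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

On real logs, run this per time window so that a legitimate crawler's slow trickle of 404s over a day does not cross the same thresholds as a scanner's burst.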

Conclusion

Yup, that's it. Feroxbuster is pretty solid. I will check out ffuf next time I need a directory brute-forcing tool and let you know my thoughts. If you have any other tools you would recommend for directory brute-forcing, let me know!
 
Happy Hacking!
    Author

    Silverbits
    - Infosec Enthusiast
    - Traveler
    - Future AT Thru-Hiker
    - CTFer
    - Red and Blue Teamer