A Guide to Dirb Tool

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It works by launching a dictionary-based attack against a web server and analyzing the responses.

DIRB comes with a set of preconfigured attack wordlists for easy usage, but you can also use your own custom wordlists. DIRB can sometimes be used as a classic CGI scanner, but remember that it is a content scanner, not a vulnerability scanner.

DIRB's main purpose is to help in professional web application auditing, especially in security-related testing. It covers some holes not covered by classic web vulnerability scanners. DIRB looks for specific web objects that other generic CGI scanners can't look for. It doesn't search for vulnerabilities, nor does it look for web contents that can be vulnerable.

For our test we're going to use http://webscantest.com, a site intended for testing purposes:

dirb http://webscantest.com /usr/share/dirb/wordlists/big.txt

In this example we specified the wordlist /usr/share/dirb/wordlists/big.txt. If we don't specify one, the default is common.txt.

If we want to brute force a specific extension, we can add the flag “-X” followed by the extension, for example .php or .txt.

Responses with specific status codes, such as 302 or 404, can be ignored by using the flag “-N” followed by the code.
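
Seen from the server side, a DIRB run like the one above appears in the access log as a single client requesting many distinct paths and receiving mostly 404 responses. The following Python example is added here and is not from the original post; it flags that pattern in combined-format access logs. The log lines, IP addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_content_scans(lines, min_paths=8, min_miss_ratio=0.8):
    """Flag clients that request many distinct paths and mostly receive 404."""
    seen = defaultdict(set)    # ip -> distinct paths requested
    missed = defaultdict(set)  # ip -> distinct paths answered with 404
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue           # skip lines that are not access-log entries
        path = m["path"].split("?", 1)[0]   # ignore query strings
        seen[m["ip"]].add(path)
        if m["status"] == "404":
            missed[m["ip"]].add(path)
    flagged = {}
    for ip, paths in seen.items():
        ratio = len(missed[ip]) / len(paths)
        if len(paths) >= min_paths and ratio >= min_miss_ratio:
            flagged[ip] = {
                "distinct_paths": len(paths),
                "miss_ratio": round(ratio, 2),
                # Paths that did not 404 are what the scan found: review these first.
                "found": sorted(paths - missed[ip]),
            }
    return flagged

def sample_log():
    """Constructed sample: 203.0.113.7 walks a wordlist, 198.51.100.4 browses."""
    ts = "[10/Mar/2024:10:00:00 +0000]"
    words = ["admin", "backup", "cgi-bin", "config", "db",
             "dev", "old", "private", "test", "tmp"]
    exists = {"admin": "301", "cgi-bin": "403"}   # everything else is a 404
    lines = [f'203.0.113.7 - - {ts} "GET /{w} HTTP/1.1" {exists.get(w, "404")} 162 "-" "-"'
             for w in words]
    for path, status in [("/", "200"), ("/index.php", "200"), ("/favicon.ico", "404")]:
        lines.append(f'198.51.100.4 - - {ts} "GET {path} HTTP/1.1" {status} 512 "-" "-"')
    return lines

if __name__ == "__main__":
    for ip, info in find_content_scans(sample_log()).items():
        print(ip, info)
```

The "found" list holds the paths that returned something other than 404 to the scanning client, so it doubles as a list of exposed objects to review or lock down.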
