Dirb is a command line tool you can use to fuzz web sites or web apps. Dirb finds files and directories on your target site that are not directly linked from a publicly accessible page on the site or from the Internet. This means Dirb can map out your target beyond what you may find by just browsing the site yourself.
Often, web developers consider that web pages under construction that have no links pointing to them are safe from prying eyes and this may lead them to leave behind some valuable data that you could potentially use as a pentester (like developer or admin credentials). Dirb helps you find these pages.
Dirb performs directory and file enumeration using wordlists. Based on the http response code it gets back from each request, Dirb displays all the matching URLs.
If you’re using Kali Linux, you will find Dirb preinstalled. Otherwise, you can get it here.
Basic Dirb syntax
The basic syntax, using Dirb’s default wordlist is:
Dirb also works with IP addresses:
If you want to use a specific wordlist, type a space then the path to the wordlist:
dirb http://yourtargetsite.com /usr/share/dirb/wordlists/small.txt
A number of wordlists are supplied in:
The default wordlist is:
You can also use external wordlists like Daniel Miessler’s SecLists.
If you want to stop a scan that’s taking too long, just type
-r flag makes the scan non-recursive. This means when Dirb discovers a directory, it will not try to fuzz its sub-directories as well. It will just list the first level directories of the main URL that was specified in the command.
-z flag introduces a delay (in milliseconds) between requests. This will let you throttle down and fly under the radar in case the web app uses a web application firewall that spots (and blocks) a flow of requests that come in too fast:
dirb http://yourtargetsite.com -z 1000
This decreases the speed to 1 request per second (1000 milliseconds)
-s flag is for silent mode. This hides the display of the stream of sent requests and only displays items found.
-X flag lets you specify a list of comma separated extensions to scan for:
dirb http://yourtargetsite.com -X ".php,.bak"
Every word in the wordlist will be appended with each of theses extensions.
-x flag lets you specify the path to a text file that contains a list of extensions to use:
dirb http://yourtargetsite.com -x extensions.txt
Such a list can be:
-o flag lets you save the output to a text file:
dirb http://yourtargetsite.com -x extensions.txt -o youroutputfile.txt
-a flag lets you set a custom user agent, to make it look like the request is coming from a regular browser.
If you need this, go to useragentstring.com to copy a custom user agent (i.e. browser) and paste it into the Dirb command, in double quotes:
dirb http://yourtargetsite.com -a "Mozilla/5.0 (X11; Linux i686; rv:64.0) Gecko/20100101 Firefox/64.0"
-p flag lets you direct the traffic to a proxy.
This can be helpful if you want to display Dirb’s traffic in Burp Suite (I’ll go deeper into that in another post).
dirb http://yourtargetsite.com -p http://127.0.0.1:8080
Note that the proxy specified in the Dirb command must be Burp’s proxy listener
http://127.0.0.1:8080 usually, unless you set it otherwise).
-c flag lets you specify a cookie in the http request:
dirb http://yourtargetsite.com -p http://127.0.0.1:8080 -c "COOKIE:ABC"
-u flag lets you specify a username and password, if the pages you are fuzzing require authentification:
dirb http://yourtargetsite.com -p http://127.0.0.1:8080 -u "username:password"Dirb will include the
username:password string encoded in base64.
-H switch lets you add a custom header to the http request:
dirb http://yourtargetsite.com -p http://127.0.0.1:8080 -H "Myheader:Mycontent"
Why use Dirb over FFUF?
FFUF is a fuzzing tool that has gained a lot of traction in the community (more on this in a later post).
The main advantage of Dirb over FFUF is that is very simple and straightforward to use. Also, for a beginner, the output may be easier to read.
But (and that’s a major but), it’s a lot slower. On a test scan I ran on the same target using the same wordlist, Dirb took just under 11 minutes where FFUF performed the same recursive scan in less than a minute and even found an extra end point.
My advice: Dirb is great to get started in web app fuzzing. But as soon as you get the hang of it, I suggest you move on to FFUF.