This is the second installment of our comprehensive guide series on dirsearch. In the first part of this series, we discussed some basic dirsearch commands. If you haven't checked the first part yet, you can learn these features from here. In this part we will explore some more options of this command-line tool.
Table of content
· URL Attack
· Full URL
· Exclude Status Codes
· Minimal Size
· Maximal Size
· Random Agent
· Include Status Code
· Suffixes
· Prefixes
· Threads
· Only Selected
· Remove Extensions
· Upper Case Directories
· Lower Case Directories
· Capital Letter Directories
· Exclude Text
· Exclude Sizes
URL Attack
First, we take a simple URL attack as our reference. With the help of the [-u] parameter, we can run our web content scanner against a particular targeted URL. To get the desired results, we need to ensure that this command is accompanied by an authenticated URL.
./dirsearch.py -u http://testphp.vulnweb.com/
As we can see, we got some web directories and web pages. In this screenshot, we have highlighted a few things: the default extensions [php, aspx, jsp, html, js], the default HTTP method [GET], the default threads [30] and the default wordlist size [10832]. These defaults play a crucial role in our directory attack, and we will refer back to them from time to time.
Full URL
Sometimes the results of these directory attacks can be confusing. To resolve this confusion, we have a separate parameter called [--full-url]. This parameter helps us go through the results with ease.
./dirsearch.py -u http://testphp.vulnweb.com/ --full-url
As we can see in these results, we now get the full URL details.
Exclude Status Code
We know that all HTTP response status codes are segregated into five groups or classes. The first digit of the status code determines the response class, while the last two digits have no classifying or categorizing function. There are five classes defined by the standard.
We can exclude status codes with the parameter [-x]. Through this feature we can remove the unwanted codes and keep only those statuses that we want in our attack schedule.
./dirsearch.py -u http://testphp.vulnweb.com/ -x 301
We can also exclude more than one status code by separating them with a comma [,].
./dirsearch.py -u http://testphp.vulnweb.com/ -x 301,302,403
As we can see in the results of this attack, we only get the successful ones due to our parameter.
Minimal Size
Sometimes web pages have lots of small files. These files are of no use to us for offensive purposes, so this tool gives us the power to eliminate them with the [--minimal] parameter. We just need to specify the size in bytes below which we don't want results.
./dirsearch.py -u http://testphp.vulnweb.com/ -x 301,302,403 --minimal=2048
As we can see, the results show only the successful responses [due to the -x parameter] with the minimal size set by us, which is 2 KB or 2048 bytes.
Maximal Size
Vice versa of the minimal size, the maximal size is used to set an upper limit on the results. The parameter we use to achieve this is [--maximal]. We just need to specify the size in bytes above which we don't want results.
./dirsearch.py -u http://testphp.vulnweb.com/ -x 301,302,403 --maximal=5120
We can also provide both the minimal and the maximal size together. This gives us a proper range, and with it a proper scope for finding files of a particular size.
./dirsearch.py -u http://testphp.vulnweb.com/ -x 301,302,403 --minimal=2048 --maximal=5120
Random Agent
We all recognize that a user agent in computing is a program (a software agent) that operates on behalf of a user, such as a web browser that "retrieves, renders, and facilitates interaction with web content by end-users."
We can use a random user agent, with the [--random-agent] parameter, to break the default schedule and get our results in a brand new order.
./dirsearch.py -u http://testphp.vulnweb.com/ -x 301,302,403 --random-agent
Include status code
Earlier we excluded status codes, which removes the unwanted status codes. Including status codes is the vice versa: with the [-i] parameter we include any status code that we want in our results.
./dirsearch.py -u http://testphp.vulnweb.com/ -i 200
We can include more than one status code by following this command.
./dirsearch.py -u http://testphp.vulnweb.com/ -i 200,301,302
As we can observe in these results, it only shows these codes [200, 301, 302].
Suffixes
Grammatically, a suffix is a letter or group of letters added at the end of a word to create a new word. This parameter helps us search for only those specific results that match the suffix we provide to the attack. To get these results in our attack, we use the following command.
./dirsearch.py -u http://testphp.vulnweb.com/ --suffixes=.php
As we can see in these results, we successfully got all the results related to our provided suffix.
Prefixes
Grammatically, a prefix is a letter or group of letters added at the start of a word to create a new word. This parameter helps us search for only those specific results that match the prefix we provide to the attack. To get these results in our attack, we use the following command.
./dirsearch.py -u http://testphp.vulnweb.com/ --prefixes=index
As we can see in these results, it is only showing those results which have our prefix.
Threads
We can increase or decrease the number of threads. This will increase or decrease the speed of our attack, depending on the number of threads we provide. As we saw earlier in the URL attack, the default number of threads is set to 30.
As we want to increase the speed of the attack, we change it to 100 with the help of the [-t] parameter.
./dirsearch.py -u http://testphp.vulnweb.com/ -i 200 -t 100
Only selected
With the parameter called [--only-selected], we get a focused directory wordlist, through which we only get selected web pages and directories. This can be very useful for finding some great results through the attack.
./dirsearch.py -u http://testphp.vulnweb.com/ -i 200 --only-selected
As we can see in the banner of this tool, our wordlist got shorter, from 10832 to 7608.
Remove Extension
We all know the definition of an extension: a file extension (or simply "extension") is the suffix at the end of a file name that specifies what sort of file it is. We can remove extensions from our results. To get this kind of result we can use the parameter called [--remove-extensions].
./dirsearch.py -u http://testphp.vulnweb.com/ -i 200 --remove-extensions
As we can see, it removes all the extensions.
Upper Case Directories
This acts just like a filter, which only lets through the upper-case directories, with the help of the parameter [-U]. We can apply this filter by using this command.
./dirsearch.py -u http://testphp.vulnweb.com/ -U
Lower Case Directories
Similarly to the above, this acts just like a filter, which only lets through the lower-case directories, with the help of the parameter [-L]. We can apply this filter by using this command.
./dirsearch.py -u http://testphp.vulnweb.com/ -i 200 -L
Capital Letter Directories
This acts as a filter, which only lets through the directories whose first letter is a capital, with the help of the parameter [-C]. We can apply this filter by using this command.
./dirsearch.py -u http://testphp.vulnweb.com/ -i 200 -C
Exclude Text
Just as we earlier removed or excluded the unwanted status codes, we can also exclude some text from our results as per our need, by using the parameter called [--exclude-texts].
./dirsearch.py -u http://testphp.vulnweb.com/ -i 200 --exclude-texts=index
As we can see in this result, and by comparing it with the unfiltered results, we can observe that it has excluded the text index from its results.
Exclude sizes
Just as we earlier removed or excluded the unwanted text, we can also exclude some file sizes from our results as per our need, by using the parameter called [--exclude-sizes].
./dirsearch.py -u http://testphp.vulnweb.com/ -i 200 --exclude-sizes=5KB
As we can see in this result, and by comparing it with the unfiltered results, we can observe that it has excluded the files that have a size of 5KB from its results.
Author: Shubham Sharma is a passionate Cybersecurity Researcher, contact LinkedIn and Twitter.