/dirsearch

Web path scanner

Primary LanguagePython

dirsearch

Current Release: v0.3.9 (2019.11.26)

Overview

dirsearch is an advanced command line tool designed to brute force directories and files in webservers.

Installation & Usage

git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
python3 dirsearch.py -u <URL> -e <EXTENSION>

you can also use this alias to send directly to proxy python3 /path/to/dirsearch/dirsearch.py --http-proxy=localhost:8080

Options

Options:
  -h, --help            show this help message and exit

  Mandatory:
    -u URL, --url=URL   URL target
    -l URLLIST, --url-list=URLLIST
                        URL list target
    -e EXTENSIONS, --extensions=EXTENSIONS
                        Extensions list separated by comma (Example: php,asp)
    -E, --extensions-list
                        Use predefined list of common extensions
    -X EXCLUDEEXTENSIONS, --exclude-extensions=EXCLUDEEXTENSIONS
                        Exclude extensions list, separated by comma (Example:
                        asp,jsp)

  Dictionary Settings:
    -w WORDLIST, --wordlist=WORDLIST
                        Customize wordlist (separated by comma)
    --pref=PREFIXES, --prefixes=PREFIXES
                        Add custom prefixes to all entries (separated by
                        comma)
    --suff=SUFFIXES, --suffixes=SUFFIXES
                        Add custom suffixes to all entries, ignores
                        directories (separated by comma)
    -f, --force-extensions
                        Force extensions for every wordlist entry. Add
                        %NOFORCE% at the end of the entry that you do not want
                        to force in the wordlist
    --nd, --no-dot-extensions
                        Don't add a '.' character before extensions
    -L, --lowercase
    -U, --uppercase

  General Settings:
    -d DATA, --data=DATA
                        HTTP request data (POST, PUT, ... body)
    -s DELAY, --delay=DELAY
                        Delay between requests (float number)
    -r, --recursive     Bruteforce recursively
    -R RECURSIVE_LEVEL_MAX, --recursive-level-max=RECURSIVE_LEVEL_MAX
                        Max recursion level (subdirs) (Default: 1 [only
                        rootdir + 1 dir])
    --suppress-empty, --suppress-empty
    --min=MINIMUMRESPONSESIZE
                        Minimal response length
    --max=MAXIMUMRESPONSESIZE
                        Maximal response length
    --scan-subdir=SCANSUBDIRS, --scan-subdirs=SCANSUBDIRS
                        Scan subdirectories of the given -u|--url (separated
                        by comma)
    --exclude-subdir=EXCLUDESUBDIRS, --exclude-subdirs=EXCLUDESUBDIRS
                        Exclude the following subdirectories during recursive
                        scan (separated by comma)
    -t THREADSCOUNT, --threads=THREADSCOUNT
                        Number of Threads
    -i INCLUDESTATUSCODES, --include-status=INCLUDESTATUSCODES
                        Show only included status codes, separated by comma
                        (example: 301, 500)
    -x EXCLUDESTATUSCODES, --exclude-status=EXCLUDESTATUSCODES
                        Exclude status code, separated by comma (example: 301,
                        500)
    --exclude-texts=EXCLUDETEXTS
                        Exclude responses by texts, separated by comma
                        (example: "Not found", "Error")
    --exclude-regexps=EXCLUDEREGEXPS
                        Exclude responses by regexps, separated by comma
                        (example: "Not foun[a-z]{1}", "^Error$")
    -c COOKIE, --cookie=COOKIE
    --ua=USERAGENT, --user-agent=USERAGENT
    -F, --follow-redirects
    -H HEADERS, --header=HEADERS
                        Headers to add (example: --header "Referer:
                        example.com" --header "User-Agent: IE")
    --random-agents, --random-user-agents
    --clean-view, --clean-view
    --full-url, --full-url

  Connection Settings:
    --timeout=TIMEOUT   Connection timeout
    --ip=IP             Resolve name to IP address
    --proxy=HTTPPROXY, --http-proxy=HTTPPROXY
                        Http Proxy (example: localhost:8080)
    --proxylist=PROXYLIST, --http-proxy-list=PROXYLIST
                        Path to file containg http proxy servers.
    -m HTTPMETHOD, --http-method=HTTPMETHOD
                        Method to use, default: GET
    --max-retries=MAXRETRIES
    -b, --request-by-hostname
                        By default dirsearch will request by IP for speed.
                        This forces requests by hostname

  Reports:
    --simple-report=SIMPLEOUTPUTFILE
                        Only found paths
    --plain-text-report=PLAINTEXTOUTPUTFILE
                        Found paths with status codes
    --json-report=JSONOUTPUTFILE

Operating Systems supported

  • Windows XP/7/8/10
  • GNU/Linux
  • MacOSX

Features

  • Multithreaded
  • Keep alive connections
  • Support for multiple extensions (-e|--extensions asp,php)
  • Support for every HTTP method
  • Reporting (plain text, JSON)
  • Heuristically detects invalid web pages
  • Recursive brute forcing
  • Subdirectories brute forcing
  • Force extensions
  • HTTP proxy support
  • HTTP cookies and headers support
  • User agent randomization
  • Batch processing
  • Request delaying
  • Quiet mode
  • Option to force requests by hostname
  • Option to exclude responses by texts
  • Option to exclude responses by regexps (example: "Not foun[a-z]{1}")
  • Option to remove dot from extension when forcing (--nd, example%EXT% instead of example.%EXT%)
  • Options to display only items with response length from range (--min & --max)
  • Option to whitelist response codes (-i 200,500)
  • Option to blacklist response codes (-x 404,403)
  • Option to remove output from console (-q, keeps output to files)
  • Option to add custom suffixes to filenames without dots (--suff .BAK,.old, example.%EXT%%SUFFIX%)

About wordlists

Dictionaries must be text files. Each line will be processed as such, except that the special word %EXT% is used, which will generate one entry for each extension (-e | --extension) passed as an argument.

Example:

  • example/
  • example.%EXT%

Passing the extensions "asp" and "aspx" will generate the following dictionary:

  • example/
  • example.asp
  • example.aspx

You can also use -f | --force-extensions switch to append extensions to every word in the wordlists (like DirBuster).

How to use

Some examples how to use dirsearch - those are the most common arguments. If you need all, just use the "-h" argument.

python3 dirsearch.py -E -u https://target
python3 dirsearch.py -E -u https://target -w db/dicc.txt
python3 dirsearch.py -E -u https://target --recursive -R 2
python3 dirsearch.py -e php,txt,zip -u https://target -w db/dicc.txt --recursive -R 4 --scan-subdirs=/,/wp-content/,/wp-admin/
python3 dirsearch.py -e php,txt,zip -u https://target -w db/dicc.txt --exclude-texts=This,AndThat
python3 dirsearch.py -e php,txt,zip -u https://target -w db/dicc.txt -H "User-Agent: IE"
python3 dirsearch.py -e php,txt,zip -u https://target -w db/dicc.txt -t 20
python3 dirsearch.py -e php,txt,zip -u https://target -w db/dicc.txt --random-agents
python3 dirsearch.py -e php,txt,zip -u https://target -w db/dicc.txt --json-report=reports/target.json
python3 dirsearch.py -e php,txt,zip -u https://target -w db/dicc.txt --simple-report=reports/target-paths.txt
python3 dirsearch.py -e php,txt,zip -u https://target -w db/dicc.txt --plain-text-report=reports/target-paths-and-status.json

Support Docker

Install Docker Linux

Install Docker

curl -fsSL https://get.docker.com | bash

To use docker you need superuser power

Build Image dirsearch

To create image

docker build -t "dirsearch:v0.3.8" .

dirsearch this is name the image and v0.3.8 is version

Using dirsearch

For using

docker run -it --rm "dirsearch:v0.3.8" -u target -e php,html,png,js,jpg

target is the site or IP

License

Copyright (C) Mauro Soria (maurosoria@gmail.com)

License: GNU General Public License, version 2

Contributors

Special thanks for these people.

  • shelld3v
  • mzfr
  • Damian89
  • Bo0oM
  • liamosaur
  • redshark1802
  • SUHAR1K
  • FireFart
  • k2l8m11n2
  • vlohacks
  • r0p0s3c
  • V-Rico
  • russtone