Dirsearch Tutorial to find the Hidden Web Directories
Irfan Shakeel
I am on a mission to create a secure cyber world ???| Director @ CIP Cyber | Creating ICS/OT Security Content ????
When a security analyst performing website penetration testing the initial step should be finding hidden directories of a vulnerable website.
These hidden web directories are essential because they can give useful information i.e. potential attack vectors that would not be visible on the public facing website.
One of the ways to achieve this is by attempting brute-forcing site structure that includes directories and files in websites and for that, you have to choose a powerful tool.
Although there are many tools available used to perform site brute-forcing includes Dirbuster or Dirb but these have their own limitation such as Dirbuster only offers GUI interface that is not feasible all the time and Dirb does not include multithreading feature.
The most popular choice among penetration testers for website brute-forcing is Dirsearch.
Dirsearch, written in python is a command-line website directory scanner. It has a lot of features making it the complete winner in terms of performance:
- It includes Multithreading, making it faster than any other site scanner tool
- It performs Recursive brute-forcing
- It has HTTP proxy support
- Dirsearch effectively detects invalid web pages
- It has User agent randomization and Batch processing
- Supports Request delaying
This tool can be run on any operating system (Windows, Linux, mac) making it more compatible and simpler, yet a powerful tool.
In this setup we will be using Kali Linux as an attacking machine and DVWA on Metasploitable 2 as the target.
Install Dirsearch
You need to install Dirsearch in your Kali Linux attacking machine. First update all the repositories from the command # apt-get update
After that install Dirsearch from Github by using the link: https://github.com/maurosoria/dirsearch
Type command:
# git clone https://github.com/maurosoria/dirsearch
After successfully installing the tool, change the root directory into Dirsearch.
# cd dirsearch/
Type ls to see the content under Dirsearch directoy.
You can see there is a configuration file and a python file named ‘dirsearch.py’ which we are going to execute.
Configuring the Tool
Next step will be configuring the Dirsearch. You can do it in three ways.
As this ‘dirsearch.py’ file needs python 3 to execute correctly, just simply run it with python.
# python3 dirsearch.py
It gives a usage example, stating we need to specify a valid URL.
See the complete article published here: