An advanced web path brute-forcer dirsearch is being actively developed by @maurosoria and @shelld3v Reach to our Discord server to communicate with the team at best Requirement: python 3.7 or higher Choose one of these installation options: Summary: Examples: Passing asp and aspx as extensions will generate the following dictionary: Passing php and html as extensions with -f/--force-extensions flag will generate the following dictionary: Passing jsp and jspa as extensions with -O/--overwrite-extensions flag will generate the following dictionary: By default, Some examples for how to use dirsearch - those are the most common arguments. If you need all, just use the -h argument. dirsearch allows you to pause the scanning progress with CTRL+C, from here, you can save the progress (and continue later), skip the current target, or skip the current sub-directory. There are 2 more options: --force-recursive and --deep-recursive If there are sub-directories that you do not want to brute-force recursively, use The thread number (-t | --threads) reflects the number of separated brute force processes. And so the bigger the thread number is, the faster dirsearch runs. By default, the number of threads is 25, but you can increase it if you want to speed up the progress. In spite of that, the speed still depends a lot on the response time of the server. And as a warning, we advise you to keep the threads number not too big because it can cause DoS (Denial of Service). Wordlist: Generated with prefixes: Wordlist: Generated with suffixes: Inside the Example: If you add Use -i | --include-status and -x | --exclude-status to select allowed and not allowed response status-codes For more advanced filters: --exclude-sizes, --exclude-texts, --exclude-regexps, --exclude-redirects and --exclude-response dirsearch allows you to import the raw request from a file. The content would be something looked like this: Since there is no way for dirsearch to know what the URI scheme is, you need to set it using the Supported wordlist formats: uppercase, lowercase, capitalization Use -X | --exclude-extensions with an extension list will remove all paths in the wordlist that contains the given extensions Wordlist: After: dirsearch supports SOCKS and HTTP proxy, with two options: a proxy server or a list of proxy servers. Supported report formats: simple, plain, json, xml, md, csv, html, sqlite There are more to discover, try yourself! Install Docker To use docker you need superuser power To create image dirsearch is the name of the image and v0.4.3 is the version For using We have been receiving a lot of helps from many people around the world to improve this tool. Thanks so much to everyone who have helped us so far!
See CONTRIBUTORS.md to know who they are. Copyright (C) Mauro Soria (maurosoria@gmail.com) License: GNU General Public License, version 2git clone https://github.com/maurosoria/dirsearch.git --depth 1
(RECOMMENDED)docker build -t "dirsearch:v0.4.3" .
(more information can be found here)pip3 install dirsearch
or pip install dirsearch
sudo apt-get install dirsearch
(deprecated)%EXT%
keyword with extensions from -e flag.%EXT%
(like SecLists), -f | --force-extensions switch is required to append extensions to every word in wordlist, as well as the /
.wordlist1.txt,wordlist2.txt
.index.%EXT%
index
index.asp
index.aspx
admin
admin
admin.php
admin.html
admin/
login.html
login.html
login.jsp
login.jspa
Usage: dirsearch.py [-u|--url] target [-e|--extensions] extensions [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
Mandatory:
-u URL, --url=URL Target URL(s), can use multiple flags
-l PATH, --url-file=PATH
URL list file
--stdin Read URL(s) from STDIN
--cidr=CIDR Target CIDR
--raw=PATH Load raw HTTP request from file (use '--scheme' flag
to set the scheme)
-s SESSION_FILE, --session=SESSION_FILE
Session file
--config=PATH Path to configuration file (Default:
'DIRSEARCH_CONFIG' environment variable, otherwise
'config.ini')
Dictionary Settings:
-w WORDLISTS, --wordlists=WORDLISTS
Customize wordlists (separated by commas)
-e EXTENSIONS, --extensions=EXTENSIONS
Extension list separated by commas (e.g. php,asp)
-f, --force-extensions
Add extensions to the end of every wordlist entry. By
default dirsearch only replaces the %EXT% keyword with
extensions
-O, --overwrite-extensions
Overwrite other extensions in the wordlist with your
extensions (selected via `-e`)
--exclude-extensions=EXTENSIONS
Exclude extension list separated by commas (e.g.
asp,jsp)
--remove-extensions
Remove extensions in all paths (e.g. admin.php ->
admin)
--prefixes=PREFIXES
Add custom prefixes to all wordlist entries (separated
by commas)
--suffixes=SUFFIXES
Add custom suffixes to all wordlist entries, ignore
directories (separated by commas)
-U, --uppercase Uppercase wordlist
-L, --lowercase Lowercase wordlist
-C, --capital Capital wordlist
General Settings:
-t THREADS, --threads=THREADS
Number of threads
-r, --recursive Brute-force recursively
--deep-recursive Perform recursive scan on every directory depth (e.g.
api/users -> api/)
--force-recursive Do recursive brute-force for every found path, not
only directories
-R DEPTH, --max-recursion-depth=DEPTH
Maximum recursion depth
--recursion-status=CODES
Valid status codes to perform recursive scan, support
ranges (separated by commas)
--subdirs=SUBDIRS Scan sub-directories of the given URL[s] (separated by
commas)
--exclude-subdirs=SUBDIRS
Exclude the following subdirectories during recursive
scan (separated by commas)
-i CODES, --include-status=CODES
Include status codes, separated by commas, support
ranges (e.g. 200,300-399)
-x CODES, --exclude-status=CODES
Exclude status codes, separated by commas, support
ranges (e.g. 301,500-599)
--exclude-sizes=SIZES
Exclude responses by sizes, separated by commas (e.g.
0B,4KB)
--exclude-text=TEXTS
Exclude responses by text, can use multiple flags
--exclude-regex=REGEX
Exclude responses by regular expression
--exclude-redirect=STRING
Exclude responses if this regex (or text) matches
redirect URL (e.g. '/index.html')
--exclude-response=PATH
Exclude responses similar to response of this page,
path as input (e.g. 404.html)
--skip-on-status=CODES
Skip target whenever hit one of these status codes,
separated by commas, support ranges
--min-response-size=LENGTH
Minimum response length
--max-response-size=LENGTH
Maximum response length
--max-time=SECONDS Maximum runtime for the scan
--exit-on-error Exit whenever an error occurs
Request Settings:
-m METHOD, --http-method=METHOD
HTTP method (default: GET)
-d DATA, --data=DATA
HTTP request data
--data-file=PATH File contains HTTP request data
-H HEADERS, --header=HEADERS
HTTP request header, can use multiple flags
--header-file=PATH File contains HTTP request headers
-F, --follow-redirects
Follow HTTP redirects
--random-agent Choose a random User-Agent for each request
--auth=CREDENTIAL Authentication credential (e.g. user:password or
bearer token)
--auth-type=TYPE Authentication type (basic, digest, bearer, ntlm, jwt,
oauth2)
--cert-file=PATH File contains client-side certificate
--key-file=PATH File contains client-side certificate private key
(unencrypted)
--user-agent=USER_AGENT
--cookie=COOKIE
Connection Settings:
--timeout=TIMEOUT Connection timeout
--delay=DELAY Delay between requests
--proxy=PROXY Proxy URL (HTTP/SOCKS), can use multiple flags
--proxy-file=PATH File contains proxy servers
--proxy-auth=CREDENTIAL
Proxy authentication credential
--replay-proxy=PROXY
Proxy to replay with found paths
--tor Use Tor network as proxy
--scheme=SCHEME Scheme for raw request or if there is no scheme in the
URL (Default: auto-detect)
--max-rate=RATE Max requests per second
--retries=RETRIES Number of retries for failed requests
--ip=IP Server IP address
--interface=NETWORK_INTERFACE
Network interface to use
Advanced Settings:
--crawl Crawl for new paths in responses
View Settings:
--full-url Full URLs in the output (enabled automatically in
quiet mode)
--redirects-history
Show redirects history
--no-color No colored output
-q, --quiet-mode Quiet mode
Output Settings:
-o PATH, --output=PATH
Output file
--format=FORMAT Report format (Available: simple, plain, json, xml,
md, csv, html, sqlite)
--log=PATH Log file
config.ini
inside your dirsearch directory is used as the configuration file but you can select another file via --config
flag or DIRSEARCH_CONFIG
environment variable.# If you want to edit dirsearch default configurations, you can
# edit values in this file. Everything after `#` is a comment
# and won't be applied
[general]
threads = 25
recursive = False
deep-recursive = False
force-recursive = False
recursion-status = 200-399,401,403
max-recursion-depth = 0
exclude-subdirs = %%ff/,.;/,..;/,;/,./,../,%%2e/,%%2e%%2e/
random-user-agents = False
max-time = 0
exit-on-error = False
# subdirs = /,api/
# include-status = 200-299,401
# exclude-status = 400,500-999
# exclude-sizes = 0b,123gb
# exclude-text = "Not found"
# exclude-regex = "^403$"
# exclude-redirect = "*/error.html"
# exclude-response = 404.html
# skip-on-status = 429,999
[dictionary]
default-extensions = php,aspx,jsp,html,js
force-extensions = False
overwrite-extensions = False
lowercase = False
uppercase = False
capitalization = False
# exclude-extensions = old,log
# prefixes = .,admin
# suffixes = ~,.bak
# wordlists = /path/to/wordlist1.txt,/path/to/wordlist2.txt
[request]
http-method = get
follow-redirects = False
# headers-file = /path/to/headers.txt
# user-agent = MyUserAgent
# cookie = SESSIONID=123
[connection]
timeout = 7.5
delay = 0
max-rate = 0
max-retries = 1
## By disabling `scheme` variable, dirsearch will automatically identify the URI scheme
# scheme = http
# proxy = localhost:8080
# proxy-file = /path/to/proxies.txt
# replay-proxy = localhost:8000
[advanced]
crawl = False
[view]
full-url = False
quiet-mode = False
color = True
show-redirects-history = False
[output]
## Support: plain, simple, json, xml, md, csv, html, sqlite
report-format = plain
autosave-report = True
autosave-report-folder = reports/
# log-file = /path/to/dirsearch.log
# log-file-size = 50000000
python3 dirsearch.py -u https://target
python3 dirsearch.py -e php,html,js -u https://target
python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist
admin/
, it will brute-force admin/*
(*
is where it brute forces). To enable this feature, use -r (or --recursive) flagpython3 dirsearch.py -e php,html,js -u https://target -r
python3 dirsearch.py -e php,html,js -u https://target -r --max-recursion-depth 3 --recursion-status 200-399
/
a/b/c
=> add a/
, a/b/
)--exclude-subdirs
python3 dirsearch.py -e php,html,js -u https://target -r --exclude-subdirs image/,media/,css/
python3 dirsearch.py -e php,htm,js,bak,zip,tgz,txt -u https://target -t 20
python3 dirsearch.py -e php -u https://target --prefixes .,admin,_
tools
tools
.tools
admintools
_tools
python3 dirsearch.py -e php -u https://target --suffixes ~
index.php
internal
index.php
internal
index.php~
internal~
db/
folder, there are several "blacklist files". Paths in those files will be filtered from the scan result if they have the same status as mentioned in the filename.admin.php
into db/403_blacklist.txt
, whenever you do a scan that admin.php
returns 403, it will be filtered from the result.python3 dirsearch.py -e php,html,js -u https://target --exclude-sizes 1B,243KB
python3 dirsearch.py -e php,html,js -u https://target --exclude-texts "403 Forbidden"
python3 dirsearch.py -e php,html,js -u https://target --exclude-regexps "^Error$"
python3 dirsearch.py -e php,html,js -u https://target --exclude-redirects "https://(.*).okta.com/*"
python3 dirsearch.py -e php,html,js -u https://target --exclude-response /error.html
GET /admin HTTP/1.1
Host: admin.example.com
Cache-Control: max-age=0
Accept: */*
--scheme
flag. By default, dirsearch automatically detects the scheme.admin
index.html
ADMIN
INDEX.HTML
Admin
Index.html
python3 dirsearch.py -u https://target -X jsp
admin.php
test.jsp
admin.php
python3 dirsearch.py -e php,html,js -u https://target --subdirs /,admin/,folder/
python3 dirsearch.py -e php,html,js -u https://target --proxy 127.0.0.1:8080
python3 dirsearch.py -e php,html,js -u https://target --proxy socks5://10.10.0.1:8080
python3 dirsearch.py -e php,html,js -u https://target --proxylist proxyservers.txt
python3 dirsearch.py -e php -l URLs.txt --format plain -o report.txt
python3 dirsearch.py -e php -u https://target --format html -o target.json
cat urls.txt | python3 dirsearch.py --stdin
python3 dirsearch.py -u https://target --max-time 360
python3 dirsearch.py -u https://target --auth admin:pass --auth-type basic
python3 dirsearch.py -u https://target --header-list rate-limit-bypasses.txt
curl -fsSL https://get.docker.com | bash
docker build -t "dirsearch:v0.4.3" .
docker run -it --rm "dirsearch:v0.4.3" -u target -e php,html,js,zip
--proxy-list
--suffixes ~
and --prefixes .
--remove-extensions
and --suffixes /
!--cidr
, -F
, -q
and will reduce most of noises + false negatives when brute-forcing with a CIDR--skip-on-status 429
will help you to skip a target whenever it returns 429HEAD
HTTP method instead of GET
--timeout 3 --retries 1