File and Directory Bruteforcing

Some common feroxbuster switches

./feroxbuster --threads 4 --scan-limit 2 --rate-limit 2
./feroxbuster --threads 2 --scan-limit 4 --rate-limit 2

Methodology

Important note: the goal is to surface additional hidden files, if any exist, not to run the scan to completion. The first hits already tell you how the developer names files. Instead of waiting for a scan that may take many hours, spend that time on other web apps or pages looking for low-hanging fruit. File/directory bruteforcing is a long shot; it is not guaranteed to be useful. Run it as a parallel activity: you are not waiting for it to finish, and if it finds nothing, your other activities are unaffected.

./feroxbuster --url https://www.website.com --wordlist index_wordlist.txt --threads 2 --scan-limit 4 --extensions EXTENSIONS
feroxbuster --url https://website.com --wordlist PathToSecLists/Discovery/Web-Content/raft-medium-directories.txt --threads 2 --scan-limit 4
feroxbuster --url https://website.com/IDENTIFIEDDIRECTORY --wordlist PathToSecLists/Discovery/Web-Content/raft-medium-files.txt --threads 2 --scan-limit 4
feroxbuster --url https://website.com --wordlist FullUrlWordList.txt --threads 2 --scan-limit 4
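The throttled scans above (low --threads, --scan-limit and --rate-limit) are also what a defender has to detect, so here is the other side of the same activity. This is an added example, not code from the article or from the feroxbuster project: it parses web server access-log lines in the combined format (an assumption; adjust the regex for other formats) and flags any client that issues a burst of mostly-404 requests inside a sliding window, which is the trace a wordlist scan leaves regardless of its user agent. The log lines, IP addresses, paths and thresholds are all constructed for the example.

```python
"""Spot file/directory bruteforcing in access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumed; adapt the regex to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def detect_bruteforce(lines, window_seconds=60, min_requests=20, min_404_ratio=0.8):
    """Return {ip: (requests, not_found)} for each client that, inside some
    window_seconds-long sliding window, sent at least min_requests requests of
    which at least min_404_ratio were 404s. Values are from the first window
    that crossed the thresholds."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, _path, status = rec
            per_ip[ip].append((ts, status))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the window spans at most window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            not_found = sum(1 for _, s in window if s == 404)
            if len(window) >= min_requests and not_found / len(window) >= min_404_ratio:
                flagged[ip] = (len(window), not_found)
                break
    return flagged


def sample_log():
    """Constructed log: one scanner (198.51.100.7) walking a small wordlist at
    one request per second, one ordinary visitor (203.0.113.5)."""
    base = "10/Oct/2023:13:55:%02d +0000"
    wordlist = ["admin", "backup", "old", "test", "dev", "config", "tmp", "logs", "api",
                "uploads", "static", "private", "db", "secret", "data", "bak", "src",
                "scripts", "cgi-bin", "debug", "staging", "archive", "internal", "hidden",
                "vendor"]
    lines = []
    for i, word in enumerate(wordlist):
        status = 200 if word in ("admin", "api") else 404  # two real hits, rest 404
        lines.append(f'198.51.100.7 - - [{base % i}] "GET /{word}/ HTTP/1.1" {status} 162 '
                     f'"-" "feroxbuster/x.y.z"')
    for i, page in enumerate(["/", "/about", "/contact", "/products", "/cart"]):
        lines.append(f'203.0.113.5 - - [{base % (i * 10)}] "GET {page} HTTP/1.1" 200 5120 '
                     f'"-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, (total, nf) in detect_bruteforce(sample_log()).items():
        print(f"{ip}: {total} requests, {nf} x 404 within one window")
```

The check deliberately ignores the User-Agent header, since a scanner can set any value it likes; request volume and the 404 ratio are harder to hide, and the rate-limited invocations shown earlier simply stretch the burst over a longer window, which is why window_seconds and min_requests should be tuned against your own baseline rather than left at these constructed defaults.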
