LinuxCommandLibrary

dirbuster

Discover web server directories and files

TLDR

Start in GUI mode, optionally pre-filling the target URL

$ dirbuster -u [http://example.com]

Start in headless (no GUI) mode against a target

$ dirbuster -H -u [http://example.com]

Set the file extension list for a headless scan

$ dirbuster -H -u [http://example.com] -e [txt,html]

Enable verbose output

$ dirbuster -H -u [http://example.com] -v

Write the scan report to a file

$ dirbuster -H -u [http://example.com] -r [path/to/report.txt]

SYNOPSIS

dirbuster [-H] [-u url] [-e ext,ext,...] [-v] [-r report]
java [java_options] -jar /path/to/DirBuster.jar [-H] [-u url] [-e ext,ext,...] [-v] [-r report]

PARAMETERS

java -jar /path/to/DirBuster.jar
    Runs the DirBuster jar directly; the dirbuster command shipped by distributions such as Kali Linux is a small wrapper script that does the same. JVM options (see -Xmx and -D below) must come before -jar, and DirBuster's own options come after the jar name. DirBuster is primarily a GUI tool, but it also accepts the headless-mode options listed here.

-H
    Run headless, without the GUI. A target URL (-u) is required in this mode, and the scan options below only take effect together with -H.

-u <url>
    Target URL including the scheme, for example http://example.com. Without -H it only pre-fills the target field in the GUI.

-e <ext,ext,...>
    Comma-separated list of file extensions, without the leading dot, to append to each wordlist entry when testing for files, for example txt,html.

-v
    Print more detailed output while the scan runs.

-r <file>
    Path of the report file to write when the headless scan finishes.

-Xmx<size>
    (JVM option, placed before -jar) Sets the maximum Java heap size; -Xmx1G allows 1 GiB. Raise it when a scan with a large wordlist, several extensions or deep recursion runs out of memory.

-D<property>=<value>
    (JVM option, placed before -jar) Sets a JVM system property. The standard Java proxy properties are http.proxyHost, http.proxyPort, https.proxyHost and https.proxyPort, but DirBuster's HTTP client is not guaranteed to honour them, so configure a proxy through DirBuster's own settings where possible.

DESCRIPTION

DirBuster is a multi-threaded Java application that brute-forces web servers for directories and files that are not linked from any page. Penetration testers use it to find forgotten or unprotected content (administrative interfaces, backup archives, configuration files, old copies of an application) that widens the attack surface of a target.

It works by issuing an HTTP request for every candidate path built from a wordlist, optionally with each entry in a list of file extensions appended, or from a pure brute-force character set. The bundled wordlists were built from directory and file names crawled from real sites; Kali Linux installs them under /usr/share/dirbuster/wordlists/. Each response is classified by status code: 200 means the path exists, 403 means it exists but access is denied (still worth recording), 404 means it does not. Because many applications return a custom "not found" page with status 200, DirBuster first requests a path that cannot exist and records the server's response to it; candidates whose response matches that baseline are discarded instead of being reported as hits. It can recurse into each directory it finds, route requests through a proxy, and send custom HTTP headers. Its full functionality is driven from the GUI, while the headless options allow basic unattended scans from the command line.
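The mechanism described above, as an added example written for this page rather than DirBuster's own code: a small scanner that requests each wordlist entry as a directory and as a file with each extension, records the server's answer to a path that cannot exist, and reports only responses that differ from it. The target site, its paths, the soft-404 page and the wordlist are constructed for the example and served in-process, so it runs offline.

```python
"""Model of the technique DirBuster automates: request every candidate path,
classify it by HTTP status, and first learn what this server's "not found"
response looks like so a custom 404 page served with status 200 is not
reported as a hit. The target is a constructed in-process site."""
import hashlib
import http.server
import secrets
import threading
import urllib.error
import urllib.request

# Constructed sample site: one real directory, one forbidden file, one
# redirect, and a "soft 404" that answers 200 with an error page for
# anything else.
KNOWN = {
    "/admin/": (200, b"<h1>Admin login</h1>", None),
    "/backup.zip": (403, b"Forbidden", None),
    "/old/": (301, b"", "/admin/"),
}
SOFT404 = b"<html><body>Sorry, that page does not exist.</body></html>"


class SiteHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, body, location = KNOWN.get(self.path, (200, SOFT404, None))
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_site():
    """Start the sample site on a free localhost port; return (server, base_url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), SiteHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect is itself evidence that the path exists."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoRedirect)


def fetch(url):
    """Return (status, sha256 of body) for one request; 3xx/4xx are data, not errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirbuster-style-demo"})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, hashlib.sha256(resp.read()).hexdigest()
    except urllib.error.HTTPError as err:
        return err.code, hashlib.sha256(err.read()).hexdigest()


def not_found_fingerprint(base):
    """DirBuster's 'fail case' check: request a random path that cannot exist
    and remember exactly how the server answers."""
    return fetch(f"{base}/{secrets.token_hex(8)}")


def brute_force(base, words, extensions=("",)):
    """Test each word as a directory ("" extension) and as a file with every
    other extension; return [(path, status)] for each response that differs
    from the not-found fingerprint. A 403 is kept: the resource exists."""
    fail = not_found_fingerprint(base)
    hits = []
    for word in words:
        for ext in extensions:
            path = f"/{word}/" if ext == "" else f"/{word}.{ext}"
            status, digest = fetch(base + path)
            if (status, digest) != fail:
                hits.append((path, status))
    return hits


if __name__ == "__main__":
    srv, base = start_site()
    for path, status in brute_force(base, ["admin", "backup", "old", "uploads"],
                                    ("", "zip", "txt")):
        print(f"{status} {path}")
    srv.shutdown()
```

The fingerprint comparison here is an exact hash of the body, which works because the constructed error page is identical for every unknown path. Real "not found" pages often echo the requested path or a timestamp, so a practical scanner compares response sizes within a tolerance or strips the echoed path before hashing; without that step a soft-404 site reports every wordlist entry as a hit.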

CAVEATS

DirBuster is designed around its GUI. Headless mode (-H) covers the basic settings (target, extensions, verbosity, report file) but not everything the GUI exposes, which is why CLI-native tools such as gobuster and ffuf are usually preferred for scripted or automated enumeration. It requires a Java Runtime Environment (JRE). As a brute-forcing tool it sends one request per candidate path, so a large wordlist combined with several extensions means hundreds of thousands of requests: this loads the target, fills its access logs and is likely to trip rate limiting or a WAF, so size the wordlist and thread count to the engagement. Always ensure you have explicit, written permission before running DirBuster against any target system.

HISTORY

DirBuster was written by James Fisher and maintained as an OWASP (Open Web Application Security Project) project. It gained significant popularity among penetration testers, especially once it was pre-installed in security-focused Linux distributions such as BackTrack and later Kali Linux, and its usage peaked in the late 2000s and early 2010s; the last release is 1.0-RC1. The OWASP project is now inactive, and its forced-browsing functionality lives on as the Forced Browse add-on for OWASP ZAP, which reuses the DirBuster wordlists. DirBuster itself still works and is still packaged in many toolsets, but newer CLI-focused alternatives such as Gobuster and ffuf have taken over automated scanning tasks.

SEE ALSO

gobuster(1): A Go-based, fast CLI directory/file brute-forcer.
ffuf(1): A fast web fuzzer, often used for directory and file enumeration.
wfuzz(1): A powerful web application fuzzer with extensive options for directory discovery.
nikto(1): A web server scanner that includes directory enumeration as part of its checks.
dirb(1): Another classic CLI web content scanner, similar in purpose to DirBuster.
