LinuxCommandLibrary

feroxbuster

Discover hidden web directories and files

TLDR

Discover specific directories and files that match in the wordlist with extensions and 100 threads and a random user-agent

$ feroxbuster --url "[https://example.com]" --wordlist [path/to/file] --threads [100] --extensions "[php,txt]" --random-agent
copy

Enumerate directories without recursion through a specific proxy
$ feroxbuster --url "[https://example.com]" --wordlist [path/to/file] --no-recursion --proxy "[http://127.0.0.1:8080]"
copy

Find links in webpages
$ feroxbuster --url "[https://example.com]" --extract-links
copy

Filter by a specific status code and a number of chars
$ feroxbuster --url "[https://example.com]" --filter-status [301] --filter-size [4092]
copy

SYNOPSIS

feroxbuster [OPTIONS] -u <URL> [-w <WORDLIST> ...]
feroxbuster -u <URL> --stdin

PARAMETERS

-u, --url
    The target URL to scan. Multiple URLs can be specified or read from a file by prepending the argument with `@` (e.g., `@urls.txt`).

-w, --wordlist
    Path to a wordlist file to use for brute-forcing. Multiple wordlists can be provided.

-x, --extensions
    Comma-separated list of extensions to append to each word (e.g., html,php,bak). Wildcard `*` can be used to load extensions from a built-in list.

-s, --status-codes
    Comma-separated list of HTTP status codes to include in results (e.g., 200,301,403). Default: 200,204,301,302,307,308.

-C, --dont-filter
    Comma-separated list of HTTP status codes to not filter. Overrides default filtering and other filtering options.

--filter-size
    Comma-separated list of response sizes (in bytes) to filter out from results.

--filter-wordcount
    Comma-separated list of response word counts to filter out.

--filter-linecount
    Comma-separated list of response line counts to filter out.

-k, --no-recursion
    Disables recursive scanning; only scans the top-level directory provided by the URL.

-d, --depth
    Maximum recursion depth for directories. Default is 4.

-t, --threads
    Number of concurrent threads to use for scanning. Default is 50.

-H, --headers
    Add a custom HTTP header to requests (e.g., "Authorization: Bearer token"). Can be used multiple times.

-A, --user-agent
    Set a custom User-Agent string for requests. Default is `feroxbuster/version`.

--insecure
    Disables SSL certificate verification, allowing connections to servers with invalid or self-signed certificates.

--extract-links
    Extracts links from HTML responses and adds them to the scan queue for further discovery.

--data
    HTTP method and POST data (e.g., "POST /path/to/data.json"). This will send a POST request with the specified data.

--config
    Path to a TOML configuration file for predefined settings, overriding command-line arguments if conflicts exist.

DESCRIPTION

Feroxbuster is an open-source, fast, and powerful web content discovery tool written in Rust. It is designed for penetration testers and bug bounty hunters to efficiently find hidden directories, files, and other assets on web servers by brute-forcing.

Key features include:

  • Recursive directory discovery: Automatically follows redirects and explores deeper into the web application structure.
  • Intelligent filtering: Filters out unwanted responses (e.g., 404s, specific content lengths) to reduce noise and focus on relevant findings.
  • Dynamic runtime configuration: Allows modifications to scan parameters while a scan is in progress.
  • Concurrency: Highly multi-threaded for speed and efficiency.
  • Payloads: Supports multiple wordlists, extensions, and custom HTTP headers.
  • WAF Bypass: Includes options to evade Web Application Firewalls.
  • Data extraction: Can extract links from HTML responses for further analysis and queueing.
It aims to provide comprehensive insights into a web application's attack surface, surpassing traditional tools in speed and flexibility.

CAVEATS

Ethical Considerations: Always ensure you have explicit permission before scanning any target. Unauthorized scanning can be illegal and may lead to legal repercussions.

Resource Usage: High thread counts can consume significant network bandwidth and target server resources, potentially leading to denial of service or network congestion. Use responsibly.

False Positives/Negatives: While `feroxbuster` employs intelligent filtering, it might occasionally miss valid paths or report non-existent ones. Fine-tuning filters and using dynamic filtering can improve accuracy.

WAFs/IPS: Aggressive scanning patterns can trigger Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS), potentially leading to IP blocking, CAPTCHAs, or other defensive measures.

CONFIGURATION FILES

Feroxbuster supports configuration files (default: ferox-buster.toml in the current directory or ~/.config/feroxbuster/ferox-buster.toml). These TOML-formatted files allow users to define default settings, wordlists, status codes, and other options, significantly simplifying complex or repetitive scans by centralizing configurations.

OUTPUT FORMATTING

Feroxbuster provides various output options to suit different needs. The --json flag outputs results in a structured JSON format, enabling easy integration with other tools or scripts for automated analysis. Additionally, a quiet mode (-q) is available for minimal output, focusing only on the discovered resources without verbose logging, ideal for scripting.

DYNAMIC FILTERING

Beyond static size, word, or line count filtering, `feroxbuster` can perform dynamic filtering. This advanced feature automatically calculates a statistical baseline of typical error or non-existent page responses and then filters out entries that match this baseline, effectively reducing noise and highlighting truly unique findings.

HISTORY

Feroxbuster was created by Mark Baggett (@epi052) and first released in 2019. It emerged from a desire for a faster and more flexible web content discovery tool that could leverage modern programming paradigms. Developed in Rust, it aimed to improve upon the performance and concurrency capabilities of existing tools. Since its inception, `feroxbuster` has rapidly gained popularity within the cybersecurity community due to its speed, robust recursive scanning abilities, and continuous development, establishing itself as a go-to tool for reconnaissance during penetration tests and bug bounty hunting.

SEE ALSO

gobuster(1), dirb(1), nikto(1), ffuf(1)

Copied to clipboard