Penetration Testing

A Detailed Guide on Feroxbuster

Feroxbuster is a robust tool designed to identify directories and files on web servers using brute-force techniques. It is frequently utilized in penetration testing and security evaluations to detect concealed paths and resources. Here we are going to discuss about various tasks which we can perform using Feroxbuster.

Table of contents

  • Lab setup
  • Installation
  • Default mode
  • Redirects
  • Extensions
  • Result output
  • User agent
  • Filter status code
  • Quiet mode
  • Controlling threads
  • Custom wordlist
  • Disable recursion
  • Limit recursion depth
  • Force Recursion
  • Filter by character size
  • Filter by number of words
  • Filter by number of lines
  • Filter by status code using deny list
  • Filter by status code using allow list
  • Generating random User-Agent
  • HTTP methods
  • Custom headers
  • Cookies
  • Adding slash
  • Capturing requests in Burp
  • Read target from list
  • Resume from last state
  • Follow redirect
  • Timeout
  • Comparasion between Feroxbuster and other tools
  • Conclusion

Lab setup

Target Machine: 192.168.1.4

Attacker Machine: 192.168.1.31 (Kali Linux)

After setting up a web server in the target machine, we can proceed with the enumeration in the kali linux after installing Feroxbuster.

Installation

To install the Feroxbuster in kali linux, we can use the following command:

apt install feroxbuster

Default mode

Once we are done with the installation, we can proceed with the enumeration part. To perform a default directory brute force, we can use the following the command:

feroxbuster -u http://192.168.1.4

It can be seen from above that the wordlist used in default mode is the raft-medium-directories.txt.

To get a less verbose output, we can use the –silent flag to hide the non-essential data.

feroxbuster -u http://192.168.1.4 --silent

Redirects

In order to allow the Feroxbuster to continue the directory brute forcing on the redirected URL, we can use the -r or –redirect flag. For example if http://192.168.1.4 redirects to http://192.168.1.4/newpath, Feroxbuster will follow this redirection and continue to scan http://192.168.1.4/newpath for directories and files.

feroxbuster -u http://192.168.1.4 -r

Extensions

To perform brute-force for a particular type of file extension, the -x or –extensions flag can be used.

feroxbuster -u http://192.168.1.4 -x php,txt --silent

Result output

If we want to log the output, we use the –output flag and then mentioning the file name.

feroxbuster -u http://192.168.1.4 --output results.txt

User agent

To set up a custom user agent to send request at the server, we can use the -a or –user-agent flag. By default, the user agent used by Feroxbuster is feroxbuster/<version>.

feroxbuster -u http://192.168.1.4 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

Filter status code

There are times when we need to skip certain status codes responses, so we can use the -C or –filter-status, to skip the results of the mentioned codes. If we want to include a particular status code in output, we can use the -s or –status-codes flag.

feroxbuster -u http://192.168.1.4 -C 403,404

Quiet mode

To present the output without showing the progress bar or banner, we can use the quite mode by giving the -q or –quiet flag.

feroxbuster -u http://192.168.1.4 -q

Controlling threads

To control the number of concurrent threads depending on the environment type, we can use the –threads or -t flag. The default threads value is 50.

feroxbuster -u http://192.168.1.4 -t 20

Custom wordlist

To use a custom wordlist, we can use the -w or –wordlist flag and then give the wordlist path. Here we are giving the common.txt file path.

feroxbuster -u http://192.168.1.4 -w /usr/share/wordlists/dirb/common.txt

Disable recursion

To allow the scanning of only top level directories, we can set the -n or –no-recursion flag to disable the recursive scanning.

feroxbuster -u http://192.168.1.4 -n

Limit recursion depth

To set a limit on the depth of recursion, we can use the -L or –scan-limit.

feroxbuster -u http://192.168.1.4 -L 4

Force Recursion

To ensure that the recursion is used, we can use the –force-recursion flag.

feroxbuster -u http://192.168.1.4 --force-recursion

Filter by character size

To filter out the messages of a particular length, we can use the -S or –filter-size flag. This will filter based on character size.

feroxbuster -u http://192.168.1.4 -q
feroxbuster -u http://192.168.1.4 -q -S 285,286,283,289

Filter by number of words

To filter out the results using number of words filter, we can use the -w or –filter-words flag.

feroxbuster -u http://192.168.1.4 -q
feroxbuster -u http://192.168.1.4 -q -W 33

Filter by number of lines

To filter out the results using number of words filter, we can use the -N or –filter-lines flag.

feroxbuster -u http://192.168.1.4 -q
feroxbuster -u http://192.168.1.4 -q -N 9

Filter by status code using deny list

To filter the results using status codes (deny list), we can use the –filter-status flag.

feroxbuster -u http://192.168.1.4 -q
feroxbuster -u http://192.168.1.4 -q --filter-status 404

Filter by status code using allow list

To filter the results using status codes (allow list), we can use the –status-codes flag.

feroxbuster -u http://192.168.1.4 -q
feroxbuster -u http://192.168.1.4 -q --status-codes 200,301

Generating random User-Agent

To use a random user agent for every request, we can use the -A flag. Here we have used the –burp flag simultaneously to show how the user agent looks in the requests.

feroxbuster -u http://192.168.1.4 -A --burp

HTTP methods

To explicitly define the HTTP methods to be used, we can use the -m flag and then state the method to be used like POST. The default method is GET while running the Feroxbuster.

feroxbuster -u http://192.168.1.4 -m POST

Custom headers

To explicitly define the request header to be used, we can use the -H flag and then state the header alongwith the value to be used like ‘Content-Type: application/x-www-form-urlencoded’. Here we have used the –burp flag simultaneously to show how the user agent looks in the requests.

feroxbuster -u http://192.168.1.4 -H 'Content-Type: application/x-www-form-urlencoded' --burp -q

Cookies

To use a specific cookie value in all the requests, we can mention the cookies header alongwith the value. The flag which can be used here is –cookies or -b. Here we have used the –burp flag simultaneously to show how the cookie looks in the requests.

feroxbuster -u http://192.168.1.4 --cookies PHPSESSID=t54ij15l5d51i2tc7j1k1tu4p4 --burp -q

Adding slash

To add a slash (/) after every request, we can use the -f or –add-slash flag.

feroxbuster -u http://192.168.1.4 -f

Capturing requests in Burp

To capture a request in Burp Suite, we can use the –burp flag while running the scan.

feroxbuster -u http://192.168.1.4 --burp

Read target from list

To perform the scanning on the targets provided in the list, we can use the following command:

cat target.txt
cat target.txt| feroxbuster --stdin -q

 

Resume from last state

If we wish to resume the scan from the last state, we can use the –resume-from flag and provide the .state file. There are times when we need to terminate the scan in between, so Feroxbuster will save the results in the file.

feroxbuster -u http://192.168.1.4 -q
feroxbuster --resume-from ferox-http_192_168_1_4-1723370176.state -q

Follow redirect

While scanning if there are requests which result in the redirection, so we can control that by allowing the clients to follow the redirects using -r flag.

feroxbuster -u http://192.168.1.4  -r

Timeout

To setup a timeout limit, we can use the -T flag. This determines the amount of time the Feroxbuster wil wait for the server response before terminating the scan. By default, this value is set to 7 seconds, however we can modify it by using the flag.

feroxbuster -u http://192.168.1.4

The above image shows the default timeout limit used and now we are going to modify it to 5 seconds.

feroxbuster -u http://192.168.1.4 -T 5

Comparasion between Feroxbuster and other tools

  • Feroxbuster stands out for its comprehensive set of features, including extensive response filtering, Burp Suite integration, and customization options. It provides a balance between advanced functionality and user control, making it a powerful choice for detailed and nuanced directory and file brute-forcing.
  • DirBuster is user-friendly with its GUI but may not be as fast or flexible as command-line tools like Feroxbuster.
  • Gobuster offer speed and efficiency but with fewer advanced features and less flexibility compared to Feroxbuster.
  • ffuf provides high performance and extensive filtering but can be complex to configure and use.

Conclusion

In conclusion, we can say that Feroxbuster is an excellent choice for those requiring precise control over their scanning processes, advanced filtering capabilities, and the ability to integrate with other tools.

Author: Vinayak Chauhan is an InfoSec researcher and Security Consultant. Contact here