Dirb — A web content scanner

Ajay Manoharan
Oct 30, 2017 · 3 min read
Dirb Using Kali Linux

DIRB is a command-line tool that brute-forces directories and files on a web server using wordlists. For each word it makes an HTTP request and records the HTTP response code.

It ships with a default wordlist of around 4000 words for the brute-force scan; many updated wordlists are available on the internet and can be used instead. Dirb tries every word in its wordlist against each directory or object of a website or server. What it finds might be an admin panel or a subdirectory that is vulnerable to attack. The key is finding these objects, since they are generally hidden.

via GitHub: https://github.com/seifreed/dirb
via SourceForge: https://sourceforge.net/projects/dirb/

The purpose of DIRB is to help with professional web application auditing in security testing. DIRB looks for almost all the web objects that other generic CGI scanners can’t find. It doesn’t look for vulnerabilities; it looks for web content that can be vulnerable.

Once we have a terminal open, type the command to get the help screen.

As you can see in the screenshot above, DIRB’s syntax is very simple, with multiple options. In its simplest form, we only need to type the command followed by the URL of the website we are testing.

With Dirb’s default wordlist file it searches the URL for 4612 object types. Let’s try it on the test site webscantest.com.

DIRB begins the scan looking for those keywords among the website objects.

The results are listed with the response code and the file size for each request. Dirb also recurses into every folder that returns response code 200: it searches those folders with the whole wordlist and displays the results.

Finally, when DIRB is done, it reports the number of found objects (113 in this case). Note that, as shown in the help screen above, the -o switch sends the results to a text file.
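A scan like the one above leaves a distinctive footprint on the server side: one client requesting hundreds of distinct wordlist paths within seconds, almost all answered with 404, with the few non-404 responses being exactly the objects the scan found. As an added example that is not part of the original post, here is a small detector that runs that logic over constructed Apache combined-format access-log lines; the thresholds, IPs and paths are assumptions chosen for the sample, not dirb’s own values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')

def parse_line(line):
    """Return the fields the detector needs from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}

def detect_wordlist_scan(lines, window_s=60, min_requests=20, min_404_ratio=0.8):
    """Flag IPs that, within any window_s-second span, request at least min_requests distinct
    paths of which min_404_ratio or more return 404 (a wordlist walk, not a page being reloaded)."""
    by_ip = defaultdict(list)
    for line in lines:
        if rec := parse_line(line):
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1  # slide the window so it spans at most window_s seconds
            window = recs[start:end + 1]
            n, n404 = len(window), sum(r["status"] == 404 for r in window)
            distinct = len({r["path"] for r in window})
            if n >= min_requests and distinct == n and n404 / n >= min_404_ratio \
                    and (best is None or n > best["requests"]):
                # the non-404 paths are the objects the scan actually found; triage those first
                best = {"requests": n, "not_found": n404,
                        "hits": sorted(r["path"] for r in window if r["status"] != 404)}
        if best:
            flagged[ip] = best
    return flagged

# Constructed sample log (not real traffic): 10.0.0.5 walks 25 wordlist paths in nine seconds,
# two of which exist; 192.0.2.10 just reloads the front page 25 times.
WORDS = ["admin", "backup", "cgi-bin", "config", "images", "login", "old", "test", "tmp", "upload"] + [f"dir{i}" for i in range(15)]
EXISTING = {"admin", "images"}
SAMPLE_LOG = [f'10.0.0.5 - - [30/Oct/2017:10:00:{i // 3:02d} +0000] "GET /{w}/ HTTP/1.1" '
              f'{200 if w in EXISTING else 404} {512 if w in EXISTING else 209}'
              for i, w in enumerate(WORDS)]
SAMPLE_LOG += [f'192.0.2.10 - - [30/Oct/2017:10:00:{i:02d} +0000] "GET /index.html HTTP/1.1" 200 4096'
               for i in range(25)]
```

Running `detect_wordlist_scan(SAMPLE_LOG)` flags only 10.0.0.5, reporting 25 requests, 23 of them 404, with /admin/ and /images/ as the discovered objects.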

We can use DIRB to test for specific vulnerable objects within specific web technologies. Each web technology has different vulnerabilities; they are NOT all the same. DIRB can help us look for the vulnerable objects specific to a particular technology.

In Kali, DIRB has specific wordlists for these vulnerable, often hidden objects. You can find them at:

As you can see above, there is a wordlist file for each specific vulnerability to test. If your web server is Apache and you want to test it, use apache.txt.

Tech Zoom

Technical ramblings from ZoomRx techies about Mobile and WebApps

Written by Ajay Manoharan, Test Automation engineer
