DirBuster is an application written in Java; it can be launched from Kali's main menu or from a terminal using the dirbuster command. The steps to run a scan with it are as follows:
- Navigate to Applications | 03 - Web Application Analysis | Web Crawlers & Directory Bruteforcing | Dirbuster.
- In the DirBuster window, set the target URL to http://192.168.56.11/.
- Set the number of threads to 20 to have a decent testing speed.
- Select List based brute force and click on Browse.
- In the browsing window, select the file we just created (dir_dictionary.txt).
- Uncheck the Be Recursive option.
- For this recipe, we will leave the rest of the options at their defaults.
- Click on Start.
- If we go to the Results tab, we will see that DirBuster has found at least two of the entries in our dictionary: cgi-bin and phpmyadmin. A response code of 200 means that the file or directory exists and can be read. phpMyAdmin is a web-based MySQL administration tool; finding a directory with this name tells us that there is a database management system (DBMS) on the server, and it may contain relevant information about the application and its users.
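A scan like the one above leaves a very recognisable trace in the target's web server logs: a burst of requests from one client, most of them answered with 404, with the occasional 200 or 403 marking a path the wordlist guessed correctly. The following script is an added example (not part of the original recipe or of DirBuster) that shows how a defender can spot that pattern in an Apache/Nginx combined-format access log and list which paths the scanner actually discovered. The log lines, client addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (combined format). Client 10.0.0.5 behaves like a
# wordlist-based directory brute-forcer: many requests in a few seconds, mostly
# 404s, with two hits (/cgi-bin/ and /phpmyadmin/). Client 10.0.0.9 is a normal visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /cgi-bin/ HTTP/1.1" 200 652 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /config/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /images/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 4875 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /tmp/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:05 +0000] "GET /style.css HTTP/1.1" 200 802 "-" "Mozilla/5.0"
"""

# Matches the fields of the Apache/Nginx "combined" log format that we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def parse_log(text):
    """Parse a whole log, silently skipping lines that do not match the format."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def find_scanners(entries, min_requests=6, min_not_found_ratio=0.6, window_seconds=60):
    """Flag clients that issued a burst of requests dominated by 404s.

    A client is flagged when at least `min_requests` of its requests fall inside
    any `window_seconds`-wide window AND at least `min_not_found_ratio` of all its
    requests returned 404 (the signature of guessing paths from a wordlist).
    For each flagged client, the paths that answered 200 or 403 are reported:
    those are the resources the scan actually revealed. Thresholds are example values.
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda e: e["ts"])
        # Sliding window over the client's requests, ordered by timestamp.
        start, burst = 0, False
        for end in range(len(reqs)):
            while (reqs[end]["ts"] - reqs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_requests:
                burst = True
                break
        if not burst:
            continue
        not_found = sum(1 for e in reqs if e["status"] == 404)
        ratio = not_found / len(reqs)
        if ratio < min_not_found_ratio:
            continue
        discovered = sorted({e["path"] for e in reqs if e["status"] in (200, 403)})
        findings[ip] = {
            "requests": len(reqs),
            "not_found_ratio": round(ratio, 2),
            "discovered": discovered,
        }
    return findings


if __name__ == "__main__":
    for ip, info in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['requests']} requests, "
              f"{info['not_found_ratio']:.0%} not found, exposed paths: {info['discovered']}")
```

On the sample log this flags only 10.0.0.5 and reports /cgi-bin/ and /phpmyadmin/ as the paths it exposed, which is exactly the list a defender needs in order to decide whether those directories should be reachable at all. Counting 403s as "discovered" is deliberate: a forbidden response still confirms that the path exists, and an attacker reads it the same way.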