11 Directory Bruteforce
Summary
TL;DR: The video script discusses the concept of directory brute force attacks, a technique used to uncover hidden pages and content on web applications. It emphasizes the importance of the wordlist used in the attack, as a larger list can potentially reveal more content. The script introduces tools like DirBuster, First Search, and Gobuster for performing directory brute force. The tutorial demonstrates setting up a web server with predefined content and using the DirBuster tool to attempt a brute force against a web application. It explains the command-line usage of DirBuster to target specific file extensions, such as .php, and concludes with the results of the brute force attempt, showcasing the discovered content.
Takeaways
- The video discusses a technique called 'directory bruteforce', which is an attack aimed at discovering hidden pages and content on a web application.
- The success of a directory bruteforce attack depends on the list of words, or 'wordlist', used, with a larger list potentially revealing more web content.
- The video mentions several tools that can be used for directory bruteforcing, including DirBuster, First Search, and Gobuster.
- The tutorial is conducted using Kali Linux, which is a pre-configured environment for such attacks, with a web application already provided for practice.
- The presenter demonstrates how to use the web application by dragging and dropping it into the Kali Linux environment.
- The video shows the process of starting a web server with content that has been previously copied, accessible via a specific port.
- The presenter tests the web server by accessing it through a browser, using 'localhost' and the specified port number.
- The tutorial then moves on to performing a bruteforce attack, starting with opening a new terminal for the purpose.
- The DirBuster tool is highlighted for its ease of use, and the video explains how to run it with specific parameters to filter for certain file extensions, such as '.php'.
- The DirBuster tool is run with a command that includes the target web server's address and the desired file extension, aiming to find hidden '.php' files.
- After the bruteforce process, the tool displays the content found, listing any discovered pages or files from the target web address.
- The video concludes with a summary of the bruteforce method using one of the tools in Kali Linux and an invitation to the next video.
Q & A
What is the main topic of the video script?
- The main topic of the video script is discussing and demonstrating directory brute-force attacks on web applications.
What is a directory brute-force attack?
- A directory brute-force attack is a technique where an attacker uses a list of words or phrases to attempt to find hidden pages and content on a web application.
What are the tools mentioned in the script that can be used for directory brute-force attacks?
- The tools mentioned in the script for directory brute-force attacks are dirb, TheHarvester, and Gobuster.
What is the significance of the wordlist in a brute-force attack?
- The wordlist is crucial in a brute-force attack, as the success of discovering hidden content on a web application depends on the number of words in the list. The more words in the list, the higher the chance of finding hidden content.
What is the role of Kali Linux in the demonstration provided in the script?
- Kali Linux is used as the platform to run the brute-force attack. It is pre-configured with the necessary tools and web application for the demonstration.
How is the web application prepared for the demonstration in the script?
- The web application for the demonstration is prepared by copying its content into the Kali Linux environment, where it can then be accessed and manipulated during the attack.
What is the purpose of running a web server in the context of the script?
- The purpose of running a web server in the script is to host the content that will be targeted by the brute-force attack, simulating a real-world scenario.
What command is used to start the web server in the script?
- The command used to start the web server in the script is 'python -m http.server' with a specified port, such as 8000.
How does the script differentiate between the initial terminal and the one used for the brute-force attack?
- The script differentiates by using 'Ctrl + Alt + T' to open a new terminal for the brute-force attack, while the initial terminal is used to run the web server service.
What is the command used to run the brute-force attack with the tool dirb in the script?
- The command used to run the brute-force attack with dirb in the script is 'dirb http://localhost:port -X .php', where 'localhost:port' is the address of the web server and '-X .php' specifies the file extension to target.
What does the script suggest will be the outcome of a successful brute-force attack?
- A successful brute-force attack will result in the discovery of hidden content, such as index.php, login.php, register.php, and other files, which will be displayed after the attack is completed.
Outlines
Introduction to Directory Brute Force
This paragraph introduces the concept of directory brute force, a type of attack focused on uncovering hidden pages and content on web applications. It explains that the technique involves checking content using wordlists, which are collections of potential website names. The success of a brute force attack depends on the quality and quantity of words in the wordlist. Several tools, such as DirBuster, Feroxbuster, and Gobuster, are mentioned as useful for conducting directory brute force attacks. The example uses Kali Linux to demonstrate how to carry out such an attack, starting with setting up the environment and preparing the necessary web server and files.
Performing a Brute Force Attack Using DirBuster
This paragraph details the step-by-step process of conducting a brute force attack using the DirBuster tool on Kali Linux. The procedure includes launching the Kali Linux environment, preparing the web server by dragging and dropping the web files onto the desktop, and running the web server on port 8000. After verifying that the web server is running, another terminal is opened to differentiate between the service-running terminal and the attack-executing terminal. The example demonstrates using DirBuster to filter and brute force files with the '.php' extension, detailing the specific commands and parameters used. The result of the brute force attack reveals several hidden files, such as index.php, login.php, and register.php.
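The procedure above leaves a characteristic trace on the server side: a burst of 404 responses from one client for paths that all share the requested extension. As an added example that is not part of the video or its course material, the following defender-side check flags such bursts in an access log. It assumes Combined Log Format lines (the sample lines are constructed), and the 60-second window and ten-miss threshold are assumed starting values, not figures from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format (Apache/nginx); the same rule applies to the 404 lines
# of the PHP or Python development server once they are parsed into records.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) '
                    r'[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def find_scanners(lines, window_s=60, min_404=10):
    """Map client IP -> (total 404s, distinct missed paths) for every client that
    produced at least min_404 404s inside some window_s-second window: the burst
    of misses a wordlist-driven tool such as dirb leaves behind."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in misses.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over this client's misses
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= min_404:
                flagged[ip] = (len(recs), len({r["path"] for r in recs}))
                break
    return flagged

def _line(ip, sec, path, status):  # helper that builds one constructed log line
    return f'{ip} - - [27/Feb/2024:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 153 "-" "-"'

# Constructed sample: 10.0.0.5 walks a list of .php names (12 misses and 2 hits
# in 14 seconds) while 192.168.1.20 browses normally and mistypes one URL.
WORDS = ["a", "abc", "about", "access", "account", "adm", "api", "archive",
         "backup", "bin", "cgi", "data"]
SAMPLE_LOG = [_line("10.0.0.5", i, f"/{w}.php", 404) for i, w in enumerate(WORDS)]
SAMPLE_LOG += [_line("10.0.0.5", 12, "/login.php", 200),
               _line("10.0.0.5", 13, "/register.php", 200),
               _line("192.168.1.20", 5, "/index.php", 200),
               _line("192.168.1.20", 30, "/indx.php", 404)]
```

Running `find_scanners(SAMPLE_LOG)` flags only 10.0.0.5 with 12 misses across 12 distinct paths; the single typo from 192.168.1.20 stays below the threshold.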
Keywords
Directory Bruteforce
Web Application
Wordlist
Kali Linux
Tools
Dirbuster
Webserver
Parameter
Extension
Brute Force
Highlights
Introduction to directory bruteforce as a web attack technique.
Directory bruteforce focuses on discovering hidden pages and content on a web application.
The success of a directory bruteforce attack depends on the wordlist used.
More words in the wordlist increase the likelihood of finding more web content.
Tools for directory bruteforce include dirb, dirbuster, feroxbuster, and gobuster.
Kali Linux is used to demonstrate directory bruteforce attacks in this session.
Participants are provided with a pre-configured Kali Linux environment and a web application to test.
Instructions on how to drag and drop the web application into Kali Linux.
Steps to start a web server on Kali Linux using the command 'php -S localhost:8000'.
Checking the web application by opening 'localhost:8000' in a browser.
Launching a new terminal session to separate web server tasks from bruteforce tasks.
Using the 'dirb' tool for directory bruteforce with a specific focus on '.php' files.
Command for directory bruteforce: 'dirb http://localhost:8000 -X .php'.
Default wordlist location for 'dirb' is '/usr/share/dirb/wordlists/common.txt'.
Results of the bruteforce attack include discovered pages like 'index.php', 'login.php', 'register.php', and 'admin.php'.
Conclusion of the session and an invitation to join the next video.
Transcripts
Welcome back. In this session we will discuss directory bruteforce. Directory bruteforce is an attack that focuses on finding hidden pages and content in a web-based application. The technique works by checking for content using a kind of wordlist, that is, a collection of words that are likely to be the names of content on that website.

Note that the success of a brute force depends on the wordlist we have, so the more words there are in the wordlist, the more content from the web we are likely to get.

There are also several tools that can be used for directory bruteforce, namely dirb, DirBuster, Feroxbuster, and also Gobuster.

For this session's material we will run Kali Linux to try a brute-force attack on a web application that we will provide. The Kali Linux here has already been prepared by me, and the web application has also been prepared, so you can drag and drop the web application straight into the Kali Linux machine. Here I will drag and drop it onto the desktop, like this.

Next, I will first open the web application's directory. Then I right-click and choose Open Terminal Here. Here I will run a web server whose content is this content, which will contain everything from the web application we copied earlier, by running the command php -S localhost with the port, namely port 8000, like this. Once it is running, we can first try opening a browser and going to, for example, localhost:8000. The web application should be running now, so we move on to the next material, which is doing the brute force.

But first we will open another terminal, using Ctrl+Alt+T, like this. What is that for? It is to distinguish the previous terminal from the current one, since the previous one is only there to run the web server service. Here we will do the brute force using one of the tools that is already there, namely dirb; we can type dirb like this. Since every tool works in a similar way, I will explain only one, the easiest one, namely dirb. Using dirb is also quite easy. First I will run dirb to find out what parameters it has. There are many parameters, but I will only use the -X parameter, which means extension. I want to filter the brute force so that it only brute-forces files whose names end in .php.

As for the command, we run dirb, then the address of the localhost, that is http://localhost, then the port, like this, then we give -X, or extension, and .php, like this. When I run it, dirb will brute force using its default wordlist, common, which is located at /usr/share/dirb/wordlists/common.txt. After the process finishes, it will display the content it found while brute forcing the address we entered earlier. If we look here, there are index.php, login.php, register.php, section.php, like this.

That is all for the directory bruteforce material using one of the tools in Kali Linux. Thank you, and see you in the next video.