How to Directory Brute Force Properly
Summary
TLDR: This video script discusses the importance of proper directory and file brute-forcing techniques in cybersecurity. It emphasizes that using the right word lists and contextualizing brute-force attacks is crucial for effectiveness. The speaker suggests using specific word lists tailored to the technology stack of the target and recommends tools like ffuf and dirsearch for the task. The script also advises on leveraging subdomain names and domain keywords to refine brute-force strategies, and encourages viewers to create and maintain their own word lists for better results.
Takeaways
- Most people are not utilizing word lists properly for file and directory brute forcing, leading to ineffective results.
- The success of brute forcing relies on contextualizing your approach, not just on having the right word list.
- It's crucial to use the correct tools for the job; personal preference plays a role, but tools like ffuf and dirsearch are recommended.
- Using the same word list for every target is ineffective; tailor your word list to the specific technology stack of the target.
- Assetnote's word lists and SecLists are valuable resources for obtaining targeted word lists for different technologies.
- Understanding the web server's underlying system can help narrow down the list of potential file extensions to check.
- Subdomain names can provide clues about the type of content hosted, guiding the focus of brute forcing efforts.
- Combining word lists from different sources can create a more comprehensive master list for brute forcing.
- Brute forcing should be contextual, considering the target's specific characteristics, such as subdomain keywords and known common endpoints.
- Effective brute forcing involves trial and error: using initial broad lists to find leads, then narrowing down with more specific lists based on findings.
Q & A
What is the main issue discussed in the video regarding brute force attacks?
-The main issue discussed is that most people are not utilizing word lists properly and are not contextualizing their brute force attacks effectively, which leads to inefficiency in finding hidden or forgotten files and directories.
Why is it important to contextualize brute force attacks?
-Contextualizing brute force attacks is important because it allows for a more targeted and efficient approach by considering the specific technology stack, programming languages, and the nature of the target, which can significantly increase the chances of discovering vulnerabilities.
What are the two main resources recommended for word listing in the video?
-The two main resources recommended for word listing are the Assetnote word lists and the SecLists word lists, both of which offer extensive collections of potential file and directory names organized by technology stack.
Why is it not effective to use the same word list for every target during brute force attacks?
-Using the same word list for every target is ineffective because different servers and applications may use different programming languages and file extensions. For example, brute forcing for .net files on a Linux server running PHP would be futile.
What is the significance of the subdomain name in the context of brute forcing?
-The subdomain name can provide valuable clues about the target's structure and potential endpoints. For instance, a subdomain with 'API' in it might indicate that the subdomain is used for API purposes, guiding the brute force attack towards API-related routes and files.
What tool does the speaker personally prefer for brute forcing?
-The speaker personally prefers using ffuf (a web fuzzer used here for finding files and directories) and dirsearch for brute forcing.
What is the role of 'all.txt' in the brute forcing process as described in the video?
-'all.txt' is a combined list of common words for each programming language, used when the specific technology stack is unknown. It increases the chances of identifying the correct file extension and programming language being used by the target.
How can the information from a subdomain name be leveraged in brute forcing?
-The information from a subdomain name can be leveraged by using keywords from the subdomain in the brute forcing process. For example, if the subdomain contains 'API', the attacker might focus on finding API routes and related files.
What is the recommended approach after identifying a potential file extension during brute forcing?
-After identifying a potential file extension, the recommended approach is to perform an extended directory brute forcing using only files with that specific extension, which helps in narrowing down the search and finding more specific vulnerabilities.
Why is it suggested to create and maintain your own word list for brute forcing?
-Creating and maintaining your own word list is suggested because it allows for a more personalized and effective approach. It enables the attacker to add new words based on previous findings, leaks, or discovered directories, making the brute force attacks more tailored to their specific targets.
Outlines
Introduction to Effective Directory and File Brute Forcing
The speaker begins by suggesting that many people, including viewers, may not be performing directory and file brute forcing correctly. They emphasize that the issue is not the lack of word lists but rather the improper use and lack of contextualization of these lists. The video aims to demonstrate how to utilize word lists effectively, build upon them, and enhance their accuracy. The speaker encourages viewers to subscribe and support the channel through memberships, which offer exclusive content and help in content creation. The concept of brute forcing is introduced as a method of using word lists to find hidden files and folders on a target system, which could lead to discovering vulnerabilities such as SQL injection or SSRF. Various tools for brute forcing are mentioned, including Burp Suite, gobuster, and dirsearch, with a personal preference for ffuf and dirsearch. The importance of using the right word list tailored to the target's technology stack is highlighted, and the speaker suggests using specific word lists from sources like Assetnote and SecLists.
Contextualizing Brute Force Attacks for Better Results
The speaker discusses the importance of contextualizing brute force attacks, which involves understanding the target's technology stack and adjusting the word list accordingly. They advise against using the same word list for every target, as this can be ineffective and waste resources. The speaker suggests using a combination of word lists from various sources, such as Assetnote and SecLists, to create a master list. They also recommend using the 'all.txt' file for a broad initial scan, which contains common words across different programming languages. The focus then shifts to understanding the target's subdomain and domain names to inform the brute forcing strategy. The speaker demonstrates using tools like ffuf and dirsearch, and explains how to interpret response codes to identify potential leads. They also discuss the significance of subdomain names in guiding the brute forcing process and how domain names can provide clues for directory brute forcing. The speaker concludes by sharing their personal approach to directory and file brute forcing, which involves starting with a broad word list, refining the list based on initial findings, and then focusing on specific file extensions and routes.
Final Thoughts on Brute Forcing and Future Content
In the concluding part, the speaker summarizes the key points of the video, emphasizing the importance of understanding the context of the target when performing brute force attacks. They stress the need to use the right files and extensions and to create and maintain a personalized word list based on findings and observations. The speaker encourages viewers to engage by commenting on the video, suggesting topics for future videos, and expressing interest in a dedicated video on creating and organizing word lists. They remind viewers to subscribe to the channel and like the video to show support, and they hint at the possibility of creating more content based on viewer feedback. The video ends with a call to action for viewers to apply the knowledge shared and to stay tuned for more educational content.
Keywords
- Brute Forcing
- Word List
- Technology Stack
- Contextualizing
- Subdomain
- API Endpoints
- File Extensions
- Assetnote
- SecLists
- Directory Brute Forcing
Highlights
Many people, including viewers of the video, may not be using their file and directory brute force tools correctly, even if they have the right word lists.
The key to effective brute forcing lies not only in having word lists but in contextualizing brute force attempts to match the technology stack of the target.
Identifying what kind of server is being targeted, such as Linux or Windows, and selecting word lists specific to that server is crucial for efficient brute forcing.
The speaker recommends tools like ffuf and dirsearch for brute forcing, but ultimately the choice of tool comes down to personal preference.
Many users make the mistake of using the same word list for every target, which is inefficient. Word lists should be specific to the technology stack of the target.
Assetnote word lists, which are categorized by technology stack, are recommended as a key resource for brute forcing.
If unsure about the target's programming language, using an all-purpose word list like 'all.txt' is helpful, as it contains common words for multiple programming languages.
SecLists by Daniel Miessler is another useful resource, containing additional word lists not limited to web content but also covering DNS-related data.
Contextualizing brute forcing by analyzing subdomains, like focusing on 'API' in a subdomain, can help direct brute force attempts towards more useful API endpoints.
Understanding the naming conventions within subdomains and paths is key to finding hidden or forgotten files and endpoints.
The speaker uses the example of fuzzing for 'API' routes and API versions (e.g., V1, V2) to demonstrate the method of brute forcing API-specific paths.
Utilizing response codes such as 302, 400, 401 during brute force attempts can indicate the existence of valuable endpoints.
Creating a master word list by combining resources like Assetnote and SecLists, and organizing them by extension and technology stack, will improve brute forcing results.
The importance of continuous learning: As more files and endpoints are found during brute force attempts, the word list should be updated with new patterns.
The speaker emphasizes the importance of contextual awareness when brute forcing, which includes understanding the subdomain structure, server technology, and naming conventions of the target.
Custom word lists tailored to specific targets are essential for effective brute forcing, instead of relying solely on generic or pre-made lists.
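The workflow the highlights describe (a broad all.txt pass, keywords pulled from the subdomain labels, API-route combinations, narrowing to the confirmed extension, and triaging by response code), as an added Python example. It is not code from the video or from ffuf, dirsearch, Assetnote or SecLists; the hostname, the master list and the scan results are constructed sample data, and the 200 and 403 entries in the lead codes are an assumption beyond the codes the video names.

```python
import re
from itertools import product

# Status codes the video treats as a lead worth a second look: it names
# 301, 302, 400, 401 and 405; 200 and 403 are added here as an assumption.
LEAD_CODES = {200, 301, 302, 400, 401, 403, 405}


def host_keywords(hostname, base_domain):
    """Break the subdomain labels into the keyword variants the video walks
    through for one-app.api.<domain>: 'one-app', 'one', 'app', 'oneapp', 'api'.
    Order is preserved and duplicates are dropped."""
    host = hostname.lower().strip(".")
    suffix = "." + base_domain.lower().strip(".")
    sub = host[: -len(suffix)] if host.endswith(suffix) else host
    seen = {}  # dict keeps insertion order, so it doubles as an ordered set
    for label in sub.split("."):
        if not label:
            continue
        seen.setdefault(label, None)               # whole label: one-app
        parts = [p for p in re.split(r"[-_]", label) if p]
        for part in parts:
            seen.setdefault(part, None)            # one, app
        if len(parts) > 1:
            seen.setdefault("".join(parts), None)  # one without the dash: oneapp
    return list(seen)


def api_paths(keywords):
    """Candidate API routes: api, v1, v2, api/v1, api/v2 on their own, then
    each subdomain keyword used as a folder in front of them, which is the
    shape of the one-app/api/v1 hit shown in the video."""
    bases = ["api", "v1", "v2", "api/v1", "api/v2"]
    paths = list(bases)
    for kw, base in product(keywords, bases):
        if kw != "api":                            # api/api adds nothing
            paths.append(kw + "/" + base)
    return paths


def by_extension(master, ext):
    """After a hit such as test.php confirms the stack, keep only the master
    list entries with that extension for the extended, narrower run."""
    ext = "." + ext.lower().lstrip(".")
    return [w for w in master if w.lower().endswith(ext)]


def leads(results):
    """Filter (path, status) pairs down to the statuses worth following up."""
    return [(path, status) for path, status in results if status in LEAD_CODES]


if __name__ == "__main__":
    # Constructed sample data; the video's real hostname is not reproduced.
    host = "one-app.api.example.com"
    kws = host_keywords(host, "example.com")
    print("keywords:", kws)
    print("api candidates:", api_paths(kws)[:8], "...")

    all_txt = ["test.php", "test.asp", "test.jsp", "index.html", "admin.PHP"]
    print("php only:", by_extension(all_txt, "php"))

    # Constructed scan output in the shape of (path, status code).
    scan = [("/index.html", 200), ("/one-app/api", 301),
            ("/one-app/api/v1", 301), ("/one-app/api/v1/swagger.yaml", 200),
            ("/nothing-here", 404)]
    for path, status in leads(scan):
        print(status, path)
```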
Transcripts
How would you feel if I told you most people, including you watching this video, are probably not doing your file and directory brute forcing right? And that's not because you don't have the right word list, but it's because you're not utilizing those word lists properly and you're not contextualizing your brute forces well. Today I want to show you exactly how to do that: how do you use all these current word lists, and you build up on it on your own and leverage them to do a better and more accurate word listing. But before we jump into this video, if you haven't already, please hit that subscribe button. If you want to support our channels, I've actually opened up memberships where you can become a subscriber, you can donate to the channel, and in return you get exclusive content, emotes, and also it helps me create more content and overall supports this YouTube channel so we can keep it going.

Alright, enough about that, let's talk about brute forcing. If you're not familiar with brute forcing, the whole idea and the concept is you have a list of words and a list of files or potential folders, and you're hoping to find those on your target. Some of these could be dev files, it could be backups, it could be API endpoints, it could be API swaggers or the specification for the API, and all these different things. The reason why we look for those is in hopes of finding an endpoint, or something that leads us to an endpoint, that could be vulnerable for a SQL injection, SSRF, IDOR, whatever that is. So the whole concept is we want to find hidden or forgotten files and folders. Well, you can do this in a number of different ways. The how you do it doesn't matter, and by how you do it I mean the tools that you use don't really matter; it's all, I think, personal preference. You can use Burp Suite; I don't recommend it because Burp takes a lot of resources on your computer, and you also want to do this in the cloud so your IP doesn't get banned. But you can also use DirBuster, there's gobuster, there's dirsearch, there's ffuf, all these different tools. Honestly, it all comes down to a personal preference. I personally use ffuf and dirsearch, those are the two tools that I really like, but honestly that's up to you what you want to use. Do me a favor, comment down below, tell me what you use and why you use it, and maybe I will cover it in one of the upcoming videos. Okay, so the tool doesn't
really matter. We just talked about, we can use whatever tool we want; the whole concept is finding endpoints. The biggest thing that I see people do is they use the same word list for every single target, and unfortunately that's not how it works. The example of it is: you can hope for finding .NET files that end in .aspx on a Linux server that's running PHP, or another server that's running JSP. It doesn't work. I'm not saying that you can't have JSP on a Windows machine, but I'm just saying if an application is mostly serving you .aspx files, then doing a brute force with .php files is kind of useless, and it's just taking up your time and resources for no reason. So the thing you want to do is you want to find word lists specific by technology stack and what they do. And stick around, at the end I'll tell you how I do all this, but for now I want to cover what are the things that you should have before you get into directory brute forcing.

Well, there are two main resources I highly recommend for word listing that you can download for free. The first one is the Assetnote word list, which you can see on the screen right here. They have a ton of them: they have API routes, you have some for domains and subdomains that we have covered in the past, we can also look at, they have HTML dot files, they have JSP, and you can also look for aspx, for example. You can see they have tons of different ones based on the technology stack. So the number one thing is you want to identify what is this web server running. Is it a Linux-based web server? Is it Windows? With Windows you have more leniency: there could be PHP on there, some people will run PHP or other programming languages on Windows, but honestly knowing the system behind it could kind of weed out the ones that you don't need. And if I were you, what I would do is I would download all these different asp, jsp, HTML, all these different extensions, organize them in my computer, and then depending on what that server is I will run this. But I also understand that sometimes you may not be in luck and you may not be able to identify what programming language or stack they're using, and that's where all.txt comes in. all.txt is a combination of common words for each programming language, so it could be test.php, test.asp, test.jsp, index, and so on. You have a list of all these and you want to make sure one of them hits, in hopes that you can actually find the programming language that's being used, and then directory brute force to that specific language and extension. The other option you have for this is using SecLists by Dan. This is also another great resource. Honestly, I would say you can combine the two, but this one goes beyond just web, it has also DNS stuff. But for us we're gonna go to Discovery, we can go to Web-Content, and also they have different things, you can see they have Apache, they have common backdoors, HTTP, JavaScript, all that stuff. Some of these are outdated, you can see it's five years ago, it hasn't been updated, but honestly it doesn't hurt to spend a day and combine all the PHP files from this one and the one from Assetnote, combine them into one, and having a master word list.

So I mentioned that you need to contextualize your brute forcing, and it doesn't just mean having the right word list, having the right extension for that company, whatever that asset. It also means understanding where and what to brute force. For example, if a subdomain has the keyword API in it, chances are they're using that subdomain or that asset for API purposes; you're not going to want to look for JSP and .NET files, for example. So you want to shift and focus your entire directory brute forcing on finding API routes, using some of the files and word lists that I showed you earlier in the video. But it goes also beyond that: it doesn't always have to be site.com/api. The folder that you're directory brute forcing could also be easily guessable based on the domain that we have. So let's just look at it on this screen and maybe it'll make more sense. So for example, imagine we have this subdomain right here, it is called one-app API hack with no homesick. Well, the first thing I wanted to do is, I see the word API in there, it's behind an API zone or subdomain, so the indication of it is more than likely this is some sort of an API that I want to brute force. The next thing I want to do is I want to find the API route: could it be api, could it be v1, v2, could it be api/v1 or v2, and so on. There's one more step we're going to look at at the end, but I'm going to use ffuf for this example, and you can see I'm using all.txt. My file for all.txt has most of my common words that I look for; they're not specific to an extension, but it has a lot of different files that I usually look for right off the bat. I'm matching for these different responses, I'm looking to see if a 302, 400, 405, 401, all these different ones, come back, and the URL is right here, and we're going to see if this works.
You know, a bunch is going by, index.html was found, index and so on over there a couple of times. It's come back, it says nothing was found, no API routes, nothing of importance to us. Doesn't hurt, maybe api comes back but it doesn't match any of those response codes that I put in earlier, so I'm going to put api in there really quickly. Again it's going to brute force, nothing's going to come back, that's okay. What we're gonna do is we're going to take a look at our URL, and this is where contextualizing and understanding your asset becomes very important. What right here you see is one-app.api.hackwood and homesick. This within itself can be broken up in two different things for us to brute force. One could be that we can look for the word app, because that's what's in the subdomain; it could be just an app, and we're going to fuzz for it. We're going to give it a couple minutes, nothing comes up, we can cancel this as soon as there's nothing there, because I know what my word list has in the beginning. And then there's the other option of using the word one. Again, one could be the keyword, one could be anything, it could be a random few letters that means something to the company, but us as the hackers that are hacking on this company, we don't know what that means. For that, one-app could be a number of different things, but what I'm trying to say is all these different words within the subdomain, like the subdomain name one app, one-app, one without the dash, app, combined together, a combination of one or more of these different words could be a lead for us to subdomain brute force, or I'm sorry, file brute force and folder brute force, in hopes of finding an asset or an endpoint that was left behind. So for this example I'm going to start with one. Nothing comes back, I'm gonna give it a few minutes.
We're gonna exit out of that, we're gonna do one-app and see if anything comes back. And right off the bat, right here you can see that api, api/v1 both came as 301, which is redirecting to somewhere else, and then you also see that we have api/v1/swagger.yaml, which is probably their specification for that API, that came back and said hey, this exists. That could give us all the different routes within that API, and potentially one of those API routes could dump a list of users, it could be vulnerable, whatever that is. That's pretty much how you should approach all your targets when it comes down to brute forcing for files and directories.

Early in the video I said that I was going to tell you how I approach my directory and file brute forcing. Well, the first thing is when I find my target I throw all.txt at it, I look and see what comes back. If nothing absolutely comes back, then I look at the subdomain name and I start playing with different keywords in that subdomain, in hopes that it could be my first lead into finding a folder that exists. And then once I have done my all.txt, that's where I get my leads, in hopes that it gives me hey, there is a PHP, there's an API route, whatever that is, that exists right there. So for example, if it says hey, test.php exists, then I'm going to go and do an extended directory brute forcing by just using .php files, and then of course just scaling it from there. So a lot of it comes from two things. One is my historic knowledge, the things that I have collected; obviously you can do the same, you can go use SecLists' raft word list, clean it up, and use it as your basis for when you want to do it all.txt, and then you can create that and add on to it more and more as you find more interesting targets and you need more JavaScript files and that kind of stuff. And then of course the second one is you want to have a good word list. I highly recommend going to SecLists and going to the Assetnote word list, combining the two, making a good word list for yourself for each extension, having them named properly, and just querying them as you go. None of the stuff that I talked about throughout this video is a secret.
it's obviously a lot of top hackers are
doing these things including myself I do
the same things but a lot of people that
I've seen online where they post or they
talk about brute forcing they're using
the same words as other people and
they're not looking at the asset itself
so if you're watching this what I want
you to do is please keep that in mind
the sub domain name is a huge bit of
information that you can leverage please
please make sure you are understanding
the context of where you want to Brute
Force you want to make sure using the
right files in the right extension and
obviously you want to create your word
list on your own based on on all these
different files that you find leaks that
you see maybe a directory listing comes
up and you can see a list of files added
to your word list and maintain your own
okay that's it about brute forcing do me
a favor leave me a comment let me know
if you want me to dedicate an entire
video on how to create your own word
list how to organize them how I do mine
maybe I'll make that into a video let me
know down below if you find that helpful
and again if you haven't already
subscribe to the channel hit that like
button and let me know what you think of
this video and what you want to see next
okay that's it see you in the next video