How to Directory Brute Force Properly

00:00

how would you feel if I told you most

00:02

people including you watching this video

00:04

are probably not doing your file and

00:07

directory Brew for sync right and that's

00:09

not because you don't have the right

00:10

word list but it's because you're not

00:12

utilizing those word lists properly and

00:15

you're not contextualizing your Brute

00:17

Forces well today I want to show you

00:19

exactly how to do that how do you use

00:21

all these current word lists and you

00:23

build up on it on your own and leverage

00:25

them to do a better and more accurate

00:28

word listing but before we jump into

00:30

this video if you haven't already please

00:31

hit that subscribe button if you want to

00:33

support our channels I've actually

00:34

opened up memberships where you can

00:36

become a subscriber you can donate to

00:38

the channel and in return you get

00:40

exclusive content emotes and also it

00:42

helps me create more content and overall

00:44

supports this YouTube channel so we can

00:47

keep it going alright enough about that

00:49

let's talk about brute forcing if you're

00:52

not familiar with brute forcing means

00:54

the whole idea and the concept is you

00:56

have a list of words and a list of files

00:58

or potential folders and you're hoping

01:00

to find those on your target some of

01:02

these could be Dev files it could be

01:03

backups it could be API endpoints it

01:05

could be API swaggers or the

01:07

specification for the API and all these

01:09

different things the reason why we look

01:11

for those is in hopes of finding an

01:13

endpoint or something that leads us to

01:15

an endpoint that could be vulnerable for

01:17

a SQL injection ssrf idor whatever that

01:20

is so the whole concept is we want to

01:23

find hidden or forgotten files and

01:26

folders well you can do this in a number

01:27

of different ways the how you do it

01:29

doesn't matter and by how you do it I

01:31

mean the tools that you use doesn't

01:32

really matter it's all I think is

01:34

personal preference you can use burp

01:36

Suite I don't recommend it because burp

01:38

takes a lot of resources on your

01:39

computer and you also want to do this in

01:41

the cloud so your IP doesn't get banned

01:43

but you can also use Forex Buster

01:45

there's Go Buster there's directory

01:46

search or Dr search there's FF all all

01:50

these different tools honestly it all

01:52

comes down to a personal preference I

01:54

personally use FF and IR search those

01:57

are the two tools that I really like but

01:58

honestly that's up to you what you want

02:00

to use do me a favor comment down below

02:02

tell me what you use and why you use it

02:04

and maybe I will cover it in one of the

02:06

upcoming videos okay so the tool doesn't

02:07

really matter we just talked about we

02:09

can use whatever tool we want the whole

02:11

concept is finding endpoints the biggest

02:14

thing that I see people do is they use

02:16

the same word list for every single

02:19

Target and unfortunately that's not how

02:22

it works the example of it is you can

02:25

hope for finding.net files that end in

02:27

aspx on a Linux server that's running

02:30

PHP or another server that's running JSP

02:32

it doesn't work I'm not saying that you

02:35

can't have JSP on a Windows machine but

02:37

I'm just seeing if an application is

02:39

mostly serving you dot aspx files then

02:42

doing a brute force with DOT PHP files

02:44

is kind of useless and it's just taking

02:47

up your time and resources for no reason

02:50

so the thing you want to do is you want

02:52

to find wordless specific by technology

02:55

stack and what they do and stick around

02:58

at the end I'll tell you how I do all

02:59

this but for now I want to cover what

03:01

are the things that you should have

03:02

before you get into directory brute

03:04

forcing well there are two main

03:05

resources I highly recommend for word

03:07

listing that you can download them for

03:09

free the first one is the asset notes

03:12

word list which you can see on the

03:13

screen right here they have a ton of

03:15

them they have API routes you have some

03:17

for domains and subdomains that we have

03:20

covered in the past we can also look at

03:22

they have HTML dot files

03:25

to have JSP and you can also look for

03:27

aspx for example you can see they have

03:30

tons of different ones based on the

03:33

Technology stock so the number one thing

03:35

is you want to identify what is this web

03:38

server running is it a Linux based web

03:40

server is it windows with Windows you

03:42

have more leniency there could be PHP on

03:44

there some people will run PHP or other

03:46

programming languages on Windows but

03:48

honestly knowing the system behind it

03:50

could kind of weave out the ones that

03:52

you don't need and if I were you what I

03:54

would do is I would download all these

03:55

different asp.jsp HTML all these

03:58

different extensions organize them in my

04:01

computer and then depending on what that

04:03

server is I will run this but I also

04:05

understand that sometimes you may not be

04:06

in luck and you may not be able to

04:08

identify what programming language or

04:10

stack they're using and that's where a

04:12

all.txt comes in and all.txt is a

04:15

combination of common words for each

04:17

programming languages so it could be

04:19

test.php test.asp test.jsp index and so

04:23

on you have a list of all these and you

04:26

want to make sure one of them hits in

04:28

hopes that you can actually find the

04:30

programming language that's being used

04:32

and then director directory brute

04:34

forcing to that specific language and

04:36

extension the other option you have for

04:38

this is using uh cyclist by Dan uh this

04:41

is also another great resource honestly

04:43

I would say you can combine the two but

04:45

this one goes beyond just web it has

04:46

also DNS stuff but for us we're gonna go

04:49

to Discovery we can go to web content

04:52

and also to have different things you

04:54

can see they have Apache they have

04:55

common back doors HTTP JavaScript all

04:58

that stuff some of these are outdated

05:00

you can see it's five years ago it

05:02

hasn't been updated but honestly it

05:04

doesn't hurt to spend a day and combine

05:07

all the PHP files from this one and the

05:09

one from asset node combine them into

05:11

one and having a master webless so I

05:13

mentioned that you need to contextualize

05:15

your brute forcing and it doesn't just

05:17

mean having the right word list having

05:19

the right extension for that company

05:21

whatever that asset it also means

05:23

understanding where and what to root for

05:25

for example if a subdomain has the

05:28

keyword API in it chances are they're

05:30

using that subdomain or that asset for

05:32

API purposes you're not going to want to

05:34

look for jspn.net files for example so

05:37

you want to shift and focus your entire

05:38

directory brute forcing on finding API

05:41

routes using some of the files and word

05:43

lists that I showed you in the earlier

05:45

in the video but it goes also beyond

05:46

that it doesn't always have to be

05:48

site.com API that slash the folder that

05:52

your directory brute forcing could also

05:55

be easily guessable based on the domain

05:58

that we have so let's just look at it on

06:00

this screen and maybe we'll make more

06:01

sense so for example imagine we have

06:03

this subdomain right here it is called

06:06

one app API hack with no homesick well

06:10

the first thing is I wanted to do is I

06:12

see the word API in there it's behind an

06:14

API zone or subdomain so the indication

06:17

of it is more than likely this is some

06:18

sort of an API that I want to Brute

06:20

Force for the next thing I want to do is

06:22

I want to find the API route could it be

06:24

API could it be V1 V2 could it be API V1

06:29

or V2 and so on there's one more step

06:32

we're going to look at at the end but

06:33

I'm going to use fluff for this example

06:34

and you can see I'm using all that txt

06:36

my file for all.txt has most of my

06:40

common words that I look for they're not

06:43

specific to a extension but it has a lot

06:45

of different files that I usually look

06:47

for right off the bat I'm matching for

06:49

these different responses I'm looking to

06:52

see if a 302 400 405 401 all these

06:55

different ones to come back and the URL

06:57

is right here and we're going to see if

06:58

this works

07:00

you know bunch is going by index.html

07:02

was found of indexation over there a

07:04

couple of times it's come back it says

07:06

nothing was found no API routes nothing

07:08

of important to us doesn't hurt maybe

07:11

API comes back but it doesn't match any

07:13

of those response codes that I put in

07:15

earlier so I'm going to put API in there

07:17

really quickly again it's going to Brute

07:19

Force nothing's going to come back

07:20

that's okay we're gonna do is we're

07:22

going to take a look at our URL and this

07:24

is where contextualizing and

07:25

understanding your asset becomes very

07:27

important what right here you see is is

07:29

one Dash app dot API Dot hackwood and

07:32

homesick this within itself can be

07:35

broken up in two different things for us

07:36

through Brute Force One could be that we

07:38

can look for the word up because that's

07:40

what's in the subdomain it could be just

07:42

an app and we're going to fuzz for it

07:44

we're going to give it a couple minutes

07:45

nothing comes up we can cancel this as

07:48

soon as there's nothing there because I

07:49

know what my word list has in the

07:50

beginning and then there's the other

07:52

option of using the word one again one

07:54

could be

07:55

the keyword one could be anything it

07:57

could be a random few letters that means

08:00

something to the company but us as the

08:02

hackers they build our hacking on this

08:03

company we don't know what that means

08:05

for that one Dash app could be a number

08:07

of different things but what I'm trying

08:08

to say is all these different words

08:09

within the subdomain like the subdomain

08:11

name one app one Dash app one without

08:15

the Dash app combined together a

08:17

combination of one or more of these

08:19

different words could be a lead for us

08:21

two sub domain brute force or I'm sorry

08:23

fall brute force and folder brute force

08:25

in hopes of finding an asset or an

08:27

endpoint that was left behind so for

08:29

this example I'm going to start with one

08:31

nothing comes back I'm gonna give it a

08:33

few minutes

08:34

we're gonna exit out of that we're gonna

08:36

do one

08:37

up and see if anything comes back and

08:39

right off the bat right here you can see

08:41

that API API V1 both KMS 301 which is

08:45

redirecting to somewhere else and then

08:47

you also see that we have API V1

08:50

swagger.yamo which is probably their

08:52

specification for that API that came

08:54

back and said hey this exists that could

08:57

give us all the different routes within

08:58

that API and potentially one of those

09:00

API routes could dump a list of users it

09:03

could be vulnerable whatever that is

09:04

that's pretty much how you should

09:07

approach all your targets when it comes

09:09

down to brute forcing for a thousand

09:11

directories early in the video I said

09:12

that I was going to tell you how I

09:14

approach my directory and file brute

09:16

forcing well the first thing is when I

09:18

find my target I threw all that txt at

09:20

it I look and see what comes back if

09:22

nothing absolutely comes back then I

09:23

look at the sub domain name and I start

09:25

playing with different keywords I'm not

09:27

subdomain in hopes that it could be

09:29

my first lead into finding a folder that

09:32

exists and then once I have done my

09:34

all.txt that's what I get my leads in

09:36

hopes that it gives me hey there is a

09:38

PHP there's an API route whatever that

09:40

is that exists right there so for

09:42

example if says Hey test.php.exists then

09:44

I'm going to go and do an extended

09:46

directory brute forcing by just using

09:49

dot PHP files and then of course just

09:52

scaling it from there so a lot of it

09:54

comes from two things one is my historic

09:56

knowledge the things that I have

09:57

collected obviously you can do the same

09:59

you can go to use seclist's raft word

10:02

list clean it up and use it as your

10:04

basis for

10:06

when you want to do it all.txt and then

10:08

you can create that and add on to it

10:11

more and more as you find more

10:13

interesting targets and you need more

10:14

JavaScript files and that kind of stuff

10:16

and then of course the second one is you

10:18

want to have a good word list I highly

10:19

recommend going to sick list and going

10:21

to asset notes uh word list combining

10:24

the two making a good word list for

10:26

yourself for each extension and having a

10:28

name properly and just querying them as

10:30

you go none of the stuff that I talked

10:31

about throughout this video is a secret

10:33

it's obviously a lot of top hackers are

10:35

doing these things including myself I do

10:37

the same things but a lot of people that

10:39

I've seen online where they post or they

10:41

talk about brute forcing they're using

10:43

the same words as other people and

10:45

they're not looking at the asset itself

10:47

so if you're watching this what I want

10:49

you to do is please keep that in mind

10:51

the sub domain name is a huge bit of

10:53

information that you can leverage please

10:54

please make sure you are understanding

10:56

the context of where you want to Brute

10:59

Force you want to make sure using the

11:00

right files in the right extension and

11:02

obviously you want to create your word

11:04

list on your own based on on all these

11:06

different files that you find leaks that

11:08

you see maybe a directory listing comes

11:10

up and you can see a list of files added

11:12

to your word list and maintain your own

11:14

okay that's it about brute forcing do me

11:16

a favor leave me a comment let me know

11:18

if you want me to dedicate an entire

11:20

video on how to create your own word

11:22

list how to organize them how I do mine

11:24

maybe I'll make that into a video let me

11:26

know down below if you find that helpful

11:27

and again if you haven't already

11:28

subscribe to the channel hit that like

11:31

button and let me know what you think of

11:33

this video and what you want to see next

11:35

okay that's it see you in the next video

11:38

[Music]