Find hidden directories on web server

Share this…


Dirbuster/ Directory Traversal Attacks where attacker can use dictionary of word list to find hidden or not hidden directories and files on the target web application & server. According to ethical hacker in international institute of cyber security, attacker may find directories that are thought to be unavailable on the target server or web application.

Dirbuster methods works on URL and a port. Attacker provide it with port 80 and 443 and the wordlist. After executing the attack dirbuster sends HTTP GET requests to the website and listens for site’s response.

How to use DirBuster on Kali linux?

  • In the above screen shot you have the enter the target IP address and the port:80 will be used for sending and receiving client based communication in the dirbuster . It’s an HTTP protocol.
  • Now the HTTP method you have to select Auto switch (HEAD and GET).
  • Now select the no. of threads 10 or Go Faster. Threads can also be increased but will take time in finishing the dirbuster scan.
  • Select the List based bruteforce or pure brute force. List based will selected from the directory of the dirbuster, or attacker can use the custom wordlist. In brute force attack we will take one wordlist at a time as provided by dirbuster. Default directory of wordlist provided by dirbuster is /usr/share/wordlists/dirbuster/
  • If you select char set option, it will create a wordlist with all the characters mentioned by user in the dirbuster tool.
  • In starting options if attacker uses standard start point – dirbuster will go through all the webpages of target website/server and the webpages. In URL Fuzz dirbuster will try to find hidden HTML.
  • If the attacker know some of the directories in the target’s URL/website, then those directory names can be entered in the Dir to start with field. Highest priority will be given to them. If no directory is entered, then it will scan the wordlist sequentially.



  • For checking the wordlist that will be used in scanning. Click on the list infobutton to see the wordlist.



  • Once you click start button then you will see something like below in dirbuster




  • Dirbuster takes time while scanning the whole URL, the above screen shot shows the scan information with Folders and URL what dirbuster has found.
  • In current/average speed shows the number of request per second dirbuster is sending to the victim URL.
  • Attacker can also change the speed to dirbuster scanning by changing the number of threads in dirbuster.
  • Total Requests shows the number of HTTP/HTTPS request sent to victim URL.
  • Time to Finish shows the amount time dirbuster has taken in finishing of the scan.
  • In Results – List View Tab shows the list of files that dirbuster has grabbed from the victim URL.
  • In Results – Tree View Tab shows the hidden or not hidden directories found.
  • In error it shows the connection timeout for the particular page because the request send have been denied because the no response from victim URL/Server.



  • After finishing of the scan you can also save the report and you can choose in what extension you want to save the report in. Select the location where you want to save the report.














  • In the above screen shot the report can be seen/downloaded in many formats.