From s to Goldmines: Website Reconnaissance Made Easy with Dirsearch

By /

Listen to this Post

Website reconnaissance is a critical phase in cybersecurity, helping ethical hackers and penetration testers discover hidden directories, files, and vulnerabilities. One powerful tool for this task is Dirsearch, a command-line tool designed to brute-force directories and files on web servers.

What is Dirsearch?

Dirsearch is a Python-based tool that performs brute-force attacks to uncover hidden paths on a web server. It’s faster and more efficient than many GUI-based tools, making it a favorite among cybersecurity professionals.

Installation & Setup

To install Dirsearch, ensure you have Python 3 installed, then run:

git clone https://github.com/maurosoria/dirsearch.git 
cd dirsearch 
pip3 install -r requirements.txt

Basic Usage

Run a simple scan against a target website:

python3 dirsearch.py -u https://example.com -e php,html,js

Key Flags & Options:

  • -u: Target URL
  • -e: File extensions to search (e.g., php,html,json)
  • -w: Custom wordlist (default: directory-list-2.3-small.txt)
  • -t: Threads (default: 20)
  • -r: Recursive scan
  • --proxy: Use a proxy (e.g., `–proxy http://127.0.0.1:8080`)

Advanced Scanning

For a deeper scan, use a larger wordlist and recursive mode:

python3 dirsearch.py -u https://example.com -e  -w /path/to/big-wordlist.txt -r

You Should Know:

  • Common Hidden Paths:
  • /admin, /backup, /wp-login.php, `/config.php`
  • Log Files: Check `/logs/access.log` or `.git/config` for sensitive data.
  • API Endpoints: Look for /api/v1/, /graphql, or /swagger.json.

Automating with Bash:

Save this script as `dirsearch_scan.sh` and run it:

!/bin/bash 
echo "Enter target URL:" 
read url 
python3 dirsearch.py -u $url -e php,html,js,json -w /usr/share/wordlists/dirb/common.txt -t 30

Defensive Measures (For Admins)

To protect against Dirsearch scans:

  • Rate Limiting: Use Nginx/Apache rules to block excessive requests.
  • Fail2Ban: Ban IPs scanning for hidden paths.
  • Restrict Access: Use `.htaccess` or WAF rules.

What Undercode Say

Dirsearch is a powerful tool for uncovering hidden web assets, but it must be used ethically. Always get permission before scanning. Combine it with tools like Nikto, Gobuster, or Burp Suite for a full recon workflow.

Expected Output:

[/bash]

[16:45:32] 200 – 1KB – /admin/

[16:45:33] 301 – 162B – /backup -> https://example.com/backup/

[16:45:35] 403 – 277B – /config.php

[bash]

For more, check the official GitHub: Dirsearch GitHub

References:

Reported By: Alexrweyemamu Website – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass βœ…

Join Our Cyber World:

πŸ’¬ Whatsapp | πŸ’¬ TelegramFeatured Image

Related Posts: