Dir Buster
Literature Survey
What DirBuster can do for you
Attempt to find hidden pages and directories within a web application, thus giving another attack vector (for example, finding an unlinked administration page).
What DirBuster will not do for you
Exploit anything it finds. This is not the purpose of DirBuster. DirBuster's sole job is to find other possible attack vectors.
How does DirBuster help in the building of secure applications?
By finding content on the web server or within the application that is not required.
By helping developers understand that simply not linking to a page does not mean it cannot be accessed.
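An added example (not part of the original report or of DirBuster itself) showing the defender's side of this point: it inventories a web root and reports files that are deployed but cannot be reached by following links from the entry page. The sample site, the function names and the /index.html entry page are constructed assumptions.

```python
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urljoin, urlsplit

# Constructed sample site: two files are deployed but never linked from any page.
SAMPLE_SITE = {
    "index.html": '<a href="about.html">About</a><link href="css/site.css">',
    "about.html": '<a href="/index.html#top">Home</a><a href="https://example.org/">x</a>',
    "css/site.css": "body { margin: 0 }",
    "admin/login.html": "<form action='/admin/login.html'></form>",
    "db_backup.sql": "-- placeholder",
}

class LinkCollector(HTMLParser):
    """Collects href, src and action attribute values from one HTML page."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src", "action") and v]

def unlinked_files(webroot, entry="/index.html"):
    """Return deployed files that no page reachable from `entry` links to."""
    root = Path(webroot)
    deployed = {"/" + p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    reachable, queue = set(), [entry]
    while queue:
        path = queue.pop()
        if path in reachable or path not in deployed:
            continue
        reachable.add(path)
        if path.endswith((".html", ".htm")):
            parser = LinkCollector()
            parser.feed((root / path.lstrip("/")).read_text(encoding="utf-8"))
            for link in parser.links:
                target = urlsplit(urljoin(path, link))
                if not target.netloc:  # skip links that point to other hosts
                    queue.append(target.path)
    return sorted(deployed - reachable)

def demo():
    """Write SAMPLE_SITE to a temporary web root and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_SITE.items():
            page = Path(tmp, rel)
            page.parent.mkdir(parents=True, exist_ok=True)
            page.write_text(body, encoding="utf-8")
        return unlinked_files(tmp)
```

Calling demo() lists the unlinked files of the sample site; each reported path is either content that is not required and can be removed, or content that needs access control rather than obscurity.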
Scope of Work
The scope for the DirBuster Project is as follows:
To produce a tool that will assist in black box application testing, by trying to find hidden content.
Ensure the tool produced provides information in such a way that any false positives produced can be quickly identified.
Produce text-based lists that can be used by the above-mentioned tool.
Tools
This project is based on Java multi-threaded programming, so it will require some basic Java development tools, such as an IDE and a Java Development Kit.
DirBuster
-13mcei06 &13mcei23
System Requirements
Software Requirements:
Eclipse Helios
Java 1.6 or higher
Hardware Requirements:
500 MB RAM
Windows Server 2003 or higher versions/Linux
Budget Requirement
Budget requirement specifies the development cycle and approximate investment with respect to each of its phases.
Area of work : Budget Required (Rs.)
Licensed agreement : 7,00,000.00
Development : 14,00,000.00
Manpower allocation : 3,00,000.00
Training : 1,00,000.00
Protection against damage : 1,50,000.00
Marketing : 2,00,000.00
Other policies : 40,000.00
Overall Cost : 28,90,000/-
Implementation Phases
Short Term Implementations
Write an algorithm to crawl through a website.
Optimize the algorithm by taking steps such as removing redundancies.
Implement the algorithm.
Add an administrator brute force module.
Test the algorithm.
Long Term Implementations
Continuously try to increase the efficiency of the algorithm.
Create a new, more effective algorithm if possible.
Timeline
Estimated Start Date: November 25, 2013
Estimated Completion Date: November 11, 2014
Future Work
Improve and finish the Java portion of the program
Add documentation about the program, e.g. Help, FAQs
Fully document the code
Improve the DirBuster spider engine that generates the lists
Gather information on things like cookie names, subdomain names, and POST and GET variable names
Conclusion
DirBuster is a very good project for building a multi-threaded directory and file extractor. Java provides cross-platform support, which makes it even stronger.
REFERENCES
https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project