
DIRB – A Complete Guide to Web Content Scanning with Commands and Examples

DIRB is a web content scanner that finds hidden files and directories on websites using dictionary-based brute-force attacks


📌 Introduction

In the realm of web application penetration testing and ethical hacking, one of the most vital steps is to enumerate and discover hidden files, directories, and endpoints on a target server. Why? Because many web applications have sensitive or forgotten resources left exposed – admin panels, backups, configuration files, and more – that could become entry points for attackers.

DIRB is one such powerful tool designed to help in this discovery process.

What is DIRB?

DIRB is a command-line web content scanner written in C by The Dark Raver. It launches a dictionary-based attack against a target web server: each word from a wordlist is appended to the base URL and requested over HTTP, and the response is compared with the server's answer for a path that is known not to exist. (It is not the same tool as OWASP DirBuster, a separate Java program that does a similar job.)

DIRB is simple and dependable, and with the right wordlists and options it is surprisingly effective. Its main cost is speed: it is single-threaded, so large wordlists take a while.

🛠️ Installing DIRB

DIRB is available on most Linux distributions, and comes pre-installed with Kali Linux.

On Kali Linux, run it without arguments to confirm it is present and print the usage text with every option:

dirb

If not installed, you can install it using:

Debian/Ubuntu:

sudo apt update
sudo apt install dirb

Arch Linux (DIRB is not in the official repositories; use the AUR package, or the BlackArch repository, where it installs with pacman):

sudo pacman -S dirb

From Source:

Clone the repository from Kali's packaging source, then build with the upstream autoconf scripts. DIRB links against libcurl, so install the libcurl development headers first (e.g. libcurl4-openssl-dev on Debian/Ubuntu):

git clone https://gitlab.com/kalilinux/packages/dirb.git
cd dirb
./configure
make
sudo make install

⚙️ How DIRB Works

DIRB works by sending HTTP GET requests to the target web server using a dictionary file. It appends each word in the dictionary to the base URL, both as a file and with a trailing slash as a directory, and compares each response with the server's answer for a random, non-existent path it requested first.

Basic Workflow:

  1. You specify the target URL and (optionally) one or more wordlists.
  2. DIRB requests a random junk name to learn what "not found" looks like on this server (the NOT_FOUND fingerprint). This matters because not every server answers unknown paths with a 404.
  3. DIRB appends each word from the dictionary to the base URL and requests it (plus each extension given with -X).
  4. Any response that does not match the NOT_FOUND fingerprint is reported with its HTTP code (e.g. 200 OK, 403 Forbidden) and size.
  5. Every directory it finds is queued and scanned in turn (recursion is on by default; -r turns it off).
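To make the workflow concrete, here is a toy model of that loop, added as an example and not DIRB's own code. The fetch() callback stands in for the HTTP client, the "site" it scans is a constructed dictionary rather than a real server, and the path names and sizes are made up. The point it demonstrates beyond the steps above is why step 2 exists: on a server that answers every unknown path with 200 and the same friendly error page (a soft-404 or "wildcard" host), matching on status code alone hides the real pages, while comparing code and size together still finds them. That is the class of problem DIRB's -f (fine-tuning of NOT_FOUND detection) and -N options exist for.

```python
import random
import string

# Added example: a toy model of DIRB's scan loop, not DIRB's own source.
# fetch(url) stands in for the HTTP client and returns (status_code, body_size).


def fingerprint_not_found(base_url, fetch):
    """Request a random, almost certainly non-existent name to learn how the
    server answers unknown paths. Everything that looks like this answer is
    treated as NOT_FOUND, whatever status code the server chose to use."""
    junk = "".join(random.choice(string.ascii_lowercase) for _ in range(12))
    return fetch(base_url + junk)


def scan(base_url, words, fetch, extensions=(), compare_size=True):
    """Append each word to base_url, try it bare, as a directory (trailing
    slash) and with each extension, and keep whatever does not match the
    NOT_FOUND fingerprint. With compare_size=False only the status code is
    compared, which is what breaks on soft-404 ("wildcard") servers."""
    nf_code, nf_size = fingerprint_not_found(base_url, fetch)
    found = []
    for word in words:
        candidates = [base_url + word, base_url + word + "/"]
        candidates += [base_url + word + ext for ext in extensions]
        for url in candidates:
            code, size = fetch(url)
            if code == nf_code and (not compare_size or size == nf_size):
                continue  # looks exactly like the "does not exist" answer
            found.append((url, code, size))
    return found


def make_fake_site(pages, soft_404=None):
    """Build a fetch() over {path: (code, size)}; constructed test data.
    Unknown paths get a 404, or soft_404 to imitate a server that answers
    200 with a friendly error page for anything at all."""
    def fetch(url):
        path = url.split("/", 3)[3] if url.count("/") >= 3 else ""
        return pages.get(path, soft_404 or (404, 1024))
    return fetch


# Constructed target: one directory, one PHP file, one forbidden directory.
PAGES = {"admin/": (200, 4821), "login.php": (200, 1256), "uploads/": (403, 298)}
WORDS = ["admin", "login", "uploads", "backup"]

if __name__ == "__main__":
    for label, site in (("normal", make_fake_site(PAGES)),
                        ("soft-404", make_fake_site(PAGES, soft_404=(200, 3500)))):
        hits = scan("http://example.com/", WORDS, site, extensions=(".php",))
        print(label, "->", [(u, c) for u, c, _ in hits])
```

Run it and both sites yield the same three hits; switch compare_size to False and the soft-404 site collapses to the single 403, because /admin/ and /login.php now look identical to the "not found" answer.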

🧰 Basic Syntax and Command Structure

dirb <url_base> [<wordlist_file(s)>] [options]

Parameters:

  • <url_base>: The target URL, including scheme (http:// or https://).
  • [<wordlist_file(s)>]: Optional. One or more wordlists, separated by commas. If omitted, the default wordlist is used.
  • [options]: Additional switches for customizing scan behavior.

🛠️ Default Wordlist

DIRB’s default wordlist (4612 entries) is located at:

/usr/share/dirb/wordlists/common.txt

The same directory ships big.txt, small.txt, extensions_common.txt and a vulns/ folder of server- and framework-specific lists. You can also use custom wordlists from:

  • SecLists: /usr/share/seclists/Discovery/Web-Content/
  • Your own crafted dictionaries

🧪 Basic Usage

1. Scan with Default Wordlist

dirb http://example.com

🔍 What happens:

  • DIRB scans the site using /usr/share/dirb/wordlists/common.txt
  • Results are displayed live.

📤 Sample Output (illustrative, in DIRB's output format):

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May  1 10:00:00 2025
URL_BASE: http://example.com/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://example.com/ ----
==> DIRECTORY: http://example.com/admin/
==> DIRECTORY: http://example.com/login/
+ http://example.com/uploads/ (CODE:403|SIZE:298)

---- Entering directory: http://example.com/admin/ ----

-----------------
END_TIME: Mon May  1 10:03:15 2025

Directories that answer as existing are printed as ==> DIRECTORY lines and scanned recursively afterwards; other hits appear as + lines with the response code and size.

🧭 Using Custom Wordlists

2. Scan with Custom Wordlist

dirb http://example.com /usr/share/seclists/Discovery/Web-Content/big.txt

📍 Use larger or specialized wordlists to find deeply hidden paths. Several wordlists can be passed at once, separated by commas (wordlist1,wordlist2).

⚙️ Important Options and Their Explanations

Let’s dive into the most useful DIRB options (run dirb with no arguments for the full list):

🔸 -o <output_file>

Save the scan output to a file (the same text that goes to the terminal).

dirb http://example.com -o output.txt

🔸 -r

Don’t search recursively. DIRB recurses into every directory it finds by default; -r restricts the scan to the top level, and -R asks interactively before entering each directory.

dirb http://example.com -r

🔸 -S

Silent mode: don’t print every tested word, only findings and warnings. Handy for non-interactive runs and log files.

dirb http://example.com -S

🔸 -X <extensions> / -x <exts_file>

Append each word with the given extensions. Capital -X takes a comma-separated list on the command line; lowercase -x reads the extensions from a file (one per line).

dirb http://example.com -X .php,.bak

🔍 Example:

  • Will try /login.php and /login.bak alongside /login and /login/.

🔸 -z <millisecs>

Add a delay between requests so the scan doesn’t flood the target.

dirb http://example.com -z 500

🔸 -N <nf_code>

Ignore responses with this HTTP code. Useful when the server answers every unknown path with the same 403 or 200 instead of a 404.

dirb http://example.com -N 403

📌 DIRB is single-threaded and has no thread-count option; the only speed knobs are the wordlist size and the -z delay. If you need parallelism, reach for FFUF or Gobuster.

🔸 -a <agent_string>

Custom User-Agent string. (Note: -u is HTTP authentication, not user-agent; see below.)

dirb http://example.com -a "Mozilla/5.0"

🔸 -u <username:password>

HTTP basic authentication for protected sites.

dirb http://example.com -u admin:secret

🔸 -c <cookie_string> / -H <header_string>

Send a cookie or an extra header, for scanning behind a login or through a WAF rule that keys on a header.

dirb http://example.com -c "PHPSESSID=abc123" -H "X-Scanner: authorized-test"

🔸 -p <proxy[:port]>

Route requests through an HTTP proxy (port defaults to 1080 if omitted); -P <user:pass> adds proxy authentication.

dirb http://example.com -p 127.0.0.1:8080

Useful when using Burp Suite to intercept and inspect requests.

⚡ Real World Examples

Example 1: Simple Scan with Saved Output

dirb http://testphp.vulnweb.com -o scan_results.txt

✅ Enumerates the default wordlist (recursing into found directories) and saves the output.

Example 2: Custom Wordlist + File Extensions

dirb http://testphp.vulnweb.com /usr/share/dirb/wordlists/big.txt -X .php,.txt

✅ Appends .php and .txt to each word and checks for those files as well as the bare words.

Example 3: Slow Scan Routed Through Burp

dirb http://example.com -p 127.0.0.1:8080 -a "CustomAgent/1.0" -z 1000 -S

✅ One request per second with a custom User-Agent, every request visible in Burp’s proxy history. The delay keeps the target and its rate limiter happy; proxying through Burp is for inspection, not stealth, since the traffic still reaches the target.

🔒 Use Cases in Cybersecurity

DIRB is used extensively in:

🔍 Reconnaissance:

  • Discover admin panels (/admin, /control)
  • Check for backups (/backup.zip, /db.sql)
  • Find unlinked resources

🛡️ Red Teaming:

  • Validate file access controls
  • Simulate attacker behavior

🔄 Bug Bounty:

  • Automate hidden path discovery
  • Explore juicy file leaks (.bak, .git, .swp)

📂 Useful Wordlists and Customization Tips

Top Wordlists:

  • common.txt – basic discovery (DIRB default)
  • big.txt – deeper enumeration (shipped with DIRB; SecLists has one of the same name)
  • raft-large-directories.txt – from SecLists, ordered by real-world frequency
  • technology-specific lists, e.g. the server and framework lists under /usr/share/dirb/wordlists/vulns/

Craft Your Own:

  • Use paths from robots.txt (Disallow lines are a list of things the owner wants hidden)
  • Analyze JavaScript source for AJAX/API endpoints
  • Mine sitemap.xml, error pages and the spidered site for path segments, and feed them back as words
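The first two tips can be scripted. The helper below is an added example, not something DIRB ships: it pulls Disallow/Allow targets out of robots.txt and quoted path literals out of JavaScript, then turns every path into words DIRB can use. Both inputs are constructed samples, and the host, paths and endpoint names in them are made up. Because DIRB appends a word to the base URL and recurses on its own, the builder emits each cumulative prefix (api, api/v1, api/v1/users) for direct hits, each bare segment so recursion can match it, and the stem of any filename (login.php gives login) so -X can re-add extensions.

```python
import re

# Added example: build a target-specific wordlist for DIRB from robots.txt and
# JavaScript source. Both inputs below are constructed samples, not real sites.

ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /old-site/login.php
Allow: /public/
Sitemap: https://example.com/sitemap.xml
"""

JS_SOURCE = """\
fetch("/api/v1/users").then(r => r.json());
$.ajax({ url: '/api/v1/orders/export', type: 'POST' });
const cfg = { endpoint: "/internal/debug" };
window.location = "/account/settings";
"""

# Quoted string literals that start with "/" and look like URL paths.
PATH_LITERAL = re.compile(r"""["'](/[A-Za-z0-9_./-]+)["']""")


def paths_from_robots(text):
    """Collect Disallow/Allow targets; the site owner has told us what exists."""
    paths = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key.strip().lower() in ("disallow", "allow") and value not in ("", "/"):
            paths.append(value)
    return paths


def paths_from_js(source):
    """Endpoints referenced by front-end code are often unlinked from any HTML page."""
    return PATH_LITERAL.findall(source)


def to_wordlist(paths):
    """Emit every cumulative prefix (direct hits), each bare segment (for use
    once DIRB recurses) and the stem of any filename (so -X can re-add extensions)."""
    words = set()
    for p in paths:
        parts = [s for s in p.strip("/").split("/") if s]
        for i, seg in enumerate(parts, start=1):
            words.add("/".join(parts[:i]))
            words.add(seg)
            stem, dot, _ = seg.rpartition(".")
            if dot and stem:
                words.add(stem)
    return sorted(words)


def build_wordlist(robots_txt, js_source):
    return to_wordlist(paths_from_robots(robots_txt) + paths_from_js(js_source))


def save_wordlist(words, filename):
    with open(filename, "w") as fh:
        fh.write("\n".join(words) + "\n")


if __name__ == "__main__":
    wl = build_wordlist(ROBOTS_TXT, JS_SOURCE)
    save_wordlist(wl, "custom.txt")  # then: dirb http://example.com custom.txt -X .php,.bak
    print("\n".join(wl))
```

Feed the result to DIRB as the wordlist argument, optionally together with common.txt (custom.txt,/usr/share/dirb/wordlists/common.txt) so the generic words still get tried.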

🧠 Pro Tips

  1. Use multiple tools: Combine with Gobuster, FFUF and wfuzz to cross-validate findings, and to go faster where DIRB’s single thread is the bottleneck.

  2. Check HTTP codes: Focus on 200 and 403, but also look at 301/302 (a redirect to a login page still reveals a protected area) and 500 (a path that exists but breaks).

  3. Mind the wildcard: If nearly every word comes back with the same code and size, the server is answering everything the same way. Use -N to drop that code, -f to fine-tune NOT_FOUND detection, or change the extension set.

  4. Rate limit properly: DIRB has no thread setting, so throttle with -z and pick smaller wordlists to avoid getting blacklisted. On bug bounty programs follow the program’s rate rules and, where timing matters, prefer low-traffic periods.

  5. Integrate with Burp: Use -p to route through Burp and analyze traffic live.

⚔️ DIRB vs. Other Tools

Feature         DIRB                            Gobuster (dir mode)   FFUF
Written in      C                               Go                    Go
Speed           Moderate (single-threaded)      Fast                  Very fast
Extensible      Limited                         High                  High
Proxy support   Yes (-p)                        Yes (--proxy)         Yes (-x)
HTTPS           Yes                             Yes                   Yes
Recursive       Yes, by default (-r disables)   No                    Yes (-recursion)

📁 Sample Output Explained

Here’s a closer look at the two kinds of finding lines DIRB prints:

==> DIRECTORY: http://example.com/admin/
+ http://example.com/uploads/ (CODE:403|SIZE:298)
  • ==> DIRECTORY: a path that answered as an existing directory; DIRB queues it for recursive scanning (unless -r was given)
  • +: a path whose response did not match the NOT_FOUND fingerprint
  • URL: The discovered endpoint
  • CODE: HTTP response (e.g., 200 OK, 301/302 redirect, 403 Forbidden)
  • SIZE: Size of the response body in bytes

📌 403? Usually good: the path exists but is access-controlled. Compare sizes before celebrating, though. A dozen 403 hits that all report SIZE:298 are most likely one generic "Forbidden" template from a server-wide rule, not a dozen separate protected resources.
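DIRB only writes plain text, so the size comparison above has to be done by hand or with a few lines of your own. The parser below is an added example (it is not part of DIRB) that reads a saved -o file or the terminal output, separates directories from + hits, groups hits by status code, and flags any (code, size) pair that recurs at least three times as a probable generic page. The SAMPLE text is a constructed excerpt in DIRB's output format; the host, paths and sizes are made up.

```python
import re
from collections import Counter, defaultdict

# Added example: parse DIRB's text output and triage the hits.
# SAMPLE is a constructed excerpt in DIRB's output format, not a real scan.

SAMPLE = """\
---- Scanning URL: http://example.com/ ----
==> DIRECTORY: http://example.com/admin/
+ http://example.com/index.html (CODE:200|SIZE:4821)
+ http://example.com/login.php (CODE:200|SIZE:1256)
+ http://example.com/uploads/ (CODE:403|SIZE:298)
+ http://example.com/server-status (CODE:403|SIZE:298)
+ http://example.com/cgi-bin/ (CODE:403|SIZE:298)

---- Entering directory: http://example.com/admin/ ----
+ http://example.com/admin/config.bak (CODE:200|SIZE:2210)
+ http://example.com/admin/index.php (CODE:302|SIZE:0)
"""

HIT = re.compile(r"^\+ (\S+) \(CODE:(\d+)\|SIZE:(\d+)\)")
DIR = re.compile(r"^==> DIRECTORY: (\S+)")


def parse_dirb(text):
    """Return ([(url, code, size), ...], [directory_url, ...])."""
    hits, dirs = [], []
    for line in text.splitlines():
        m = HIT.match(line)
        if m:
            hits.append((m.group(1), int(m.group(2)), int(m.group(3))))
            continue
        m = DIR.match(line)
        if m:
            dirs.append(m.group(1))
    return hits, dirs


def by_code(hits):
    """Group hit URLs by HTTP status code."""
    groups = defaultdict(list)
    for url, code, _ in hits:
        groups[code].append(url)
    return dict(groups)


def suspicious_sizes(hits, min_repeats=3):
    """(code, size) pairs seen min_repeats times or more: many hits sharing one
    code and byte size usually come from one generic page (a 403 template, a
    catch-all handler), so they need a manual look before counting as findings."""
    counts = Counter((code, size) for _, code, size in hits)
    return {pair for pair, n in counts.items() if n >= min_repeats}


def triage(text, min_repeats=3):
    """Split a DIRB report into directories, hits worth a look, and generic hits."""
    hits, dirs = parse_dirb(text)
    generic = suspicious_sizes(hits, min_repeats)
    interesting = [h for h in hits if (h[1], h[2]) not in generic]
    boring = [h for h in hits if (h[1], h[2]) in generic]
    return dirs, interesting, boring


if __name__ == "__main__":
    dirs, interesting, boring = triage(SAMPLE)
    print("directories:", dirs)
    print("by code:", by_code(parse_dirb(SAMPLE)[0]))
    print("look at:", [u for u, _, _ in interesting])
    print("probably one generic page:", [u for u, _, _ in boring])
```

To use it on a real run, read the file saved with -o and pass its contents to triage(); the three 403 hits in the sample all share SIZE:298 and land in the "generic" bucket, while the 302 on /admin/index.php (a redirect, probably to a login form) stays on the list to examine.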

🛑 Limitations of DIRB

  • Single-threaded, so much slower than FFUF or Gobuster on large wordlists
  • Wildcard/soft-404 servers need manual tuning (-N, -f) or you get floods of false hits
  • Plain-text output only (no JSON/XML); post-process it yourself
  • No rate limiting beyond a fixed -z delay between requests

Still, its simplicity makes it a favorite for quick enumeration.

🔄 Automating DIRB

Wrap it in a shell script. The output name is derived from the host rather than the full URL, because "http://example.com-scan.txt" contains slashes and would not be a usable file name:

#!/bin/bash
# dirbscan.sh - run DIRB with sane defaults and a filesystem-safe output name
set -euo pipefail

URL="${1:?usage: $0 <url> [wordlist]}"
WORDLIST="${2:-/usr/share/dirb/wordlists/common.txt}"

# Strip the scheme and anything after the host (port, path) for the file name.
HOST=$(printf '%s' "$URL" | sed -E 's#^[a-z]+://##; s#[/:].*$##')
OUT="${HOST}-scan.txt"

echo "Scanning $URL with $WORDLIST -> $OUT"
dirb "$URL" "$WORDLIST" -S -X .php,.bak -o "$OUT"

Run it like:

bash dirbscan.sh http://example.com /usr/share/dirb/wordlists/common.txt

🧾 Conclusion

DIRB is an essential tool in any web security researcher or bug bounty hunter’s toolkit. While it might be older and slower than newer tools like FFUF or Gobuster, its ease of use, reliability, and configurability make it incredibly useful.

Remember, the success of DIRB depends greatly on the quality of the wordlist, understanding of the target, and your ability to interpret the responses.

So the next time you're pentesting a target, fire up DIRB and start digging!
