rustbuster
DirBuster for Rust. It ended up by becoming a collection of modules useful in a different situation. Having a single executable suitable for most common web fuzzing tasks is very handy. At the time of writing, there are five modules available, that are: dir, dns, vhost, fuzz, and tilde.
Module
dir — Directories and files enumeration mode
The dir module can be used to discover new content. You can set up a wordlist and an extensions list to discover directories and files hosted on the webserver. Rustbuster will send all the requests with the given concurrency level and report back which one is existing.
rustbuster-dir
Directories and files enumeration mode
USAGE:
rustbuster dir [FLAGS] [OPTIONS] --url <url> --wordlist <wordlist>...
FLAGS:
-f, --append-slash Tries to also append / to the base request
-K, --exit-on-error Exits on connection errors
-h, --help Prints help information
-k, --ignore-certificate Disables TLS certificate validation
--no-banner Skips initial banner
--no-progress-bar Disables the progress bar
-V, --version Prints version information
-v, --verbose Sets the level of verbosity
OPTIONS:
-e, --extensions <extensions> Sets the extensions [default: ]
-b, --http-body <http-body> Uses the specified HTTP method [default: ]
-H, --http-header <http-header>... Appends the specified HTTP header
-X, --http-method <http-method> Uses the specified HTTP method [default: GET]
-S, --ignore-status-codes <ignore-status-codes> Sets the list of status codes to ignore [default: 404]
-s, --include-status-codes <include-status-codes> Sets the list of status codes to include [default: ]
-o, --output <output> Saves the results in the specified file [default: ]
-t, --threads <threads> Sets the amount of concurrent requests [default: 10]
-u, --url <url> Sets the target URL
-a, --user-agent <user-agent> Uses the specified User-Agent [default: rustbuster]
-w, --wordlist <wordlist>... Sets the wordlist
EXAMPLE:
rustbuster dir -u http://localhost:3000/ -w examples/wordlist -e php
dns — A/AAAA DNS entries enumeration mode
The dns module can be used to discover subdomains of a given domain. It works by simply asking your default DNS resolver to resolve potential hostnames and reporting which one successfully resolve.
rustbuster-dns
A/AAAA entries enumeration mode
USAGE:
rustbuster dns [FLAGS] [OPTIONS] --domain <domain> --wordlist <wordlist>...
FLAGS:
-K, --exit-on-error Exits on connection errors
-h, --help Prints help information
--no-banner Skips initial banner
--no-progress-bar Disables the progress bar
-V, --version Prints version information
-v, --verbose Sets the level of verbosity
OPTIONS:
-d, --domain <domain> Uses the specified domain
-o, --output <output> Saves the results in the specified file [default: ]
-t, --threads <threads> Sets the amount of concurrent requests [default: 10]
-w, --wordlist <wordlist>... Sets the wordlist
EXAMPLE:
rustbuster dns -d google.com -w examples/wordlist
vhost — Virtual hosts enumeration mode
The vhost module can be used to enumerate which Virtual Hosts are available on the webserver. It works by fuzzing the Host HTTP Header using the given wordlist and filtering out the results by checking the presence of provided -x,–ignore-string parameter in the HTTP body of the response.
rustbuster-vhost
Virtual hosts enumeration mode
USAGE:
rustbuster vhost [FLAGS] [OPTIONS] --domain <domain> --ignore-string <ignore-string>... --url <url> --wordlist <wordlist>...
FLAGS:
-K, --exit-on-error Exits on connection errors
-h, --help Prints help information
-k, --ignore-certificate Disables TLS certificate validation
--no-banner Skips initial banner
--no-progress-bar Disables the progress bar
-V, --version Prints version information
-v, --verbose Sets the level of verbosity
OPTIONS:
-d, --domain <domain> Uses the specified domain to bruteforce
-b, --http-body <http-body> Uses the specified HTTP body [default: ]
-H, --http-header <http-header>... Appends the specified HTTP header
-X, --http-method <http-method> Uses the specified HTTP method [default: GET]
-S, --ignore-status-codes <ignore-status-codes> Sets the list of status codes to ignore [default: 404]
-x, --ignore-string <ignore-string>... Ignores results with specified string in the HTTP body
-s, --include-status-codes <include-status-codes> Sets the list of status codes to include [default: ]
-o, --output <output> Saves the results in the specified file [default: ]
-t, --threads <threads> Sets the amount of concurrent requests [default: 10]
-u, --url <url> Sets the target URL
-a, --user-agent <user-agent> Uses the specified User-Agent [default: rustbuster]
-w, --wordlist <wordlist>... Sets the wordlist
EXAMPLE:
rustbuster vhost -u http://localhost:3000/ -w examples/wordlist -d test.local -x "Hello"
fuzz — Custom fuzzing enumeration mode
The fuzz module can be used when a more flexible fuzzing pattern is needed. You can define the injection points and a wordlist for each of them. A cartesian product of requests will be generated. CSRF token is also supported!
rustbuster-fuzz
Custom fuzzing enumeration mode
USAGE:
rustbuster fuzz [FLAGS] [OPTIONS] --url <url> --wordlist <wordlist>...
FLAGS:
-K, --exit-on-error Exits on connection errors
-h, --help Prints help information
-k, --ignore-certificate Disables TLS certificate validation
--no-banner Skips initial banner
--no-progress-bar Disables the progress bar
-V, --version Prints version information
-v, --verbose Sets the level of verbosity
OPTIONS:
--csrf-header <csrf-header>... Adds the specified headers to CSRF GET request
--csrf-regex <csrf-regex> Grabs the CSRF token applying the specified RegEx
--csrf-url <csrf-url> Grabs the CSRF token via GET to csrf-url
-b, --http-body <http-body> Uses the specified HTTP method [default: ]
-H, --http-header <http-header>... Appends the specified HTTP header
-X, --http-method <http-method> Uses the specified HTTP method [default: GET]
-S, --ignore-status-codes <ignore-status-codes> Sets the list of status codes to ignore [default: 404]
-x, --ignore-string <ignore-string>... Ignores results with specified string in the HTTP Body
-s, --include-status-codes <include-status-codes> Sets the list of status codes to include [default: ]
-i, --include-string <include-string>... Includes results with specified string in the HTTP body
-o, --output <output> Saves the results in the specified file [default: ]
-t, --threads <threads> Sets the amount of concurrent requests [default: 10]
-u, --url <url> Sets the target URL
-a, --user-agent <user-agent> Uses the specified User-Agent [default: rustbuster]
-w, --wordlist <wordlist>... Sets the wordlist
EXAMPLE:
rustbuster fuzz -u http://localhost:3000/login \
-X POST \
-H "Content-Type: application/json" \
-b '{"user":"FUZZ","password":"FUZZ","csrf":"CSRFCSRF"}' \
-w examples/wordlist \
-w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt \
-s 200 \
--csrf-url "http://localhost:3000/csrf" \
--csrf-regex '\{"csrf":"(\w+)"\}'
tilde — IIS 8.3 shortname enumeration mode
The tilde module can be used to exploit the known information disclosure issue related to Microsoft IIS and DOS 8.3 filenames that makes possible to easily enumerate the server-side file system structure.
rustbuster-tilde
IIS 8.3 shortname enumeration mode
USAGE:
rustbuster tilde [FLAGS] [OPTIONS] --url <url>
FLAGS:
-K, --exit-on-error Exits on connection errors
-h, --help Prints help information
-k, --ignore-certificate Disables TLS certificate validation
--no-banner Skips initial banner
--no-progress-bar Disables the progress bar
-V, --version Prints version information
-v, --verbose Sets the level of verbosity
OPTIONS:
-e, --extension <extension> Sets the redirect extension
-b, --http-body <http-body> Uses the specified HTTP body [default: ]
-H, --http-header <http-header>... Appends the specified HTTP header
-X, --http-method <http-method> Uses the specified HTTP method [default: GET]
-S, --ignore-status-codes <ignore-status-codes> Sets the list of status codes to ignore [default: 404]
-s, --include-status-codes <include-status-codes> Sets the list of status codes to include [default: ]
-o, --output <output> Saves the results in the specified file [default: ]
-t, --threads <threads> Sets the amount of concurrent requests [default: 10]
-u, --url <url> Sets the target URL
-a, --user-agent <user-agent> Uses the specified User-Agent [default: rustbuster]
EXAMPLE:
rustbuster tilde -u http://localhost:3000/ -e aspx -X OPTIONS
Changelog v3.0.3
- fixed false positives (#34)
- optimized build for size
Use
Copyright (C) 2019 Phra
Source: https://github.com/phra/
