Bug#433472: ITP: dirbuster -- Directory & file brute forcing, with a twist
On Tuesday 17 July 2007 15:05:44 Steve Greenland wrote:
> Nitpick: "multi-threaded".
The description is taken directly from upstream. I will pass on your comment.
> Bigger pick: I *think* I understand what a "directory brute forcing"
> is from the context, but there's got to be a more explicit way of
> describing this package. In particular, think about what someone who
> wants this package might search for.
There are lists, but they are licenced under a CC (:() license. I will
probably add scripts to pull them directly from sourceforge.net.
> Does this package really have any non-cracker usefulness? If I'm the
> sys admin, then it's a lot easier for me to 'ls -R' and look at the
> configuration files to find what URLs might be in play.
It's always questionable whether tools have non-cracker usefulness. I'm a
penetration tester, so from my perspective yes. I guess the tool falls into
the same bracket as nikto. Some legitimate use cases off the top of my head:
* Cases where roles within an organisation are segregated - security teams do
not always have root
* Auditing embedded devices - the lists are generated from crawling the net,
so are based on real file/directory names used by developers
* Auditing dynamic applications where URLs don't necessarily map on to files
* Auditing web server ACLs
* Load testing - it can produce up to 6000 requests/second
I'd also point out that this is an OWASP project.
Tim
--
Tim Brown
<mailto:timb@nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/>