feroxbuster

Fast, recursive content discovery tool written in Rust. Excels at finding unlinked content.

Install:

curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/main/install-nix.sh | sudo bash -s /usr/local/bin

Basic Usage

# Default scan (no -w, so the default wordlist is used)
feroxbuster -u http://TARGET

# Custom wordlist
feroxbuster -u http://TARGET -w /usr/share/seclists/Discovery/Web-Content/common.txt

Recursive Scanning

feroxbuster recurses by default: it automatically scans each directory it discovers.

# Limit recursion depth
feroxbuster -u http://TARGET -d 2

# Disable recursion
feroxbuster -u http://TARGET -n

# Attempt recursion on every reported endpoint, limited to the listed status codes
feroxbuster -u http://TARGET --force-recursion -s 200,301

Extensions

# Add file extensions
feroxbuster -u http://TARGET -x php,html,txt,bak,js

# With dot prefix (some setups)
feroxbuster -u http://TARGET -x .php,.txt,.conf

# Multiple extensions
feroxbuster -u http://TARGET -x php -x html -x txt
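
Defender's view of the -x options above, as an added example that is not part of the original cheat sheet: a client that requests the same stem with several extensions and mostly gets 404s stands out in an access log even when -a sets a browser User-Agent. The combined log format, the thresholds, the function names and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict
from posixpath import splitext

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def fanout_clients(lines, min_variants=3, min_stems=3, min_404_ratio=0.8):
    """Return {ip: fanned_out_stem_count} for clients whose requests look like -x scans."""
    variants = defaultdict(lambda: defaultdict(set))  # ip -> stem -> {ext, ...}
    total = defaultdict(int)
    missing = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0]      # ignore the query string
        stem, ext = splitext(path)          # "/admin.php" -> ("/admin", ".php")
        variants[ip][stem].add(ext)
        total[ip] += 1
        missing[ip] += status == "404"
    flagged = {}
    for ip, stems in variants.items():
        # A stem is "fanned out" when it was requested with several extensions.
        fanned = sum(1 for exts in stems.values() if len(exts) >= min_variants)
        if fanned >= min_stems and missing[ip] / total[ip] >= min_404_ratio:
            flagged[ip] = fanned
    return flagged

def sample_log():
    """Constructed log lines: one scanner-like client, one ordinary browser."""
    fmt = '{ip} - - [10/Mar/2025:10:00:00 +0000] "GET {p} HTTP/1.1" {s} 512 "-" "Mozilla/5.0"'
    out = []
    for word in ("admin", "backup", "config", "index"):
        for ext in ("", ".php", ".html", ".txt"):
            status = 200 if (word, ext) == ("index", ".php") else 404
            out.append(fmt.format(ip="203.0.113.7", p=f"/{word}{ext}", s=status))
    for p, s in (("/", 200), ("/index.php", 200), ("/css/site.css", 200),
                 ("/js/app.js", 200), ("/favicon.ico", 404)):
        out.append(fmt.format(ip="198.51.100.20", p=p, s=s))
    return out

if __name__ == "__main__":
    print(fanout_clients(sample_log()))
```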

HTTPS

# Skip TLS verification (-k)
feroxbuster -u https://TARGET -k -E -g -t 10

Filtering Output

| Flag | Description |
|------|-------------|
| -s | Status codes to include (whitelist) |
| -C | Status codes to exclude (blacklist) |
| -S | Filter by response size |
| -W | Filter by word count |
| -N | Filter by line count |
| -X | Filter by regex pattern |
| --filter-similar-to | Exclude pages similar to a reference |
| --dont-scan | Exclude specific paths from scanning |

Examples

# Only show 200 responses
feroxbuster -u http://TARGET -s 200

# Exclude 404 and 500
feroxbuster -u http://TARGET -C 404,500

# Exclude by response size
feroxbuster -u http://TARGET -S 1234

# Filter by word count
feroxbuster -u http://TARGET -W 100

# Filter by regex (exclude error pages)
feroxbuster -u http://TARGET -X "not found|error"

# Don't scan specific paths
feroxbuster -u http://TARGET --dont-scan /uploads --dont-scan /static

# Exclude only 404 (e.g. when 404 is noisy)
feroxbuster -u http://TARGET -Eg -C 404 -w wordlist.txt

CMS and non-standard ports

# CMS config files wordlist
feroxbuster -u http://TARGET -w /usr/share/seclists/Discovery/Web-Content/CMS/cms-configuration-files.txt

# CMS vanilla wordlist, exclude 404, auto extensions + word extraction
feroxbuster -Eg -C 404 -u http://TARGET -w /usr/share/seclists/Discovery/Web-Content/CMS/trickest-cms-wordlist/vanilla.txt

# Scan service on non-standard port (e.g. MinIO, API)
feroxbuster -u http://TARGET:54321 -Eg -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
feroxbuster -u http://TARGET:54321 -w /usr/share/seclists/Discovery/Web-Content/common.txt

# Scan a subpath (e.g. /js) for specific extensions
feroxbuster -u http://TARGET/js -E -g -t 10 -x js -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Performance

# Threads (default 50)
feroxbuster -u http://TARGET -t 100

# Rate limit (requests per second)
feroxbuster -u http://TARGET --rate-limit 100

# Timeout (seconds)
feroxbuster -u http://TARGET -T 10

Authentication

# Cookie
feroxbuster -u http://TARGET -b "session=abc123"

# Header
feroxbuster -u http://TARGET -H "Authorization: Bearer TOKEN"

Proxy

# Through Burp
feroxbuster -u http://TARGET --insecure --proxy http://127.0.0.1:8080

# Through SOCKS proxy
feroxbuster -u http://TARGET --proxy socks5h://127.0.0.1:9050

Output

# Save to file
feroxbuster -u http://TARGET -o results.txt

# JSON output
feroxbuster -u http://TARGET --json -o results.json

# Quiet mode (less output)
feroxbuster -u http://TARGET -q

File Extensions & Word Extraction

# Auto-add extensions seen during the scan: if the web app is written in PHP, feroxbuster starts scanning for .php automatically
feroxbuster -u http://TARGET -E

# Collect words from responses (builds custom wordlist)
feroxbuster -u http://TARGET -g

# Both together - comprehensive discovery
feroxbuster -u http://TARGET -Eg -t 15

Use case: -Eg is great for initial recon: it picks up file extensions automatically AND builds a wordlist from page content for further fuzzing.

Advanced Options

# Follow redirects
feroxbuster -u http://TARGET -r

# Custom User-Agent
feroxbuster -u http://TARGET -a "Mozilla/5.0"

# Scan multiple URLs from file
feroxbuster --stdin < urls.txt

# Resume scan from state file
feroxbuster --resume-from ferox-state.json

# Auto-tune (smart throttling)
feroxbuster -u http://TARGET --auto-tune

Quick Reference

# Standard recursive scan
feroxbuster -u http://TARGET -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html -d 2

# Fast scan with filtering
feroxbuster -u http://TARGET -t 100 -C 404,403 -S 0

# Through proxy
feroxbuster -u http://TARGET --insecure --proxy http://127.0.0.1:8080

# HTTPS dir bust with extensions and word extraction
feroxbuster -u https://TARGET -k -E -g -t 10 -x .txt,.php

# Save results
feroxbuster -u http://TARGET -o scan_results.txt