
How to Use DirBuster: Complete Beginner's Guide to Directory Scanning

HackerDNA Team

12 min read

Jan. 24, 2026

Last updated: Jan. 25, 2026

You have found a web application during a penetration test, but the homepage reveals nothing interesting. How do you discover hidden admin panels, backup files, or forgotten endpoints? Learning how to use DirBuster is your answer. This Java-based directory enumeration tool, originally developed by OWASP, systematically probes web servers to uncover content that is not linked from the main site.

This tutorial walks you through everything you need to know about DirBuster in 2026. From installation and GUI navigation to wordlist selection and command-line usage, you will learn to effectively enumerate web directories during authorized security assessments. Whether you are preparing for a CTF competition or conducting professional penetration testing, mastering DirBuster is a foundational skill for web application security.

What Is DirBuster?

DirBuster is a multi-threaded Java application designed to brute force directories and file names on web and application servers. Originally developed by the Open Web Application Security Project (OWASP) and now available on SourceForge, it works by making HTTP requests using entries from a wordlist to discover hidden content.

Web applications often contain directories and files that are not linked from the main navigation. These might include:

  • Admin panels at paths like /admin or /administrator
  • Backup files such as config.bak or database.sql
  • Development files like .git folders or phpinfo.php
  • API endpoints not documented publicly
  • Old versions of files with names like index.php.old

DirBuster finds these hidden resources by systematically testing thousands of potential paths against your target. When the server responds with a status code indicating the resource exists (like 200 OK or 403 Forbidden), DirBuster flags it for your review.

The tool offers both a graphical user interface (GUI) and headless command-line mode. The GUI makes it beginner-friendly, displaying results in real-time as both a list and a tree structure that maps the discovered directory hierarchy.

Unlike some security tools that offer web-based versions, DirBuster runs locally on your machine. This gives you full control over scan parameters, wordlists, and output, but requires installation before use.

How to Use DirBuster in Kali Linux

DirBuster comes pre-installed on most penetration testing distributions. On Kali Linux, you can verify its presence or install it with a single command.

Check If DirBuster Is Installed

Open a terminal and type:

which dirbuster

If installed, this returns the path to the executable, typically /usr/bin/dirbuster.

Install DirBuster

If DirBuster is not present, install it using apt:

sudo apt update && sudo apt install dirbuster

The installation includes both the application and a collection of wordlists in /usr/share/dirbuster/wordlists/.

Launching DirBuster

You have several ways to start DirBuster:

  • From terminal: Type dirbuster and press Enter
  • From menu: Navigate to Applications > Web Application Analysis > dirbuster
  • From command line with options: dirbuster -u http://target.com

The GUI opens in a new window, ready for configuration. If you are new to Kali Linux, our guide on updating Kali Linux ensures your tools are current before testing.

After launching DirBuster, you are ready to configure your first scan. The sections below walk you through each GUI setting and explain how to run your initial directory enumeration.

Understanding the DirBuster GUI

The DirBuster interface might look complex at first, but it is logically organized. Understanding each component helps you configure scans effectively.

Main Configuration Panel

At the top of the window, you will find the essential settings:

  • Target URL: Enter the full URL including protocol (http:// or https://) and port if non-standard
  • Work Method: Choose between GET requests (faster, default) or HEAD requests (less intrusive)
  • Number of Threads: Controls concurrent connections; default is 10
  • Go Faster checkbox: Removes politeness delay between requests

Scanning Type Selection

DirBuster offers two scanning approaches:

  • List based brute force: Uses a wordlist file; this is the most common method
  • Pure brute force: Generates character combinations; extremely slow and rarely practical

For almost all scenarios, use list-based brute force with an appropriate wordlist.

File Extension Settings

The "File extension" field lets you specify extensions to append to each wordlist entry. For example, entering php,txt,bak means each word gets tested as a directory and with each extension.

If your wordlist contains "config", DirBuster tests:

  • /config (as a directory)
  • /config.php
  • /config.txt
  • /config.bak

Results Display

The lower section shows results in two tabs:

  • Results - List View: Shows each discovery with URL, response code, and size
  • Results - Tree View: Displays the directory structure as a hierarchical tree

Both views update in real-time as DirBuster discovers content.

How to Use DirBuster: Step-by-Step Tutorial

Let us walk through a complete scan from start to finish. This tutorial assumes you have a legally authorized target.

Step 1: Configure the Target

In the "Target URL" field, enter your target address. Include the protocol and port:

http://192.168.1.100:80

For HTTPS targets:

https://target.example.com:443

The trailing slash is optional; DirBuster handles both formats.

Step 2: Select a Wordlist

Click "Browse" next to the "File with list of dirs/files" field. Navigate to the wordlists directory:

/usr/share/dirbuster/wordlists/

You will find several options:

  • directory-list-2.3-small.txt (87,650 entries) - Quick scans
  • directory-list-2.3-medium.txt (220,546 entries) - Balanced approach
  • directory-list-2.3-big.txt (1,273,819 entries) - Comprehensive but slow

Start with the small or medium list. You can always run additional scans with larger lists if needed.

Step 3: Configure Extensions

In the "File extension" field, add extensions relevant to your target. Common choices include:

  • PHP applications: php, phps, php5, phtml
  • ASP.NET: asp, aspx, ashx, asmx
  • General web: html, htm, txt, xml, json
  • Backup files: bak, old, backup, orig, save

For a PHP target, you might enter: php,txt,bak,old

Step 4: Adjust Thread Count

The default of 10 threads works for most targets. Consider these guidelines:

  • Slow servers: Reduce to 5 threads
  • Robust servers: Increase to 20-50 threads
  • Rate-limited targets: Use fewer threads to avoid blocks

Higher thread counts complete scans faster but increase the chance of detection or overwhelming the target.

Step 5: Start the Scan

Click "Start" to begin. The progress bar shows completion percentage, and the Results tabs populate with discoveries. You will see entries appear with status codes like:

  • 200 OK: Resource exists and is accessible
  • 301/302: Redirect to another location
  • 403 Forbidden: Exists but access denied
  • 404 Not Found: Does not exist (usually filtered from results)

Step 6: Analyze Results

Review discoveries in the List View. Pay special attention to:

  • 200 responses for accessible content
  • 403 responses indicating protected directories that exist
  • Unusual file names suggesting development artifacts
  • Backup extensions that might expose source code

Switch to Tree View to understand the directory hierarchy. This visualization helps you spot patterns and plan further enumeration of interesting subdirectories.

Step 7: Export Results

When the scan completes, export your findings. Go to Report > Generate Report and choose your format (HTML, XML, or plain text). This documentation is essential for professional penetration testing reports.

DirBuster Wordlist: Choosing the Right One

Your wordlist determines what DirBuster can find. A comprehensive wordlist improves discovery rates, while a targeted list reduces scan time.

Default DirBuster Wordlists

The included wordlists in /usr/share/dirbuster/wordlists/ cover common scenarios:

  • directory-list-2.3-small.txt: Fast scans, ~87K entries, completes in minutes
  • directory-list-2.3-medium.txt: Industry standard, ~220K entries, balances speed and coverage
  • directory-list-2.3-big.txt: Exhaustive, ~1.3M entries, takes hours on most targets

SecLists Collection

For more options, install SecLists, the most comprehensive wordlist collection available:

sudo apt install seclists

After installation, find directory enumeration lists in /usr/share/seclists/Discovery/Web-Content/. Notable options include:

  • common.txt - Quick starting point with ~4,600 entries
  • raft-small-directories.txt - Compiled from real website crawls
  • big.txt - Extensive list for thorough testing

For detailed wordlist recommendations, our Gobuster wordlist guide covers selection strategies that apply equally to DirBuster.

Wordlist Strategy

Follow this approach for efficient scanning:

  1. Start with common.txt for quick wins
  2. Progress to medium lists if initial results are sparse
  3. Use large lists only for high-value targets with sufficient time
  4. Create custom lists based on target reconnaissance

DirBuster Commands: Using the Command Line

DirBuster supports headless mode for scripting or when running on systems without a GUI. This mode is useful for automation and remote testing.

Basic Command Line Syntax

dirbuster -H -u http://target.com -l /path/to/wordlist.txt -e php,txt

Key command line options:

  • -H - Run in headless (no GUI) mode
  • -u - Target URL
  • -l - Path to wordlist file
  • -e - File extensions to test
  • -t - Number of threads (default: 10)
  • -r - Path to save the report file
  • -s - Directory to start scanning from

Complete Example

dirbuster -H -u http://192.168.1.100 -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,txt,bak -t 20 -r /tmp/dirbuster_report.txt

This command scans the target with 20 threads, tests PHP, TXT, and BAK extensions, and saves results to a file.

When to Use Command Line Mode

  • Running scans on remote servers via SSH
  • Automating scans in scripts or pipelines
  • Systems with limited memory where GUI overhead is unwanted
  • Batch scanning multiple targets

DirBuster vs Gobuster: Which Should You Use?

Modern penetration testers often ask whether to use DirBuster or its Go-based successor, Gobuster. Both tools serve similar purposes but differ in implementation and features.

DirBuster Advantages

  • GUI interface: Easier for beginners; visual tree view of results
  • Built-in reporting: Generate formatted reports directly
  • Pure brute force option: Generate character combinations (rarely useful but available)
  • Pause and resume: Stop scans and continue later

Gobuster Advantages

  • Speed: Written in Go, typically faster than Java-based DirBuster
  • Lower memory usage: More efficient for large wordlists
  • Additional modes: DNS subdomain enumeration, virtual host discovery, S3 bucket scanning
  • Active development: Regular updates and new features

Recommendation

Use DirBuster when you want a GUI, need built-in reporting, or are learning directory enumeration basics. Switch to Gobuster for faster scans, scripted automation, or when you need DNS and vhost enumeration. Many professionals use both depending on the situation. Learn Gobuster syntax with our cheat sheet collection.

Tips for Effective Directory Enumeration

Getting good results from DirBuster requires more than just clicking Start. These techniques improve your discovery rate and efficiency.

Reconnaissance First

Before scanning, gather information about your target:

  • Identify the web server (Apache, Nginx, IIS)
  • Determine the programming language (PHP, ASP.NET, Python)
  • Note any frameworks or CMS platforms

This information guides wordlist selection and extension choices. An IIS server running ASP.NET needs different extensions than an Apache server running PHP.

Start with Focused Scans

Begin with a small wordlist and common extensions. If you find an interesting directory like /api/, run a separate scan against that path specifically:

Target URL: http://target.com/api/

This recursive approach finds deeper content without scanning the entire wordlist against every possible base path.

Investigate 403 Responses

A 403 Forbidden response means the directory exists but access is denied. These are valuable findings. The directory might:

  • Allow access from specific IPs
  • Require authentication you can bypass
  • Contain misconfigured subdirectories with looser permissions

Watch for Custom Error Pages

Some applications return 200 OK for non-existent pages with a custom "not found" message. DirBuster might report these as found. Check the response size column; legitimate pages typically have varying sizes, while error pages are uniform.
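As an added example (not from the article or from DirBuster itself), this Python snippet applies the size-uniformity check described above to constructed scan results: 200 responses whose sizes cluster together are flagged as probable custom error pages. The row format, the cluster size and the tolerance parameter are assumptions.

```python
"""Flag probable custom error pages ("soft 404s") in directory-scan results.

Added example, not part of DirBuster. Works on (url, status, size) rows like
those shown in DirBuster's List View; the rows below are constructed.
"""
from collections import Counter

# Constructed sample rows: (url, HTTP status, response size in bytes).
# /foo, /bar and /baz.php are bogus paths that the server answers with a
# "not found" page served as 200; the size differs slightly because the
# requested path is echoed in the body.
SAMPLE_RESULTS = [
    ("/admin/", 403, 287),
    ("/images/", 200, 1342),
    ("/config.php", 200, 0),
    ("/backup/", 200, 4096),
    ("/foo", 200, 5123),
    ("/bar", 200, 5123),
    ("/baz.php", 200, 5127),
    ("/login.php", 200, 2210),
]


def find_soft_404s(results, min_cluster=3, tolerance=0):
    """Return 200-status rows whose size matches at least min_cluster rows.

    Real pages usually vary in size; a custom "not found" page returned with
    200 has the same (or nearly the same) size for every bogus path.
    tolerance (bytes) absorbs small differences such as an echoed path.
    """
    ok = [r for r in results if r[1] == 200]
    sizes = Counter(r[2] for r in ok)
    suspects = []
    for url, status, size in ok:
        # Number of 200 responses whose size is within tolerance of this one.
        cluster = sum(n for s, n in sizes.items() if abs(s - size) <= tolerance)
        if cluster >= min_cluster:
            suspects.append((url, status, size))
    return suspects


def filter_results(results, **kw):
    """Split results into (likely real, likely soft-404) lists."""
    soft = set(find_soft_404s(results, **kw))
    real = [r for r in results if r not in soft]
    return real, sorted(soft)
```

With tolerance=0 the three echoed-path responses are not recognised as one cluster; a few bytes of tolerance groups them, which is the case to check for first when a scan suddenly reports hundreds of 200s.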

Consider Timing and Rate Limiting

Aggressive scanning triggers security controls. If you notice connection drops or increased latency:

  • Reduce thread count
  • Uncheck "Go Faster" to add delays
  • Switch from GET to HEAD requests

Patience often yields better results than speed.
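From the defender's side, the controls mentioned above key on the same signature a wordlist scan leaves in the access log: one client producing a burst of 404s. This added Python example (not part of the article or of any tool it names) parses constructed Apache/Nginx combined-format log lines and alerts on client IPs that exceed a 404 threshold inside a sliding time window; the threshold, window length and sample log are assumptions.

```python
"""Detect directory brute-force activity in a web server access log.

Added example, not part of DirBuster. Parses Apache/Nginx "combined" format
lines and flags client IPs with many 404 responses in a short window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold=20, window_s=60):
    """Return {ip: (n_404, first_path, last_path)} for IPs that reach
    `threshold` 404 responses within any `window_s`-second sliding window."""
    windows = defaultdict(deque)  # per-IP queue of (timestamp, path) for 404s
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = windows[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop entries older than the window
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = (len(q), q[0][1], q[-1][1])
    return alerts


def make_sample_log():
    """Constructed sample: one scanner requesting 25 wordlist paths in 25 s,
    plus an ordinary visitor with two mistyped URLs and one valid page."""
    base = datetime(2026, 1, 24, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 196 "-" "{ua}"'
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="203.0.113.5", ts=ts, path=f"/word{i}",
                                status=404, ua="constructed-scanner-ua"))
    for secs, path, status in [(5, "/abuot", 404), (6, "/about", 200), (40, "/contatc", 404)]:
        ts = (base + timedelta(seconds=secs)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.7", ts=ts, path=path,
                                status=status, ua="Mozilla/5.0"))
    return lines
```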

Legal and Ethical Considerations

DirBuster sends potentially thousands of requests to a target server. This activity is only legal when you have explicit authorization from the system owner.

Authorized Use Cases

  • Penetration testing with a signed engagement letter
  • Bug bounty programs where enumeration is in scope
  • Testing your own applications and infrastructure
  • CTF competitions and intentionally vulnerable labs
  • Educational environments designed for security practice

Never Scan Without Permission

Unauthorized scanning is illegal in most jurisdictions, regardless of intent. Even if you discover a vulnerability, accessing systems without permission can result in criminal charges. The "I was just testing" defense does not hold up in court.

Document Your Authorization

Before any penetration test, obtain written authorization that specifically includes:

  • Target IP addresses or domains
  • Testing timeframes
  • Permitted techniques (including directory enumeration)
  • Emergency contacts

Keep this documentation accessible throughout your engagement. If questioned, you can immediately prove your authorization.

Safe Practice Environments

Build your skills on intentionally vulnerable systems. Options include HackerDNA labs, OWASP WebGoat, DVWA, and VulnHub machines. These environments let you practice aggressive techniques without legal risk. Check our CTF guide for beginners for more practice platforms.

Frequently Asked Questions

How do I install DirBuster on Kali Linux?

Run sudo apt update && sudo apt install dirbuster in your terminal. On most Kali installations, DirBuster comes pre-installed. Launch it by typing dirbuster in the terminal or finding it in the applications menu under Web Application Analysis.

What is the best wordlist for DirBuster?

Start with directory-list-2.3-medium.txt for a good balance of coverage and speed. For quick scans, use common.txt from SecLists. The best choice depends on your target and time constraints.

Is DirBuster better than Gobuster?

Each tool has strengths. DirBuster offers a GUI and built-in reporting, making it beginner-friendly. Gobuster is faster and supports additional enumeration modes like DNS and virtual hosts. Many professionals use both tools depending on the scenario.

How long does a DirBuster scan take?

Scan duration depends on wordlist size, extensions, thread count, and target response time. A medium wordlist (220K entries) with 10 threads against a responsive server completes in 30-60 minutes. Large wordlists can take several hours.

Why does DirBuster miss directories I know exist?

DirBuster only finds what is in your wordlist. If a directory uses an unusual name not in your list, it will not be discovered. Try larger wordlists, add relevant extensions, or create custom wordlists based on target reconnaissance.

Can I use DirBuster against HTTPS sites?

Yes, DirBuster supports both HTTP and HTTPS. Enter the full URL with the https:// protocol in the Target URL field. The tool handles SSL/TLS connections automatically.

Can I use DirBuster online without installing it?

DirBuster is a desktop application that requires local installation. There is no official online version. Web-based directory scanners exist but lack DirBuster's customization and control. For best results, install DirBuster on Kali Linux where you can configure wordlists and scan parameters freely.

Start Practicing Directory Enumeration Today

You now know how to use DirBuster for web directory enumeration, from basic GUI usage to command-line automation. The key points to remember: choose appropriate wordlists for your target, pay attention to all response codes including 403 errors, and always obtain proper authorization before scanning.

DirBuster remains a valuable tool in any web application tester's arsenal. Its graphical interface makes it accessible to beginners while providing the power needed for professional assessments. Combined with proper reconnaissance and thoughtful wordlist selection, it reveals hidden content that manual browsing would never uncover.

Ready to put your skills into practice? Explore our web attacks course for hands-on experience with directory enumeration and other web application testing techniques. The more you practice in safe environments, the more effective your real-world assessments become.
