
A command-line tool for bruteforce-guessing directory and filenames on web servers.

http-dir-enum is a tool for finding content that is not linked on a web site. Its main use is for finding directories that exist on a server. Simply provide a dictionary file and a URL.

This tool is written in Perl and uses the LWP (libwww-perl) library.

Key features

  • Automatic detection of which HTTP response code to ignore (normally 404, but can vary on some sites)
  • Support for bruteforcing Files and Directories
  • Can search for directories recursively
  • Proxy support
  • Support for HTTP Basic Authentication
  • Support for sending custom cookies
  • Save scan output in XML format
  • Command line (lack of GUI is a feature, not a bug)
  • Parallel worker processes (-m) for extra speed
  • HTTP keep alive support for extra speed (can be turned off)

Usage


http-dir-enum v0.4.3 ( https://labs.portcullis.co.uk/application/http-dir-enum/ )
Copyright (C) 2006 Mark Lowe ( mrl@portcullis-security.com )

Given a URL and a wordlist, http-dir-enum will attempt to determine names of
directories that exist on a web site.

Usage: http-dir-enum.pl [options] -f dir-file url

options are:
  -m n      Maximum number of worker processes (default: 8)
  -f file   File of potential directory names
  -k file   File of known directory names
  -c 0|1    Close connection between each attempt (default: 0)
  -r 0|1    Recursively enumerate sub directories (default: 1)
  -t n      Wait a maximum of n seconds for reply (default: 20)
  -u user   Username to use for basic authentication
  -p pass   Password to use for basic authentication
  -H g|h    HTTP method g=GET, h=HEAD (default: head)
  -i code   Ignore HTTP response code (e.g. 404 or '404|200')
  -U str    Set User-Agent header to str (default based on Firefox 2.0.0.2/Linux)
  -s 0|1    Add a trailing slash to the URL (default: 1)
  -S 0|1    Case sensitive directory names (default: 1)
  -a 0|1    Automatically determine HTTP response code to ignore (default: 1)
  -l n      Limit scan to n attempts per second (default: unlimited)
  -R 0|1    Follow redirects (default: 0)
  -q        Quiet. Don't print out info ("[I]") messages
  -n n      Only read first n lines of dirs file (default: unlimited)
  -o file   Save XML report of dirs found to file (default: don't save a report)
  -x regx   Return only results that match this regular expression
  -X regx   Ignore results that match this regular expression
  -P url    Proxy URL
  -C str    Use cookie
  -v        Verbose
  -d        Debugging output
  -D code   Print out whole response if it has HTTP code "code" (e.g. 500)
  -h        This help message

The default options should be suitable most of the time, so the
typical usage would be:

http-dir-enum.pl -f dirs.txt http://host

PERFORMANCE TIPS:

* Make sure the number of processes (-m) is less than the number of directories
passed via the -f option. It normally is anyway.

* Use a lower number of processes (e.g. 2) over fast connections like localhost. Use a
higher number (e.g. 8 or 32) over laggy connections.

Examples

Below are some common uses for http-dir-enum. The output has been edited for brevity in most cases.

Guessing directory names

The simplest (and most common) way to run http-dir-enum is:

$ http-dir-enum.pl -f directory-names.txt http://192.168.2.54
Starting http-dir-enum v0.4.3 ( https://labs.portcullis.co.uk/application/http-dir-enum/ )
Copyright (C) 2006 Mark Lowe ( mrl@portcullis-security.com )

URL .................... http://192.168.2.54
Directory name file .... directory-names.txt
HTTP Method ............ HEAD
Recursive dir search ... On
Auto-ignore ............ On

######## Scan started on Fri Mar 28 16:08:11 2008 #########
[I] Processing directory: / (0 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54
cgi-bin 403
doc 403
icons 200
test 200
images 200
[I] Processing directory: cgi-bin (4 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/cgi-bin
[I] Processing directory: doc (3 dirs remaining)
[I] Auto-ignoring HTTP code 403 for http://192.168.2.54/doc
[I] Processing directory: icons (2 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/icons
[I] Processing directory: test (1 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/test
test/include 200
test/www 403
[I] Processing directory: images (2 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/images
[I] Processing directory: test/include (1 dirs remaining)
[I] Auto-ignoring HTTP code 200 for http://192.168.2.54/test/include
[I] Processing directory: test/www (0 dirs remaining)
[I] Auto-ignoring HTTP code 403 for http://192.168.2.54/test/www
######## Scan completed on Fri Mar 28 16:08:16 2008 #########
7 results.

5648 queries in 5 seconds (1130 queries / sec)

This guesses directory names from the dictionary file directory-names.txt. For each directory, http-dir-enum works out which HTTP response code means "not found" there and ignores it: for most directories that is 404, but for some it is 403 or even 200. Anything that answers with a different code is reported. Be aware of what this means for a directory whose ignore code is 200, such as test/include above: the status code alone can no longer reveal real content beneath it, so use -D 200 to dump the full responses and compare them by hand, or -a 0 together with -i to choose the ignored code yourself.

By default directory name guessing is recursive, i.e. whenever a directory is found http-dir-enum searches it for subdirectories in turn. Use -r 0 to turn recursion off.

HTTP HEAD requests are used by default because they are small and fast. Some servers don't respond well to HEAD requests (refusing them, or answering with the same code whether or not the path exists), so you can switch to GET requests with -H g.

To slow scans down (you don't want to DoS the server you're testing!) use -l 100 to limit scanning to 100 requests per second. You'll need to work out how many requests the target can handle; it varies a lot between servers, and even between directories on a single server. Bear in mind that recursion multiplies the total, since every directory found is scanned with the whole wordlist again.

If you're scanning an IIS server (or anything else on a case-insensitive filesystem) use -S 0 to turn off case sensitivity, so that time isn't wasted on case variants of the same name.

You can use just the first 2000 lines of a huge dictionary file with -n 2000.

If for some reason you don’t want http-dir-enum to automatically detect which HTTP response code to ignore, use -a 0 to turn off this feature.

To manually specify an HTTP response code to ignore, use something like -i 404, or -i '404|200'.

Less output

If you’d prefer not to know exactly where your scan is up to, you can use the -q option:

$ http-dir-enum.pl -q -f directory-names.txt http://192.168.2.54
Starting http-dir-enum v0.4.3 ( https://labs.portcullis.co.uk/application/http-dir-enum/ )
Copyright (C) 2006 Mark Lowe ( mrl@portcullis-security.com )

URL .................... http://192.168.2.54
Processes .............. 8
Directory name file .... directory-names.txt
Query timeout .......... 20 secs
HTTP Method ............ HEAD
Max Queries / sec ...... unlimited
Trailing slash ......... On
Recursive dir search ... On
Close connections ...... Off
Follow redirects ....... Off
Case sensistive dirs ... On
Auto-ignore ............ On

######## Scan started on Fri Mar 28 16:21:25 2008 #########
icons 200
test 200
images 200
cgi-bin 403
doc 403
test/include 200
test/www 403
######## Scan completed on Fri Mar 28 16:21:29 2008 #########
7 results.

5648 queries in 4 seconds (1412 queries / sec)

Guessing file names

Sometimes during a test you need to search every directory on a web server for a particular file. Perhaps you've just uploaded a file through the web application but don't know where it's being stored on the server, or you've researched the web server you're testing and found that 'password.properties' is a really important file if you can download it.

Supply the list of known directory names (taken from your directory-guessing attack) with -k, and a list of file names with -f:

$ http-dir-enum.pl -k dirs.txt -f files.txt http://192.168.2.54
Starting http-dir-enum v0.4.3 ( https://labs.portcullis.co.uk/application/http-dir-enum/ )
Copyright (C) 2006 Mark Lowe ( mrl@portcullis-security.com )

######## Scan started on Fri Mar 28 16:35:48 2008 #########
[I] Processing directory: cgi-bin (6 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/cgi-bin
cgi-bin/test.cgi 200
[I] Processing directory: icons (6 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/icons
[I] Processing directory: test (5 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/test
[I] Processing directory: images (4 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://192.168.2.54/images
[I] Processing directory: doc (3 dirs remaining)
[I] Auto-ignoring HTTP code 403 for http://192.168.2.54/doc
[I] Processing directory: test/include (2 dirs remaining)
[I] Auto-ignoring HTTP code 200 for http://192.168.2.54/test/include
[I] Processing directory: test/www (1 dirs remaining)
[I] Auto-ignoring HTTP code 403 for http://192.168.2.54/test/www
[I] Processing directory: cgi-bin/test.cgi (0 dirs remaining)
[I] Auto-ignoring HTTP code 200 for http://192.168.2.54/cgi-bin/test.cgi
######## Scan completed on Fri Mar 28 16:35:50 2008 #########
1 results.

1688 queries in 2 seconds (844 queries / sec)
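The following is an added example, written in Python rather than the tool's Perl and not taken from http-dir-enum's source, that models the behaviour described in the two sections above: per-directory auto-ignore detection (-a 1), recursive descent into every directory found (-r 1), case-insensitive guessing (-S 0), a crude client-side rate limit (-l n), and file guessing inside a list of known directories (-k). The "server" is a constructed in-memory table whose missing-path codes differ per directory (404 at the root, 403 under doc and test/www, 200 under test/include) to mirror the sample output; no requests leave the machine. The names FAKE_SITE, MISSING_CODE, DIR_WORDS, FILE_WORDS and all functions are this example's own.

```python
import random
import time
from collections import Counter

# Constructed in-memory "web server": path -> status code. Anything not
# listed gets its directory's own "missing" code, which is deliberately
# different per directory to exercise auto-ignore.
FAKE_SITE = {
    "/cgi-bin/": 403, "/doc/": 403, "/icons/": 200, "/test/": 200,
    "/images/": 200, "/test/include/": 200, "/test/www/": 403,
    "/cgi-bin/test.cgi": 200,
}
MISSING_CODE = {"/doc/": 403, "/test/www/": 403, "/test/include/": 200}

DIR_WORDS = ["admin", "cgi-bin", "doc", "icons", "images",
             "include", "test", "www", "Include"]                # constructed -f list
FILE_WORDS = ["test.cgi", "index.html", "password.properties"]  # constructed -f list


def parent_of(path):
    """'/test/include/' -> '/test/', '/doc/x.txt' -> '/doc/'."""
    p = path.rstrip("/")
    return p[: p.rfind("/") + 1]


def fake_head(path):
    """Stand-in for an HTTP HEAD request; returns only a status code."""
    if path in FAKE_SITE:
        return FAKE_SITE[path]
    return MISSING_CODE.get(parent_of(path), 404)


def auto_ignore(base, rng=random, probes=3):
    """Request a few names that cannot exist and return the code the server
    uses for 'not here' under `base` (what -a 1 does). If the probes do not
    agree, return None so nothing is ignored and everything is reported."""
    codes = Counter()
    for _ in range(probes):
        name = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
        codes[fake_head(base + name + "/")] += 1
    code, hits = codes.most_common(1)[0]
    return code if hits * 2 > probes else None


def enumerate_dirs(words, recursive=True, case_sensitive=True, per_second=None):
    """Directory guessing: breadth-first over every directory found, each
    with its own auto-ignore code. Returns (found, number_of_guesses)."""
    if not case_sensitive:                  # -S 0: guess each name once, lowercased
        words = sorted({w.lower() for w in words})
    found, queue, queries = [], ["/"], 0
    min_gap = 1.0 / per_second if per_second else 0.0   # -l n
    last = 0.0
    while queue:
        base = queue.pop(0)
        ignore = auto_ignore(base)
        for word in words:
            if min_gap:                     # never exceed per_second guesses
                time.sleep(max(0.0, last + min_gap - time.monotonic()))
                last = time.monotonic()
            path = base + word + "/"
            queries += 1
            code = fake_head(path)
            if code == ignore:
                continue
            found.append((path, code))
            if recursive:                   # -r 1: descend into every hit
                queue.append(path)
    return found, queries


def enumerate_files(known_dirs, files):
    """File guessing with -k: try every file name inside every known
    directory, again comparing against that directory's own ignore code."""
    found = []
    for d in known_dirs:
        base = "/" + d.strip("/") + "/" if d.strip("/") else "/"
        ignore = auto_ignore(base)
        for f in files:
            code = fake_head(base + f)
            if code != ignore:
                found.append((base + f, code))
    return found


if __name__ == "__main__":
    dirs, n = enumerate_dirs(DIR_WORDS)
    for path, code in dirs:
        print(path, code)
    print(f"{len(dirs)} results, {n} guesses")
    print(enumerate_files([p for p, _ in dirs], FILE_WORDS))
```

Running it reports the same seven directories as the sample scan and then finds only cgi-bin/test.cgi in file mode. Note the trap visible in enumerate_files: because test/include answers 200 to everything, a real file placed there is invisible to this comparison, which is exactly why the ignore code chosen for each directory is worth reading in the [I] lines.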

Apache username guessing

Apache servers with the UserDir directive enabled disclose which local accounts exist: a request for /~user/ is answered differently depending on whether that user (and its home directory) exists. http-dir-enum can enumerate this. First create a dictionary file with one ~username per line:

~root
~bin
~listen
~adm
...

Then run http-dir-enum with your dictionary file:

$ http-dir-enum.pl -f apache-tilda-usernames.txt http://localhost
Starting http-dir-enum v0.4.3 ( https://labs.portcullis.co.uk/application/http-dir-enum/ )
Copyright (C) 2006 Mark Lowe ( mrl@portcullis-security.com )

######## Scan started on Mon Mar 31 12:51:25 2008 #########
[I] Processing directory: / (0 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://localhost
~adm 403
~apache 403
~bin 403
~cron 403
~daemon 403
~ftp 403
~games 403
~halt 403
~ldap 403
~lp 403
...

Each user that exists on the system should show up with a 403 response code (the user's home directory exists, but you aren't allowed to browse it), while names that don't exist get the auto-ignored 404. The exact codes depend on the server's configuration and filesystem permissions, so check which code auto-ignore settled on before reading the results.
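Two small helpers for the procedure above, added here as an example and not part of http-dir-enum: one builds the ~user dictionary from a passwd-style account list, the other reads a scan's output back into the accounts that were confirmed and what each code implies. The passwd lines and scan output are constructed for the example; the function names are this example's own.

```python
import re

# Constructed /etc/passwd-style input (for example the default accounts of
# the distribution you believe the target runs).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
jsmith:x:1000:1000:J Smith:/home/jsmith:/bin/bash
"""

# Constructed http-dir-enum output for a run with that wordlist.
SCAN_OUTPUT = """\
[I] Processing directory: / (0 dirs remaining)
[I] Auto-ignoring HTTP code 404 for http://localhost
~adm 403
~apache 403
~bin 403
~jsmith 200
"""

# A result line is "~name code"; [I] info lines and the banner don't match.
RESULT_LINE = re.compile(r"^~(?P<user>[^\s/]+)\s+(?P<code>\d{3})$")


def tilde_wordlist(passwd_text):
    """One '~user' per line, in passwd order, duplicates and comments dropped."""
    seen, out = set(), []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user = line.split(":", 1)[0]
        if user not in seen:
            seen.add(user)
            out.append("~" + user)
    return out


def users_from_scan(output_text):
    """Map each reported ~user back to an account name and what its code
    suggests: 403 = home directory exists but is not browsable; 200 = the
    user's web directory is being served. Other codes are just reported."""
    meaning = {403: "exists, not browsable", 200: "exists, content served"}
    users = {}
    for line in output_text.splitlines():
        m = RESULT_LINE.match(line.strip())
        if m:
            code = int(m.group("code"))
            users[m.group("user")] = meaning.get(code, f"reported (HTTP {code})")
    return users


if __name__ == "__main__":
    print("\n".join(tilde_wordlist(PASSWD_SAMPLE)))   # feed this to -f
    for user, what in users_from_scan(SCAN_OUTPUT).items():
        print(f"{user}: {what}")
```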

Using HTTPS

http-dir-enum is built on LWP, so it can talk HTTPS as long as LWP's SSL support (Crypt::SSLeay or IO::Socket::SSL) is installed. Simply specify an HTTPS URL:

$ http-dir-enum.pl -f dict.txt https://192.168.2.54

Non-standard TCP ports

Simply put the port number in the URL as you would in a browser:

$ http-dir-enum.pl -f dict.txt http://192.168.2.54:8000

Using a proxy

Use the -P option to specify the URL for your proxy:

$ http-dir-enum.pl -P http://myproxy:3128 -f dict.txt http://192.168.2.54

Using Basic Authentication

You can specify Basic Auth credentials on the command line. Bear in mind that arguments given this way are visible to other local users in process listings and end up in your shell history:

$ http-dir-enum.pl -u user -p pass -f dict.txt http://192.168.2.54

The latest version of the code is maintained on GitHub. Older versions are available below (the MD5 hashes detect a corrupted download, not a tampered one).

http-dir-enum-0.4.3 tarball, 60.0 KiB, MD5: df76eb7fd9d34d1698c0b1fbe8fa6f62
http-dir-enum-0.4.2 tarball, 61.1 KiB, MD5: c2c46b540666bd433cc8cd416222a9f3
