Recursive Content Discovery with feroxbuster
recontool
Summary
Recursively brute-forces web directories and files with feroxbuster, appending extensions to surface scripts, configs and other hidden content.
Walkthrough
feroxbuster recursively walks a web server, brute-forcing directories and files. Use -x to append extensions and -w to pick a wordlist.
Examples
- Discover PHP files from the web root:
``bash feroxbuster -u http://<IP> -x php ``
- Hunt for JavaScript under a specific path:
``bash feroxbuster -u http://<IP>/js -x js ``
- Broader sweep with a custom wordlist and multiple extensions:
``bash feroxbuster -u http://<IP> -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,config ``
To brute-force an API, add -m GET,POST to try both methods and -k to accept invalid TLS certificates, starting from the API base path (e.g. /nagiosxi/api).
Commands
bash
feroxbuster -u http://<IP> -x php
bash
feroxbuster -u http://<IP>/js -x js
bash
feroxbuster -u http://<IP> -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,config