← Back to search

Recursive Content Discovery with feroxbuster

recontool

Summary

Recursively brute-forces web directories and files with feroxbuster, appending extensions to surface scripts, configs and other hidden content.

Walkthrough

feroxbuster recursively walks a web server, brute-forcing directories and files. Use -x to append extensions and -w to pick a wordlist.

Examples

  • Discover PHP files from the web root:

``bash feroxbuster -u http://<IP> -x php ``

  • Hunt for JavaScript under a specific path:

``bash feroxbuster -u http://<IP>/js -x js ``

  • Broader sweep with a custom wordlist and multiple extensions:

``bash feroxbuster -u http://<IP> -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,config ``

To brute-force an API, add -m GET,POST to try both methods and -k to accept invalid TLS certificates, starting from the API base path (e.g. /nagiosxi/api).

Commands

bash

feroxbuster -u http://<IP> -x php

bash

feroxbuster -u http://<IP>/js -x js

bash

feroxbuster -u http://<IP> -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,config