I was working on some automated tasks to include in my workflow and realized I wanted to use gobuster for launching dictionary-based enumeration on targets. I was currently using dirb for this but gobuster seems to be the faster tool to use. I fell behind on my scanning efforts during my last engagement and am trying to squeeze more juice from the time I’m being given.
Run it with something like:
./gobuster_recurse.sh http://www.target.com /path/to/wordlist.txt 5
You can also find this in my Gists on GitHub at https://gist.github.com/ryan-wendel/b2c0545b3b76e86ff1afac5e1849dafe
The entire script…
#!/bin/bash
# Recursively run gobuster against a target, descending into each hit up to <levels> deep.

TARGET="$1"
WORDLIST="$2"
LEVELS="$3"
TMP_FILE_PREFIX="/tmp/gobuster_$$"
USER_AGENT='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
BACKUP_WORDLIST="/usr/local/wordlists/custom/rw-common-dirs.txt"
RESPONSE_CODES="200,301,307,401,403"
THREADS="10"

print_help() {
    echo "Usage: $(basename "$0") <url> <wordlist> <levels>"
}

if [ -z "$TARGET" ]; then
    echo "Error: Provide me with a URL"
    echo
    print_help
    exit 1
fi

if [ -z "$WORDLIST" ]; then
    echo "Error: You did not provide me with a wordlist."
    echo
    # Fall back to the backup wordlist and keep going instead of exiting.
    WORDLIST="${BACKUP_WORDLIST}"
    echo "Using ${WORDLIST}, instead."
fi

if [ ! -e "$WORDLIST" ]; then
    echo "Error: Wordlist file doesn't exist."
    echo
    print_help
    # Stop here: gobuster cannot run without a wordlist.
    exit 3
fi

if [ -z "$LEVELS" ]; then
    echo "Error: Provide me with a number of levels to recurse"
    echo
    print_help
    exit 4
elif [[ ! "$LEVELS" =~ ^[0-9]+$ ]]; then
    echo "Error: Provide me with an integer"
    echo
    print_help
    exit 5
fi

# Scan one URL, then recurse into every hit until LEVELS is reached.
run_gobuster() {
    local TARGET="$1"
    local LEVEL="$2"
    local NEXT_LEVEL=$((LEVEL + 1))

    #echo "[-] Level = $LEVEL"
    #echo "[+] Busting $TARGET"
    if [ "${LEVEL}" -lt "${LEVELS}" ]; then
        # -f append a slash, -q quiet, -e print full URLs, -k skip TLS verification, -r follow redirects
        #echo gobuster -f -q -e -k -r -t ${THREADS} -m dir -w "${WORDLIST}" -s "${RESPONSE_CODES}" -u ${TARGET} -a "${USER_AGENT}"
        gobuster -f -q -e -k -r -t "${THREADS}" -m dir -w "${WORDLIST}" -s "${RESPONSE_CODES}" -u "${TARGET}" -a "${USER_AGENT}" \
            | grep 'http.*Status: [234]' \
            | sed 's/ (Status.*//' \
            | while read -r HIT; do
                echo "[+] Found $HIT"
                run_gobuster "${HIT}" "${NEXT_LEVEL}"
            done
    fi
}

# Only start scanning if the target answers with something other than a 5xx.
STATUS=$(curl -k -o /dev/null --silent --head --write-out '%{http_code}\n' "$TARGET")

if [ "$STATUS" -ge 100 ] && [ "$STATUS" -lt 500 ]; then
    echo "[+] Found $TARGET"
    run_gobuster "$TARGET" 0
fi
The plan is to use the output of this script and feed it into Chris Truncer’s EyeWitness. This will help me quickly get a feel for the web application surface-area I am working with while on engagements.
Something like:
./gobuster_recurse.sh http://192.168.0.115 /path/to/wordlist.txt 3 | grep Found | sed 's/.*http/http/' > /tmp/web_enum.tmp
python /usr/share/eyewitness/EyeWitness.py --no-prompt -f /tmp/web_enum.tmp --timeout 30 --threads 4 --web -d /tmp/project_foo/web/eyewitness/192.168.0.115
You can loop over your URL list and spit out that same command for each URL. Nice and easy way to perform a quick visual scan of a webapp.
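Seen from the server side, the scan this script runs has a recognizable shape in the access log: one client requesting many distinct paths, mostly answered with 404, while presenting the Googlebot User-Agent set in USER_AGENT. The following is an added example, not part of the original script; the combined log format, the thresholds, the function names and the sample lines are assumptions made for illustration:

```shell
#!/bin/bash
# Added example (not from the original post): flag clients in a combined-format
# access log whose traffic looks like wordlist-driven directory enumeration.
# Thresholds are assumptions; tune them against your own baseline.
MIN_PATHS="${MIN_PATHS:-8}"        # distinct paths requested by one client
MIN_404_PCT="${MIN_404_PCT:-60}"   # share of that client's requests answered 404

flag_enum_clients() {
    # Split on double quotes: $1 = client/date, $2 = request, $3 = status/size, $6 = User-Agent
    awk -F'"' -v min="$MIN_PATHS" -v pct="$MIN_404_PCT" '
        NF >= 6 {
            split($1, pre, " "); ip = pre[1]
            split($2, req, " "); path = req[2]
            split($3, res, " "); status = res[1]
            total[ip]++
            if (status == 404) missed[ip]++
            if (!seen[ip SUBSEP path]++) paths[ip]++
            if ($6 ~ /Googlebot/) bot[ip] = 1
        }
        END {
            for (ip in total) {
                ratio = int(100 * missed[ip] / total[ip])
                if (paths[ip] < min || ratio < pct) continue
                printf "%s requests=%d distinct_paths=%d 404_pct=%d %s\n",
                    ip, total[ip], paths[ip], ratio, (bot[ip] ? "claims-googlebot" : "-")
            }
        }' "$@"
}

# Constructed sample log: one client walking a wordlist, one ordinary browser.
sample_log() {
    local ua='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
    local word status
    for word in admin backup cgi-bin config images includes old private test tmp; do
        case "$word" in
            images) status=200 ;;
            admin)  status=403 ;;
            *)      status=404 ;;
        esac
        printf '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /%s/ HTTP/1.1" %s 153 "-" "%s"\n' \
            "$word" "$status" "$ua"
    done
    printf '198.51.100.20 - - [01/Jan/2024:10:00:05 +0000] "GET /%s HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"\n' \
        index.html about.html images/logo.png
}

sample_log | flag_enum_clients
```

Pass a real log file as an argument to flag_enum_clients, or pipe one in. A client flagged with claims-googlebot is worth checking against reverse DNS, since the User-Agent header alone proves nothing about who sent the request.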


