> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/enumeration/hidden-directory/trick-0331.md).

# Directory Bruteforcing with Wordlist

***

Use directory bruteforcing with tools like `dirb` to discover hidden paths on a web server by systematically attempting requests from a wordlist. This technique helps uncover administrative panels, configuration files, or other sensitive directories not linked from the main site.

```bash
dirb http://santascookies.thm /usr/share/dirb/wordlists/common.txt
```

To scan for specific file extensions, such as `.php`, `.html`, or `.txt`, use the `-X` option. This narrows the search to files with those suffixes.

```bash
dirb http://example.com /usr/share/dirlists/common.txt -X .php,.html,.txt
```

By default, `dirb` scans recursively. To disable recursive scanning, use the `-r` option.

It is often useful to ignore specific HTTP status codes during the scan, such as `404 Not Found`, which indicates the resource was not found. This can be done with the `-N` option followed by the status code(s) to ignore.

```bash
dirb http://example.com /usr/share/dirb/wordlists/common.txt -X .php -r -N 404
```

To save the output of the scan to a file, use the `-o` option followed by the desired filename.

```bash
dirb http://example.com /usr/share/dirb/wordlists/common.txt -o output.txt
```

Additional options allow for further customization, such as setting the User-Agent header with `-a` or using a proxy with `-p`.

```bash
dirb http://<IP> /usr/share/dirb/wordlists/common.txt -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" -p http://127.0.0.1:8080
```

`dirb` is a Web Content Scanner that looks for existing (and hidden) Web Objects. It basically works as a wrapper to the CURL command, launching a dictionary-based attack against a web server to find existing paths.
