How to Directory Brute Force Properly

Подписаться 133 тыс.

Просмотров 28 тыс.

50% 1

Purchase my Bug Bounty Course here 👉🏼 bugbounty.nahamsec.training
Buy Me Coffee:
www.buymeacoffee.com/nahamsec
Live Every Sunday on Twitch:
/ nahamsec
Free $100 DigitalOcean Credit:
m.do.co/c/3236319b9d0b
Follow me on social media:
/ nahamsec
/ nahamsec
twitch.com/nahamsec
hackerone.com/nahamsec
/ nahamsec1
Github:
github.com/nahamsec
Nahamsec's Discord:
discordapp.com/invite/ucCz7uh
00:00 - Intro
00:51 - Brute forcing explained
03:00 - Wordlists
06:00 - Hands-on example
09:05 - My Approach
11:00 - Outro
#offensivesecurity #redteam #bugbounty #hackerone #hackers #hacking #infosec #hackingtutorial #owasp #educational

Наука

Опубликовано:

6 июл 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 82

@crusader_ Год назад

The titles are getting better Ben. Makes you wanna click the video. And the best part is you're not clickbaited.

@NahamSec Год назад

Thanks. I’m trying to walk a fine line with what I put on titles and thumbnails!

@AshleyEhSMR Год назад

I agree, because it’s very rare I will watch a video under 20 mins and clicked when I saw it. 🎉

@rajasekharreddy7977 Год назад

Thanks man. Great video. Looking forward for the video for making custom wordlists.

@crusader_ Год назад

Loving this series

@aow6813 Год назад

Thanks ! We love you man keep up the good work

@CodeAcademia00 Год назад

Keep going brother , that's amazing 🙏

@rahmat_qurishi Год назад

Great as usual♥️

@MFoster392 Год назад

Another great video

@sveneFX Год назад

Hey Ben, thanks for sharing your knowledge! I would love to see approaches for custom wordlists, keep up the good work 👍

@NahamSec Год назад

I'll see what I can come up with :)

@Hari-888 Год назад

thank you, this was super helpful

@websuraksha1600 Год назад

your content is excellent. you really do work hard for us. hey ben please make a video on how to create own wordlist.

@juliusrowe9374 Год назад

Ben, super dope content! Can you do a video on how to create and maintain a decent word list and the tricks ( Do's and Don'ts) and your recommendations?

@NahamSec Год назад

I got you! Give me a few weeks.

@thuglife896 Год назад

Good presentation, and explains details that other hacking channels don't 👍

@eligoldiner Год назад

great, thanks! how would you approach a targets list of several subdomains?

@HackerJi01 Год назад

It's awesome sir ...🔥🔥

@rezafadaei8388 Год назад

Thank you so much! Can you please also make a video of how to make custom world list based of the webapplication? What regex's are your favourite in that matter?

@mohamedalfadile6838 Год назад

it's highly important way many thanks 😍😍

@TCMSecurityAcademy Год назад

FFUF is OP and so are you.

@NahamSec Год назад

💪🏼💪🏼 thanks homie!

@eldanicarvajal Год назад

What do you think about feroxbuster?

@shashankmudgal4581 Год назад

Please make a dedicated video on how to make your own target specefic wordlist.

@user-fp7fs9xl2t 3 месяца назад

Thanks Man ...

@saminbinhumayun858 3 месяца назад

If there is scope given in bb program do we need to do directory bruteforcing?

@Hari-888 Год назад

Also, you mentioned that I should do dir bruteforcing in the cloud. how exactly would I do that ? edit... Never mind, I saw on another video of yours that you mentioned running things on digitalocean.

@nafizimtiaz9367 Год назад

thanks Ben. it was awesome and fun to learn things which i did in wrong. actually i came from CFT''s to web security penetration testing. A question! How long do you think i should spend on a program . and i am quite beginner in security.

@jaywandery9269 8 месяцев назад

iam at the same exact level. Iam curious to understand how this is taking you so far

@OneMinExplains Год назад

Thanks You!!!

@hashmatrixuniverse5203 Год назад

You have youtube channel

@guccifer_3.0 Год назад

feroxbuster is my favorite 🙂

@abhinavkumar8052 Год назад

exactly what I want. Thanks And yes make a video on how to make a custom wordlist

@NahamSec Год назад

I got you! Give me a few weeks.

@sourabhekka Год назад

@@NahamSec Request you to make video on " How to create/make custom wordlist based on the target?"

@antnio773 Год назад

dirsearch combined with ffuf (for files as it is more easily manageable)

@firosiam7786 Год назад

Could u do a series on web hacking or smthg like that

@swoodby09 Год назад

@NahamSec are you doing your recon from the cloud / vps or local?

@NahamSec Год назад

VPS using digital ocean. Check out the video description for some free goodies :)

@techhacker7711 Год назад

Op bro

@cadetpriyanshu6987 Год назад

I like dirsearch ❤

@umarfarooq9950 Год назад

FFUF because easy to use and automate and fast !

@vladiaveryanov610 Год назад

What is your approach if after 10 attempts you get banned by IP? Or what do you do if you generate so much traffic on the target and you need to slow down the requests per second?

@Pwnedby Год назад

You can lower the threads and use a proxy list

@Budokid 2 месяца назад

I noticed in your ffuf command you don’t looked for a status of 500. Is that something you ever look for situationally? Sometimes I find that if you hit a route that is expecting certain parameters but they are missing from the request some applications will give you 500 errors

@singing_dev Год назад

I use gobuster and dirbuster

@laurent9255 Год назад

I found an open redirect this way . There was an endpoint like "app-login" i tried to fuzz the part after the dash "login" and found "logout". Then i fuzzed for hidden parameters on this endpoint and found "redirect" wich was vulnerable to open redirect.

@hackersguild8445 Год назад

did you try for xss on that redirect parameter?

@laurent9255 Год назад

@@hackersguild8445 Yes but i failed :(

@mtech1935 Год назад

Thanks ben for the great content♥️ but the video quality is so low I have set 1080p but thw quality is very poor in case of showing any text in the video those texts are a bit blurry

@NahamSec Год назад

I’m not experiencing that. Everything is shot in 1080 or higher.

@dibens Год назад

@@NahamSec The part where you show SecLists github is in low resolution. Everything else looks good.

@mtech1935 Год назад

@nahamsec the other part is really fine but when you show some texts like you were mentioning about the seclist part it was not in good quality

@user-we9vc3xe3t 5 месяцев назад

Is it okay to do directory brute forcing to find assets?

@NahamSec 5 месяцев назад

Yes, but make sure you aren't sending too many requests and contextualizing your brute force.

@attackermail 8 месяцев назад

you could have added -recursive in it

@brainless_bin9414 Год назад

Wfuzz and ffuf i do prefer 🔥

@NahamSec Год назад

Love ffuf!

@techofch Год назад

with using FFUF :)

@chiragartani Год назад

Thank you! Could you please create a video about How to write a bash script for fuzzing directory on all the subdomains we got with ffuf?

@NahamSec Год назад

hmm. Maybe!

@dareenoch6880 Год назад

I got one working one

@chiragartani Год назад

@@dareenoch6880 could you share please

@ashleypursell9702 Год назад

ooft the one-app thing is a good tip thanks for this

@fa7han748 Год назад

17590 req/sec how????? :") my vps dont go to even 1000 req

@abdullahbhatti9730 Год назад

How to Brute Force in the Cloud?

@Hari-888 Год назад

He means using a vps like digitalocean I believe

@cguzmanvisuals Год назад

Personally, I prefer FFUF

@M0M3NTUM33 Год назад

Axiom... do yourself a favor... look it up

@1734-Jason 7 месяцев назад

It dosnt work these days servers just permanently block you

@DevCucr Год назад

Next game pasword cracking

@neon_Nomad Год назад

This is way too prescient

@obfuscated9943 Год назад

I like gobuster and dirsearch

@NahamSec Год назад

Dirsearch is ❤️

@msalih Год назад

I just realized that we can use ffuf instead dirsearch. For Example domains.txt wordlist.txt extensions.txt ffuf -w domains.txt:D -w wordlist.txt:F -w extensions.txt:E -u D/F.E