How to use Dirhunt? OSINT RECON
If you are trying to gather information from a website, it is important to not only look at what is visible to the everyday user. Information gathering involves also looking and searching for hidden files. Hidden files do not necessarily mean they are purposely hidden, this could also just mean that someone forgot to take those files offline and left them publicly available on accident.
The dirhunt tool is specifically made to search and analyze directories and folders within a web application. Although it may seem like dirhunt uses brute force attacks, it does not. Dirhunt works by checking robots.txt, VirusTotal, Google, CommonCrawl & SSL Certificates. But neither is it just a crawler. This tool is faster than others because it minimizes requests to the server. Generally, this tool takes between 5-30 seconds, depending on the website and the server.
| Option | Example | Description |
|---|---|---|
| –threads {INTEGER} | $ dirhunt https://facebook.com –threads 10 | Number of threads to use. |
| –exclude-flags {TEXT} | $ dirhunt https://facebook.com –exclude-flags http,not_found,418 | Exclude results with these flags. |
| –include-flags {TEXT} | $ dirhunt https://facebook.com -include-flags https,443 | Only include results with these flags. |
| –interesting-extensions {TEXT} | $ dirhunt https://facebook.com –interesting-extensions zip,sh | Include files with interesting extensions. |
| –interesting-files {TEXT} | $ dirhunt https://facebook.com –interesting-files passwords,password | Include files with interesting files. |
| –stdout-flags {TEXT} | $ dirhunt https://facebook.com –stdout-flags html > directories.txt | Return only in stdout the urls of these flags. |
| –progress-enabled | $ dirhunt https://facebook.com –progress-enabled | Process bar is enabled by default. |
| –progress-disabled | $ dirhunt https://facebook.com –progress-disabled | If progress bar causes issues, disable it with this option. |
| –timeout {INTEGER} | $ dirhunt https://facebook.com –timeout 20 | Change time between each URL query. |
| –max-depth {INTEGER} | $ dirhunt http://facebook.com –max-depth 5 | Maximum links to follow without increasing directories depth. |
| –not-follow-subdomains | $ dirhunt https://facebook.com –not-follow-subdomains | The subdomains will be ignored. |
| –exclude-sources {TEXT} | $ dirhunt https://facebook.com –exclude-sources google,virustotal | Exclude source engines. Possible options: Google, robots.txt, Virustotal. |
| –proxies {TEXT} | $ dirhunt <url> –proxies <proxy> | Set one or more proxies to alternate between them. |
| –delay {FLOAT} | $ dirhunt http://facebook.com –delay 0.1 | Delay between requests to avoid bans by the server. |
| –not-allow-redirects | $ dirhunt https://facebook.com –not-allow-redirects | Redirectors will not be followed |
| –limit {INTEGER} | $ dirhunt https://facebook.com –limit 2000 | Max number of pages processed to search for directories |
| –to-file {PATH} | $ dirhunt https://facebook.com –to-file file.json | Create a report file in JSON |
| –user-agent {TEXT} | $ dirhunt https://facebook.com –user-agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) | User agent to use. By default a random browser. |
| –cookie {TEXT} | $ dirhunt https://facebook.com –cookie Set-Cookie: mykey=myvalue | Add a cookie to requests in the cookie_name: value format. |
| –header {TEXT} | $ dirhunt https://fcscout.com –header Content-Type: text/html | Add a header to requests in the header:value format. |
| –version | $ dirhunt –version | Get dirhunt current installed version. |
| –help | $ dirhunt –hel | Show this message and exit. |
Dirhunt –threads Option
The Dirhunt tool makes multiple simultaneous requests using threads by default. The default number of threads is cpu count * 5. To change the thread count, use –threads {INTEGER}. Or -x.
NOTE: If you use the –delay option, the simultaneous requests mode is disabled and the number of threads by default is number of proxies.
NOTE: If you do not use proxies in –delay mode, the default threads number is 1.
Dirhunt –threads Syntax
$ dirhunt <url> --threads <flags comma separated values>Dirhunt –threads Example
$ dirhunt https://facebook.com --threads 10
Dirhunt –exclude-flags Option
The –exclude-flags will filter the results to exclude specific flags. To exclude flags in a query, use –exclude-flags with comma separated values. Or the -x option.
Dirhunt –exclude-flags Syntax
$ dirhunt <url> --threads <flags comma separated values>Dirhunt –exclude-flags Example
$ dirhunt https://facebook.com --exclude-flags http,not_found,418
Dirhunt –include-flags Option
The –include-flags will filter the results to only include results with the flags specified. To filter the flags in a query, use –include-flags with comma separated values. Or the -i option.
Dirhunt –include-flags Syntax
$ dirhunt <url> --include-flags <flags comma separated values>Dirhunt –include-flags Example
$ dirhunt https://facebook.com -include-flags https,443
Dirhunt –interesting-extensions Option
The –interesting-extensions will filter the results to only include the files found with the extension names specified. By default, dirhunt shows php, zip, sh, asp, csv and log. To filter the output to specific extensions in a query, use –interesting-extensions with comma separated values. Or the -e option.
Dirhunt –interesting-extensions Syntax
$ dirhunt <url> -interesting-extensions <extension>,<extension>Dirhunt –interesting-extensions Example
$ dirhunt https://facebook.com --interesting-extensions zip,sh
Dirhunt –interesting-files Option
The –interesting-files will filter the results warn you if it found a file with a specific name. By default, dirhunt warns you of the access_log, error_log, error, logs, dump files. To get notified of specific file names, use –interesting-files with comma separated values. Or the -f option.
Dirhunt –interesting-files Syntax
$ dirhunt <url> --interesting-files <file-name>,<file-name>Dirhunt –interesting-files Example
$ dirhunt https://facebook.com --interesting-files passwords,passwordDirhunt –interesting-files Example
$ dirhunt https://facebook.com --interesting-files /Desktop/file-names.txt
Dirhunt –stdout-flags Option
The –stdout-flags can define the type of results that will be returned using flags:
Dirhunt –stdout-flags Syntax
$ dirhunt <url> --stdout-flags <file> > <file-name>Dirhunt –stdout-flags Example
$ dirhunt https://facebook.com --stdout-flags html > directories.txt
Dirhunt –progress-disabled & –progress-enabled Option
Dirhunt displays a progress bar while loading results by default. If there are issues or errors during a query, diabling the progress bar might help. You can manually disable it using –progress-disabled.
Dirhunt –progress-disabled Syntax
$ dirhunt <url> --progress-disabledDirhunt –progress-disabled Example
$ dirhunt https://facebook.com --progress-disabled
Dirhunt –max-depth Option
The default link depth in dirhunt is 3. For example in redirects /index.html > /page1.html > /page2.html > /page3.html. The following page “/page4.html” will now query at the same directory level because it has exceeded the default limit of 3. To change the max depth, use –max-depth.
Dirhunt –max-depth Syntax
$ dirhunt <url> --max-depth <number>Dirhunt –max-depth Example
$ dirhunt http://facebook.com --max-depth 5
Dirhunt –not-follow-subdomains Option
Dirhunt will follow all the subdomains of the domain urls by default. If your searching the domain facebook.com, it will also traverse all other subdomains of facebook.com such as mail.facebook.com, web.facebook.com, mobile.facebook.com, and more. To disable subdomain searching, use the –not-follow-subdomains option.
Dirhunt –not-follow-subdomains Syntax
$ dirhunt <url> --not-follow-subdomainsDirhunt –not-follow-subdomains Example
$ dirhunt https://facebook.com --not-follow-subdomains
Dirhunt –exclude-sources Option
The feedback you receive from dirhunt will be retrieved from various sources such as Google, VirusTotal, and robots.txt. If you want to exclude a specific search option from running during scan, you can use the –exclude-sources option.
Dirhunt –exclude-sources Syntax
$ dirhunt <url> --exclude-sources <sources comma separated values>Dirhunt –exclude-sources Example
$ dirhunt https://facebook.com --exclude-sources google,virustotal
Dirhunt –proxies Option
Dirhunt allows you to use one proxy, multiple proxies, or multiple alternating proxies.
Dirhunt Single Proxy –proxies Syntax
$ dirhunt <url> --proxies <proxy 1>Dirhunt Multiple Proxy –proxies Syntax
$ dirhunt <url> --proxies <proxy 1>, <proxy 2>Dirhunt Tor Alias –proxies Syntax
$ dirhunt <url> --proxies <proxy 1>, <proxy 2>Dirhunt Random Proxy with proxydb –proxies Syntax
$ dirhunt https://facebook.com --proxies randomDirhunt Multiple Random Proxies with proxydb –proxies Syntax
$ dirhunt https://facebook.com --proxies random*4
Dirhunt –delay Option
Dirhunt has the delay option turned off by default. The delay option does not allow simultaneous requests, therefore creating a waiting time from the end of a request and the next one begins. This mode is best used if the server is restricting requests.
Dirhunt –delay Syntax
$ dirhunt <url> --delay <float>Dirhunt –delay Example
$ dirhunt http://facebook.com --delay 0.1
Dirhunt –not-allow-redirects Option
URL redirection, also known as URL forwarding, is a technique to give more than one URL address to a page, a form, or a whole Web site/application. HTTP has a special kind of response, called a HTTP redirect, for this operation. By using –not-allow-redirects, redirectors will not be followed.
Dirhunt –not-allow-redirects Syntax
$ dirhunt <url> --not-allow-redirectsDirhunt –not-allow-redirects Example
$ dirhunt https://facebook.com --not-allow-redirects
Dirhunt –limit Option
Similar to –delay, there is –limit that allows you to change the maximum number of pages queried to find links. Link traversal is the process in how dirhunt finds directories. By default, dirhunt queries 1000 pages. To change the number of pages you want dirhunt to go through, use –limit. If you want dirhunt to go through unlimited pages, use –limit 0.
Dirhunt –limit Syntax
$ dirhunt <url> --limit <number>Dirhunt –limit Example
$ dirhunt https://facebook.com --limit 2000
Dirhunt –to-file Option
Dirhunt allows you to create a JSON file with your results using the –to-file option.
Dirhunt –to-file Syntax
$ dirhunt <url> --to-file <.json file>Dirhunt –to-file Example
$ dirhunt https://facebook.com --to-file file.json
Dirhunt –user-agent Option
Dirhunt allows you to change the user agent to use by using the –user-agent. By default a random browser.
Dirhunt –user-agent Syntax
$ dirhunt <url> --user-agentDirhunt –user-agent Example
$ dirhunt https://facebook.com --user-agent Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Dirhunt –cookie Option
Dirhunt allows you to add a custom cookie such as session cookie alteration to your query using the –cookie option. An example of a session cookie is a shopping cart on most e-commerce or online shopping websites. It stores the products the user has added to their cart. So when the user opens a new page, the products remain in the cart. Without session cookies, a user wouldn’t be able to add multiple items to their cart. Also, the new pages would not recognize a user’s past activities and their cart would always be empty. It is important to note that session cookies are not tracking cookies.
Dirhunt –cookie Syntax
$ dirhunt <url> --cookie <Cookie name>:<Cookie value>Dirhunt –cookie Example
$ dirhunt https://facebook.com --cookie Set-Cookie: mykey=myvalue
Dirhunt –header Option
Dirhunt allows you to add custom HTTP headers to requests by using the --header parameter. HTTP headers are the core part of these HTTP requests and responses, and they carry information about the client browser, the requested page, the server, and more.
Dirhunt –header Syntax
$ dirhunt <url> --header <Field name>:<Field value>Dirhunt –header Example
$ dirhunt https://fcscout.com --header Content-Type: text/html
Dirhunt –version Option
To view the Dirhunt installed version on your asset use the –version option.
Dirhunt –version Syntax
$ dirhunt --versionDirhunt –help Option
To view the Dirhunt options use –help
Dirhunt –help Syntax
$ dirhunt --helpDisclaimer
The examples above use the facebook.com domain. As of this writing, Facebook (Meta) has an open bug bounty program, which makes it available for scanning for security researching purposes. Although dirhunt does not actively bruteforce directories, it is important to check to make sure no other commands are ran against this domain if not in a public bounty program. Please visit this link to make sure the Facebook program is still open before attempting any other commands.
