[!] Legal disclaimer: Usage of this tool for scanning targets without prior mutual consent is illegal.
dirW4lker.js
dirw4lker is an asynchronous directories/files web-sites scanner.
Implemented directly on top of TCP, improving performance avoiding headers-stripping and getting a lot of chunks from websites containing a lot of content.
It works with HTTP and HTTPS protocols and it allows to find hidden files hosted on target url using a dictionary-list.
You can use this for CTFs or to test your web applications or to automate your own multiple hosts monitoring.
Pure written in NodeJs and without dependencies.
Install with npm
npm install -g dirw4lkeror
npm i dirw4lkerHowTo
dirW4lker can used as Command Line Tool and is really simple to use.
dirw4lker --host=<TARGET_URL> --listDir=<PATH_TO_DICTIONARY_LIST>You can omit the --listDir option to use the default list includes in this module.
The default list is not really effective, but will cover common used page names
Js API
const dirWalker = ; { const config = host: 'http://testphp.vulnweb.com/' ext: 'php,txt,xml' asyncRequests: true ; const result = await dirWalker; console; if resultfoundslength console; };More examples in examples folder.
Config Object
The method launch need a configuration object with the follow parameters:
| Param | Type | Description |
|---|---|---|
| host | String |
The receiver hostname. |
| [listDir] | String |
Path to the dictionary-file to use. |
| [list] | Array |
Array of strings to use instead opening local file. |
| [appendSlashAfter] | Boolean |
Append / character on first loop. Default as true. |
| [ext] | String/Array |
The extra extensions name to combine with the hostname. ex: 'php,txt' or '.php,.txt' |
| [dns] | String |
Used dns to resolve hostname. You can use multiple dns splitting with ,. (Ex: '8.8.8.8,8.8.4.4') THIS OPTION WILL BE IGNORED IF PROXY IS USED |
| [proxy] | String |
The used proxy. The form must be the follow (Ex: http://proxyIp:proxyPort). |
| [ignoreResponseWith] | String |
The string to ignore on response received. If response contains given parameter, then will be ignored. |
| [asyncRequests] | Boolean |
Starting attack in async way. As Default false. |
| [maxConcurrency] | Number |
The maximal number of sent parallel asynchronous requests (only if asyncRequests is true). As default 100. |
| [verbose] | Boolean |
Activate verbose. As default false. THIS OPTION WILL BE IGNORED ON CLI |
@returns
| Type | Description |
|---|---|
Promise<Array> |
The found results. {sent:Number, founds:[{target:host:port/foundPage, response:String, ms:Number}, ...]} |
CLI: Quickstart
npm install -g dirw4lkerdirw4lker --host=http://testphp.vulnweb.com --asyncRequestsOutput:
.___.__ __ __ _____ .__ __ __ __| _/|__|______/ \ / \/ | || | | | __ ___________ |__| ______ / __ | | \_ __ \ \/\/ / | || | | |/ // __ \_ __ \ | |/ ___// /_/ | | || | \/\ / ^ / |_| <\ ___/| | \/ | |\___ \ \____ | |__||__| \__/\ /\____ ||____/__|_ \\___ >__| /\/\__| /____ > \/ \/ |__| \/ \/ \/\______| \/ by Gr3p [!] Legal disclaimer: Usage of this tool Compared to sync way => Time: 13308.580ms
The CLI accept same parameters as API-Module.
Using proxy
It may happen to test a web application with the need to use a proxy to access it. For this reason, the ability to encapsulate requests behind a proxy has been implemented. It works with HTTP & HTTPS targets as well.
This mode can be used with proxies working with HTTP Tunnel mechanism.
- Example: using TOR as HTTP-Proxy
dirw4lker --host=http://example.com --proxy=http://127.0.0.1:9080[!] Proxy must be written like url.
Examples
You can use your own list with the option --listDir
dirw4lker --host=http://example.com --listDir=/tmp/directory.txtThe option --ext can used to combine the string on list with file-extensions. Use , for multiple extensions.
dirw4lker --host=http://example.com --ext=php,txt,htmldirW4lker will use your local-dns to resolve hostname as default. But you can change this with the option --dns.
Use , for multiple dns servers.
dirw4lker --host=http://example.com --listDir=/tmp/directory.txt --dns=8.8.8.8To ignore response with custom string, use the option --ignoreResponseWith=<stringToIgnore>
For example, ignoring all responses containing code 301.
dirw4lker --host=http://example.com --listDir=/tmp/directory.txt --ignoreResponseWith=301Special Thanks
Inspired by dirBuster.
Updates
Issues & Bug-Reports are welcome
- [2020.04] @1.8.x Add maxConcurrency to avoid problem on other platforms (ex: win10).
- [2020.03] @1.7.x Bug Fixing & Code Refactor.
- [2020.03] @1.7.x implemented
listoption to use custom array. - [2020.03] @1.6.4 Fixed problem using proxy to http-targets
- [2020.03] Moved repository to https://github.com/gr3p1p3/dirw4lker
- [2020.03] @1.6.x
--proxyoption works on https-Targets too. - [2020.03] @1.5.x
--proxyoption is now implemented. It will only work on http-Targets. - [2020.03] Improved a lot of performance.
- [2020.03] @1.4.4
--asyncRequestsoption is now stable. - [2020.03] @1.4.x Implemented
--asyncRequests: possibility to start a scan in an async way. - [2020.03] @1.3.x Implemented new option
--ignoreResponseWith. - [2020.02] @1.2.x Removed option
--limit. This will be ignored.