Monday, July 18, 2022

ZenBuster – Multi-threaded URL Enumeration/Brute-Forcing Tool




ZenBuster is a multi-threaded, multi-platform URL enumeration tool written in Python by Zach Griffin (@0xTas).

I wrote this tool as a way to deepen my familiarity with Python, and to help enhance my understanding of Cybersecurity tooling in general. ZenBuster may not be the fastest or most comprehensive tool of its kind. It is, however, simple to use, decently flexible, and in practice only marginally slower than other "tried-and-true" tools like Gobuster. Personally, I've been using it to help me solve CTF challenges on platforms like TryHackMe, and have found my implementation to be satisfactorily reliable.

This software is intended for use in CTF challenges, or by security professionals to gather information on their targets:

  • It is capable of brute-force enumerating subdomains and also URI resources (directories/files).
  • Both methods of enumeration require use of an appropriate wordlist or dictionary file.
  • Features Include:
    1. Hostname format supports standard, IPv4, and IPv6.
    2. Support for logging results to a file with -O [filename].
    3. Specifying custom ports for nonstandard webservers with -p <port#>.
    4. Optional file extensions in directory mode with -x <exts>.
    5. Quiet mode for less distracting output with -Q.
    6. Color can be disabled for less distracting output with -nc/-nl.
    7. Tested on Python versions 3.9 and 3.10, with theoretical support for versions >= 3.6

CAUTION/DISCLAIMER

ZenBuster is capable of producing a potentially unwelcome number of HTTP requests in a short amount of time.

The developers and contributors are not liable or responsible for any damage caused by misuse or abuse of this software.

Please Enumerate Responsibly!

License


ZenBuster is licensed under the GNU GPLv3 License, see here for more info.

Credits

Yin-Yang ASCII art in the banners was created by Joan G. Stark (jgs) and Hayley Jane Wakenshaw (hjw). Modifications were made by me, when specified with: 'zg'.

Installation

First, ensure that Python version >= 3.6 is installed, then clone the repository with:

git clone https://github.com/0xTas/zenbuster.git

Next, cd zenbuster.

Dependencies

ZenBuster relies on 3 external libraries to function, and it is recommended to install these with:

pip install -r requirements.txt

The modules that will be installed and their purposes are as follows:

  1. Python requests
    • The backbone of each enumeration request. Without this, the script will not function.
  2. termcolor
    • Enables colored terminal output. Non-critical, the script can still run without color if this is not present.
  3. colorama (Windows only)
    • Primes the Windows terminal to accept ANSI color codes (from Termcolor). Non-critical.

These dependencies may be installed manually, with pip using requirements.txt, or via interaction with the script upon first run.

Usage

Once dependencies have been installed, you can run the program in the following ways:

On Linux (+Mac?):

./zenbuster.py [options] or python3 zenbuster.py [options]

On Windows:

python zenbuster.py [options]

[Options]

Short Flag       Long Flag      Purpose
-h               --help         Displays the help screen and exits
-d               --dirs         Enables Directory Enumeration Mode
-s               --ssl          Forces usage of HTTPS in requests
-v               --verbose      Prints verbose info to terminal/log
-q               --quiet        Minimal terminal output until final results
-nc              --no-color     Disables colored terminal output
-nl              --no-lolcat    Disables lolcat-printed banner (Linux only)
-u <hostname>    --host         Host to target for the scan
-w <wordlist>    --wordlist     Path to wordlist/dictionary file
-x <exts>        --ext          Comma-separated list of file extensions (Dirs only)
-p <port#>       --port         Custom port option for nonstandard webservers
-o [filename]    --out-file     Log results to a file (accepts custom name/path)

Example Usage

./zenbuster.py -d -w /usr/share/wordlists/dirb/common.txt -u target.thm -v

python3 zenbuster.py -w ../subdomains.txt --host target.thm --ssl -O myResults.log

zenbuster -w subdomains.txt -u target.thm --quiet (With .bashrc alias)

Planned Features

  • Increased levels of optional verbosity.
  • Allow optional throttling of task thread-count.
  • Allow users to modify the list of ignored status codes.
  • Allow greater user control over various request headers.
  • Allow optional ignoring of responses based on content-length.
  • Expand subdomain enumeration to include OSINT methods instead of just brute-forcing.
  • Find a more comprehensive and source-readable solution to fancy colored output (possibly using rich).

Known Issues

  • Enumerating long endpoints may result in ugly terminal output due to line-wrapping on smaller console windows. Logging to a file is recommended, especially on Windows.
  • If the target host is a vHost on a shared webserver, enumeration via IP may not function as expected. Use the domain/hostname instead.


