Jul 11, 2019
Introducing Rustbuster — A Comprehensive Web Fuzzer and Content Discovery Tool
I decided to learn The Rust Programming Language and I ended up writing Rustbuster, yet another web fuzzer and content discovery tool™, one that brings together the main features of DirBuster, Gobuster, wfuzz, Patator's http_fuzz and IIS Short Name Scanner.
Motivation
Rust is an amazing systems programming language. It features powerful and innovative ideas to provide what I like to define as a higher low level language.
The best aspects are:
- it's compiled: its toolchain is based on LLVM
- it's strongly typed: everything is strongly typed, which by default provides a powerful linter and autocompletion tool
- it's very fast: check some benchmarks versus Go
- it's safe: Rust is safe! ..or explicitly unsafe :)
- it has no runtime: by design, Rust doesn't depend on any runtime
- it has no garbage collector: the innovative ownership concept makes it possible to do without a garbage collector while not having the responsibility of manually managing memory allocations on the heap
If you are interested in learning the language, check out The Rust Programming Language book.
Rustbuster
Rustbuster was started as a Rust playground project with @ps1dr3x with the goal of reimplementing a DirBuster equivalent. It ended up becoming a collection of modules useful in different situations. Having a single executable suitable for the most common web fuzzing tasks is very handy. At the time of writing, there are five modules available: dir, dns, vhost, fuzz and tilde.
| Features Matrix | Directories and Files | A/AAAA DNS Entries | Vhost Enumeration | Custom Fuzzing | 8.3 Short Names |
|---|---|---|---|---|---|
| DirBuster | ✓ | ✗ | ✗ | ✗ | ✗ |
| Gobuster | ✓ | ✓ | ✓ | ✗ | ✗ |
| Wfuzz | ✓ | ✗ | ✓ | ✓ | ✗ |
| Patator | ✗ | ✗ | ✗ | ✓ | ✗ |
| IIS Short Name Scanner | ✗ | ✗ | ✗ | ✗ | ✓ |
| Rustbuster | ✓ | ✓ | ✓ | ✓ | ✓ |
Modules
Let's look at each available module in detail.
dir — Directories and files enumeration mode
The dir module can be used to discover new content. You can set up a wordlist and an extensions list to discover directories and files hosted on the web server. Rustbuster will send all the requests with the given concurrency level and report back which ones exist. In the following example we will enumerate directories and files with the optional php extension, with concurrent requests limited to 10.
Example command:
rustbuster dir -u http://localhost:3000/ -w examples/wordlist -e php -t 10
dns — A/AAAA DNS entries enumeration mode
The dns module can be used to discover subdomains of a given domain. It works by simply asking your default DNS resolver to resolve potential hostnames and reporting which ones successfully resolve. In the following example we will enumerate the subdomains of google.com by iterating over the provided wordlist.
Example command:
rustbuster dns -d google.com -w examples/wordlist
vhost — Virtual hosts enumeration mode
The vhost module can be used to enumerate which Virtual Hosts are available on the web server. It works by fuzzing the Host HTTP header using the given wordlist and filtering out the responses whose HTTP body contains the string given with the -x,--ignore-string parameter.
In the following example we will bruteforce the available Vhosts, ignoring all the responses that contain the word Hello in the HTTP body.
Example command:
rustbuster vhost -u http://localhost:3000/ -w examples/wordlist -d test.local -x "Hello"
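Both the dir and vhost modules above leave a recognisable trace in server logs: dir mode as a burst of 404s spread over many distinct paths, vhost mode as many different Host values from a single client. The following Rust program is an added example, not Rustbuster's own code: it aggregates constructed log lines in an assumed format (client IP, Host header, quoted request line, status) and flags clients matching either pattern.

```rust
use std::collections::{HashMap, HashSet};
// Constructed sample lines in an assumed format: client_ip host_header "request line" status
pub const SAMPLE_LOG: &str = "\
10.0.0.5 www.example.test \"GET /index.html HTTP/1.1\" 200
10.0.0.9 www.example.test \"GET /admin HTTP/1.1\" 404
10.0.0.9 www.example.test \"GET /admin.php HTTP/1.1\" 404
10.0.0.9 www.example.test \"GET /backup HTTP/1.1\" 404
10.0.0.9 www.example.test \"GET /login HTTP/1.1\" 200
10.0.0.7 test.local \"GET / HTTP/1.1\" 200
10.0.0.7 dev.test.local \"GET / HTTP/1.1\" 200
10.0.0.7 staging.test.local \"GET / HTTP/1.1\" 200
10.0.0.7 admin.test.local \"GET / HTTP/1.1\" 200
";

#[derive(Default)]
pub struct ClientStats { pub requests: usize, pub not_found: usize,
                         pub paths: HashSet<String>, pub hosts: HashSet<String> }

// Returns (client_ip, host, path, status); None for lines that do not fit the format.
pub fn parse_line(line: &str) -> Option<(String, String, String, u16)> {
    let (start, end) = (line.find('"')?, line.rfind('"')?);
    let mut head = line[..start].split_whitespace();
    let (ip, host) = (head.next()?.to_string(), head.next()?.to_string());
    let path = line.get(start + 1..end)?.split_whitespace().nth(1)?.to_string();
    let status = line[end + 1..].trim().parse::<u16>().ok()?;
    Some((ip, host, path, status))
}

// Per-client counters: total requests, 404s, distinct paths and distinct Host values.
pub fn aggregate(log: &str) -> HashMap<String, ClientStats> {
    let mut stats: HashMap<String, ClientStats> = HashMap::new();
    for (ip, host, path, status) in log.lines().filter_map(parse_line) {
        let s = stats.entry(ip).or_default();
        s.requests += 1;
        if status == 404 { s.not_found += 1; }
        s.paths.insert(path);
        s.hosts.insert(host);
    }
    stats
}

// Clients with at least `min_requests` that look like dir mode (mostly 404s over many
// distinct paths) or vhost mode (many distinct Host values); sorted for stable output.
pub fn suspicious(stats: &HashMap<String, ClientStats>, min_requests: usize) -> Vec<String> {
    let mut out: Vec<String> = stats.iter()
        .filter(|(_, s)| s.requests >= min_requests
            && ((s.not_found * 2 >= s.requests && s.paths.len() * 2 >= s.requests)
                || s.hosts.len() >= min_requests))
        .map(|(ip, _)| ip.clone()).collect();
    out.sort();
    out
}
```

The thresholds are deliberately simple; in production you would window by time, since a scanner's defining trait is the rate at which it works through its wordlist.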
fuzz — Custom fuzzing enumeration mode
The fuzz module can be used when a more flexible fuzzing pattern is needed. You can define the injection points and a wordlist for each of them, and the cartesian product of the wordlists is used to generate the requests. CSRF tokens are also supported! In the following example we will bruteforce a login form that requires a different CSRF token per request, which will be extracted by applying a RegEx.
Example command:
rustbuster fuzz -u http://localhost:3000/login \
-X POST \
-H "Content-Type: application/json" \
-b '{"user":"FUZZ","password":"FUZZ","csrf":"CSRFCSRF"}' \
-w examples/wordlist \
-w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt \
-s 200 \
--csrf-url "http://localhost:3000/csrf" \
--csrf-regex '\{"csrf":"(\w+)"\}'
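How the request generation described above works, as an added example rather than Rustbuster's own code: one wordlist per FUZZ marker, expanded as a cartesian product, plus a hand-rolled equivalent of the --csrf-regex extraction. The FUZZ and CSRFCSRF markers and the {"csrf":"..."} response shape are taken from the command above; the wordlists in the test are constructed.

```rust
// Markers as used in the command above: FUZZ for injection points, CSRFCSRF for the token.
const FUZZ: &str = "FUZZ";
const CSRF: &str = "CSRFCSRF";

// Expand `template` over one wordlist per FUZZ marker (cartesian product); the i-th marker
// takes its words from the i-th list. Errors if marker and wordlist counts differ.
pub fn expand(template: &str, wordlists: &[Vec<&str>]) -> Result<Vec<String>, String> {
    let markers = template.matches(FUZZ).count();
    if markers != wordlists.len() {
        return Err(format!("{} FUZZ markers but {} wordlists", markers, wordlists.len()));
    }
    // Start from the untouched template and substitute the first remaining marker per list.
    let mut out = vec![template.to_string()];
    for list in wordlists {
        out = out.iter()
            .flat_map(|t| list.iter().map(move |w| t.replacen(FUZZ, *w, 1)))
            .collect();
    }
    Ok(out)
}

// Pull the token out of a captured response of the form {"csrf":"<token>"}: the same
// match as \{"csrf":"(\w+)"\} above, assuming \w means [A-Za-z0-9_].
pub fn extract_csrf(body: &str) -> Option<String> {
    let rest = &body[body.find("{\"csrf\":\"")? + 9..];
    let token: String = rest.chars()
        .take_while(|c| c.is_ascii_alphanumeric() || *c == '_').collect();
    if token.is_empty() || !rest[token.len()..].starts_with("\"}") { None } else { Some(token) }
}

// Insert a freshly fetched token into one expanded body before sending it.
pub fn with_token(body: &str, token: &str) -> String {
    body.replace(CSRF, token)
}
```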
tilde — IIS 8.3 shortname enumeration mode
The tilde module can be used to exploit the known information disclosure issue related to Microsoft IIS and DOS 8.3 filenames, which makes it possible to easily enumerate the server-side file system structure. In the following example we will enumerate the available 8.3 short names using the .aspx redirection extension and OPTIONS as the HTTP method.
Example command:
rustbuster tilde -u http://localhost:3000/ -e aspx -X OPTIONS
Installation
You can grab the latest prebuilt binary from GitHub.
At the moment I am only providing an x86_64-unknown-linux-gnu build. If you need it for a different architecture or operating system, you can find out how to build it from the sources below.
The following function will do the trick:
install_rustbuster() {
    echo "Installing latest version of Rustbuster"
    # Find the newest release tag by scraping the GitHub releases page
    latest_version=`curl -s https://github.com/phra/rustbuster/releases | grep "rustbuster-v" | head -n1 | cut -d'/' -f6`
    echo "Latest release: $latest_version"
    # Download the prebuilt Linux binary into /opt/rustbuster (needs write access to /opt)
    mkdir -p /opt/rustbuster
    wget -qP /opt/rustbuster https://github.com/phra/rustbuster/releases/download/$latest_version/rustbuster-$latest_version-x86_64-unknown-linux-gnu
    # Point a stable name at the versioned binary and make it executable
    ln -fs /opt/rustbuster/rustbuster-$latest_version-x86_64-unknown-linux-gnu /opt/rustbuster/rustbuster
    chmod +x /opt/rustbuster/rustbuster
    echo "Done! Try running"
    echo "/opt/rustbuster/rustbuster -h"
}
install_rustbuster
Hack it
In order to compile it from the sources we first need to install the Rust toolchain.
Being a conventional Rust project, its whole development flow is managed by Cargo, the Rust package manager.
Getting the source
You can grab the latest master branch hosted on GitHub using git:
git clone https://github.com/phra/rustbuster.git
Development build
To produce a debug version of the binary, we can issue the following command in the root directory of the project:
cargo build
Release build
When everything is ready, we can generate an optimized binary and strip the remaining symbols with the following command:
cargo build --release && strip target/release/rustbuster
Running tests
A few tests are included at the moment. To run them you can use the following command:
cargo test
Running benches
A few benches are also included. To run them use:
cargo bench
Contributing to the project
Contributions are not only welcome, but encouraged! Feel free to mess with the codebase and open a pull request on GitHub with fixes, refactors and new features.
Bonus: CircleCI integration
Are you interested in integrating a CI pipeline in a Rust project? I wrote a generic CircleCI configuration for Rust projects that you can reuse with yours. See it in action here.