iwantmore.pizza

phra's blog ~ Technical posts about InfoSec

Jul 11, 2019

Introducing Rustbuster — A Comprehensive Web Fuzzer and Content Discovery Tool

I decided to learn The Rust Programming Language and ended up writing Rustbuster, yet another web fuzzer and content discovery tool™, but one that combines the main features of DirBuster, Gobuster, wfuzz, Patator's http_fuzz and IIS Short Name Scanner.

Motivation

Rust is an amazing systems programming language. It combines powerful and innovative ideas into what I like to call a higher-level low-level language.

The best aspects are:

If you are interested into learning the language, check out The Rust Programming Language book.

Rustbuster

Rustbuster was started as a Rust playground project with @ps1dr3x, with the goal of reimplementing a DirBuster equivalent. It ended up becoming a collection of modules useful in different situations. Having a single executable suitable for the most common web fuzzing tasks is very handy. At the time of writing, five modules are available: dir, dns, vhost, fuzz and tilde.

Features Matrix

Columns (features compared): Directories and Files | A/AAAA DNS Entries | Vhost Enumeration | Custom Fuzzing | 8.3 Short Names

Rows (tools compared): DirBuster, Gobuster, Wfuzz, Patator, IIS Short Name Scanner, Rustbuster

Modules

Let's look at each available module in detail.

dir: Directories and files enumeration mode

The dir module can be used to discover new content. You can set up a wordlist and an extensions list to discover directories and files hosted on the web server. Rustbuster sends all the requests at the given concurrency level and reports back which ones exist. In the following example we enumerate directories and files with the optional php extension, with concurrent requests limited to 10.

Example command:

rustbuster dir -u http://localhost:3000/ -w examples/wordlist -e php -t 10


dns: A/AAAA DNS entries enumeration mode

The dns module can be used to discover subdomains of a given domain. It works by simply asking your default DNS resolver to resolve candidate hostnames and reporting which ones resolve successfully. In the following example we enumerate the subdomains of google.com by iterating over the provided wordlist.

Example command:

rustbuster dns -d google.com -w examples/wordlist


vhost: Virtual hosts enumeration mode

The vhost module can be used to enumerate which virtual hosts are available on the web server. It works by fuzzing the Host HTTP header with the given wordlist and filtering out every response whose body contains the string passed via the -x,--ignore-string parameter. In the following example we brute-force the available vhosts, ignoring all responses that contain the word Hello in the HTTP body.

Example command:

rustbuster vhost -u http://localhost:3000/ -w examples/wordlist -d test.local -x "Hello"


fuzz: Custom fuzzing enumeration mode

The fuzz module can be used when a more flexible fuzzing pattern is needed. You define the injection points and a wordlist for each of them, and the cartesian product of all combinations is generated as requests. CSRF tokens are also supported! In the following example we brute-force a login form that requires a different CSRF token per request; the token is extracted from the CSRF endpoint's response by applying a regex.

Example command:

rustbuster fuzz -u http://localhost:3000/login \
    -X POST \
    -H "Content-Type: application/json" \
    -b '{"user":"FUZZ","password":"FUZZ","csrf":"CSRFCSRF"}' \
    -w examples/wordlist \
    -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt \
    -s 200 \
    --csrf-url "http://localhost:3000/csrf" \
    --csrf-regex '\{"csrf":"(\w+)"\}'

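To make the injection-point model concrete, here is an added Python sketch (not code from this post or from Rustbuster) of how a body template with FUZZ markers and a CSRFCSRF placeholder expands into the cartesian product of requests. The wordlists, the CSRF endpoint's response body and the function names are constructed for the illustration; the regex is the one from the command above. Rustbuster fetches a fresh token per request, whereas this sketch extracts it once from a single captured body.

```python
import itertools
import re

# Constructed stand-ins for the two -w wordlist files in the command above.
USER_WORDS = ["admin", "guest"]
PASS_WORDS = ["123456", "password", "letmein"]

# Body template from the command above: one FUZZ marker per injection point.
TEMPLATE = '{"user":"FUZZ","password":"FUZZ","csrf":"CSRFCSRF"}'

# Constructed response body of the --csrf-url endpoint, shaped to match the regex.
CSRF_RESPONSE = '{"csrf":"a1b2c3d4"}'
CSRF_REGEX = r'\{"csrf":"(\w+)"\}'   # the --csrf-regex from the command above


def extract_csrf(body, pattern=CSRF_REGEX):
    """Return capture group 1 of the first regex match, as the --csrf-regex option does."""
    m = re.search(pattern, body)
    if not m:
        raise ValueError("csrf regex did not match the response body")
    return m.group(1)


def expand(template, wordlists, marker="FUZZ", csrf_marker="CSRFCSRF", csrf_token=None):
    """Yield one body per combination; the i-th marker draws its words from wordlists[i].

    Splitting on the marker (rather than str.replace) keeps a word that itself
    contains the marker text from being substituted a second time.
    """
    parts = template.split(marker)
    if len(parts) - 1 != len(wordlists):
        raise ValueError(f"{len(parts) - 1} markers but {len(wordlists)} wordlists")
    for combo in itertools.product(*wordlists):
        body = "".join(p + w for p, w in zip(parts, combo)) + parts[-1]
        if csrf_token is not None:
            body = body.replace(csrf_marker, csrf_token)
        yield body


def build_requests(template, wordlists, csrf_body=None):
    """Materialise the full request list; csrf_body is the captured CSRF endpoint response."""
    token = extract_csrf(csrf_body) if csrf_body is not None else None
    return list(expand(template, wordlists, csrf_token=token))


if __name__ == "__main__":
    for body in build_requests(TEMPLATE, [USER_WORDS, PASS_WORDS], csrf_body=CSRF_RESPONSE):
        print(body)
```

With two users and three passwords the product yields six bodies; adding a third wordlist without a third FUZZ marker raises a ValueError instead of silently reusing a marker.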

tilde: IIS 8.3 shortname enumeration mode

The tilde module can be used to exploit the known information disclosure issue related to Microsoft IIS and DOS 8.3 filenames, which makes it possible to easily enumerate the server-side file system structure. In the following example we enumerate the available 8.3 short names using the .aspx redirection extension and OPTIONS as the HTTP method.

rustbuster tilde -u http://localhost:3000/ -e aspx -X OPTIONS

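The flip side for defenders: each module leaves a recognisable footprint in web server logs. The following Python is an added example (not from this post or from Rustbuster) that runs simple heuristics over constructed access-log lines: a dir-style run shows up as many requests from one client with a low hit rate, a vhost run as one client cycling through many Host values, and a tilde run as OPTIONS requests whose paths carry the tilde of an 8.3 short name. The log format, the thresholds and the sample lines are all assumptions made for the illustration; real deployments need the virtual host field enabled in the log format and thresholds tuned to the site's normal traffic.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the post). Assumed format:
#   client_ip vhost "METHOD PATH HTTP/1.1" status
SAMPLE_LOG = """\
10.0.0.5 www.example.test "GET /index.php HTTP/1.1" 200
10.0.0.5 www.example.test "GET /about HTTP/1.1" 200
10.0.0.9 www.example.test "GET /admin HTTP/1.1" 404
10.0.0.9 www.example.test "GET /backup HTTP/1.1" 404
10.0.0.9 www.example.test "GET /backup.php HTTP/1.1" 404
10.0.0.9 www.example.test "GET /config.php HTTP/1.1" 404
10.0.0.9 www.example.test "GET /login HTTP/1.1" 200
10.0.0.9 www.example.test "GET /test HTTP/1.1" 404
10.0.0.9 www.example.test "GET /test.php HTTP/1.1" 404
10.0.0.9 www.example.test "GET /uploads HTTP/1.1" 404
10.0.0.9 www.example.test "GET /old HTTP/1.1" 404
10.0.0.9 www.example.test "GET /old.php HTTP/1.1" 404
10.0.0.7 dev.example.test "GET / HTTP/1.1" 200
10.0.0.7 staging.example.test "GET / HTTP/1.1" 200
10.0.0.7 admin.example.test "GET / HTTP/1.1" 200
10.0.0.7 test.example.test "GET / HTTP/1.1" 200
10.0.0.7 beta.example.test "GET / HTTP/1.1" 200
10.0.0.7 mail.example.test "GET / HTTP/1.1" 200
10.0.0.3 www.example.test "OPTIONS /a*~1*/.aspx HTTP/1.1" 404
10.0.0.3 www.example.test "OPTIONS /b*~1*/.aspx HTTP/1.1" 404
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)


def parse_log(text):
    """Parse lines in the assumed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def detect_scans(events, min_requests=8, max_hit_ratio=0.3, min_distinct_hosts=5):
    """Return {client_ip: [reasons]} for clients whose traffic matches a module's footprint.

    Thresholds are illustrative assumptions, not values Rustbuster uses.
    """
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in per_ip.items():
        reasons = []
        total = len(evs)
        hits = sum(1 for ev in evs if ev["status"] != 404)
        # dir-style footprint: a wordlist walk is mostly misses.
        if total >= min_requests and hits / total <= max_hit_ratio:
            reasons.append("content-discovery")
        # vhost-style footprint: one client, many different Host values.
        if len({ev["host"] for ev in evs}) >= min_distinct_hosts:
            reasons.append("vhost-enumeration")
        # tilde-style footprint: OPTIONS requests whose path contains an 8.3 tilde.
        if any(ev["method"] == "OPTIONS" and "~" in ev["path"] for ev in evs):
            reasons.append("iis-shortname-probe")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(ip, ", ".join(reasons))
```

The 404-ratio rule is deliberately per client rather than per path, because a content-discovery run touches hundreds of distinct paths that individually look harmless; the short-name rule keys on the tilde alone, since the redirection extension (aspx here) is a per-run choice.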

Installation

You can grab the latest prebuilt binary from GitHub.

At the moment I am only providing an x86_64-unknown-linux-gnu build. If you need it for a different architecture or operating system, you can find out how to build it from the sources below.

The following function will do the trick:

install_rustbuster() {
    echo "Installing latest version of Rustbuster"
    # Scrape the releases page for the first "rustbuster-v..." download link and take the tag from its path
    latest_version=$(curl -s https://github.com/phra/rustbuster/releases | grep "rustbuster-v" | head -n1 | cut -d'/' -f6)
    echo "Latest release: $latest_version"
    mkdir -p /opt/rustbuster
    # Fetch the prebuilt Linux binary for that tag
    wget -qP /opt/rustbuster "https://github.com/phra/rustbuster/releases/download/$latest_version/rustbuster-$latest_version-x86_64-unknown-linux-gnu"
    # Point a stable path at the versioned binary
    ln -fs "/opt/rustbuster/rustbuster-$latest_version-x86_64-unknown-linux-gnu" /opt/rustbuster/rustbuster
    chmod +x /opt/rustbuster/rustbuster
    echo "Done! Try running"
    echo "/opt/rustbuster/rustbuster -h"
}

install_rustbuster

Hack it

In order to compile it from the sources we first need to install the Rust toolchain.

Being a conventional Rust project, its whole development flow is managed by Cargo, the Rust package manager.

Getting the source

You can grab the latest master branch hosted on GitHub using git:

git clone https://github.com/phra/rustbuster.git

Development build

To produce a debug version of the binary, we can issue the following command in the root directory of the project:

cargo build

Release build

When everything is ready, we can generate an optimized binary and strip the remaining symbols with the following command:

cargo build --release && strip target/release/rustbuster

Running tests

A few tests are included at the moment. To run them you can use the following command:

cargo test

Running benches

A few benches are also included. To run them use:

cargo bench

Contributing to the project

PRs are warmly welcome! ❤

Contributions are not only welcome, but encouraged! Feel free to mess with the codebase and open a pull request on GitHub with fixes, refactors and new features.

Bonus: CircleCI integration

Are you interested in integrating a CI pipeline in a Rust project? I wrote a generic CircleCI configuration for Rust projects that you can reuse with yours. See it in action here.
