🦀 Releases ✨ Example Usage ✨ Contributing ✨ Documentation 🦀
Ferox is short for Ferric Oxide. Ferric Oxide, simply put, is rust. The name rustbuster was taken, so I decided on a variation. 🤷
Releases for multiple architectures can be found in the Releases section. Builds for the following systems are currently supported:
feroxbuster is published on crates.io, making it easy to install if you already have rust installed on your system.
cargo install feroxbuster
Head to the Releases section and download feroxbuster_amd64.deb. After that, use your favorite package manager to install the .deb.
sudo apt install ./feroxbuster_amd64.deb
Configuration begins with with the following built-in default values baked into the binary:
7 secondsfalse/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt500 (no logging enabled)200 204 301 302 307 308 401 403 405feroxbuster/VERSION4truestdoutAfter setting built-in default values, any values defined in a ferox-config.toml config file will override the
built-in defaults.
feroxbuster searches for ferox-config.toml in the following locations (in the order shown):
- /etc/feroxbuster/ (global)
- CONFIG_DIR/ferxobuster/ (per-user)
- The same directory as the feroxbuster executable (per-user)
- The user's current working directory (per-target)
If more than one valid configuration file is found, each one overwrites the values found previously.
If no configuration file is found, nothing happens at this stage.
As an example, let's say that we prefer to use a different wordlist as our default when scanning; we can
set the wordlist value in the config file to override the baked-in default.
Notes of interest:
- it's ok to only specify values you want to change without specifying anything else
- variable names in ferox-config.toml must match their command-line counterpart
```toml
wordlist = "/wordlists/jhaddix/all.txt" ```
A pre-made configuration file with examples of all available settings can be found in ferox-config.toml.example.
```toml
#
#
#
#
#
#
#
```
Finally, after parsing the available config file, any options/arguments given on the commandline will override any values that were set as a built-in or config-file value.
```
USAGE:
feroxbuster [FLAGS] [OPTIONS] --url
FLAGS: -f, --addslash Append / to each request -D, --dontfilter Don't auto-filter wildcard responses -h, --help Prints help information -k, --insecure Disables TLS certificate validation -n, --norecursion Do not scan recursively -q, --quiet Only print URLs; Don't print status codes, response size, running config, etc... -r, --redirects Follow redirects --stdin Read url(s) from STDIN -V, --version Prints version information -v, --verbosity Increase verbosity level (use -vv or more for greater effect)
OPTIONS:
-d, --depth
Options that take multiple values are very flexible. Consider the following ways of specifying extensions:
./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx
The command above adds .pdf, .js, .html, .php, .txt, .json, and .docx to each url
All of the methods above (multiple flags, space separated, comma separated, etc...) are valid and interchangeable. The same goes for urls, headers, status codes, queries, and size filters.
./feroxbuster -u http://127.1 -H Accept:application/json "Authorization: Bearer {token}"
./feroxbuster -u http://[::1] --norecursion -vv
cat targets | ./feroxbuster --stdin --quiet -s 200 301 302 --redirects -x js | fff -s 200 -o js-files
./feroxbuster -u http://127.1 --insecure --proxy http://127.0.0.1:8080
./feroxbuster -u http://127.1 --proxy socks5://127.0.0.1:9050
./feroxbuster -u http://127.1 --query token=0123456789ABCDEF
There are quite a few similar tools for forced browsing/content discovery. Burp Suite Pro, Dirb, Dirbuster, etc... However, in my opinion, there are two that set the standard: gobuster and ffuf. Both are mature, feature-rich, and all-around incredible tools to use.
So, why would you ever want to use feroxbuster over ffuf/gobuster? In most cases, you probably won't. ffuf in particular can do the vast majority of things that feroxbuster can, while still offering boatloads more functionality. Here are a few of the use-cases in which feroxbuster may be a better fit:
| | feroxbuster | gobuster | ffuf | |-----------------------------------------------------|---|---|---| | fast | ✔ | ✔ | ✔ | | easy to use | ✔ | ✔ | | | blacklist status codes (in addition to whitelist) | | ✔ | ✔ | | allows recursion | ✔ | | ✔ | | can specify query parameters | ✔ | | ✔ | | SOCKS proxy support | ✔ | | | | multiple target scan (via stdin or multiple -u) | ✔ | | | | configuration file for default value override | ✔ | | ✔ | | can accept urls via STDIN as part of a pipeline | ✔ | | | | can accept wordlists via STDIN | | ✔ | | | filter by response size | ✔ | | ✔ | | auto-filter wildcard responses | ✔ | | ✔ | | performs other scans (vhost, dns, etc) | | ✔ | ✔ | | time delay / rate limiting | | ✔ | ✔ | | huge number of other options | | | ✔ |
Of note, there's another written-in-rust content discovery tool, rustbuster. I came across rustbuster when I was naming my tool (😢). I don't have any experience using it, but it appears to be able to do POST requests with an HTTP body, has SOCKS support, and has an 8.3 shortname scanner (in addition to vhost dns, directory, etc...). In short, it definitely looks interesting and may be what you're looking for as it has some capability I haven't seen in similar tools.