loading
loading
Discovery
Web path scanner.
overview
dirsearch brute-forces a target URL against a wordlist to find directories and files that nothing links to: admin panels, backups, .git folders, config files, and forgotten endpoints. It fires many requests in parallel and can expand each wordlist entry by extension, so with -f the single entry admin also probes admin.php and admin.bak in one pass.
Its edge is filtering and recursion. Keep or drop responses by status code with -i and -x, by size with --exclude-sizes, or by regex and redirect target to cut soft-404 padding, then turn on -r to descend into the directories it finds and walk the application tree. It also speaks raw requests, custom headers, cookies, authentication, and proxies, so it reaches content behind a login or through an intercepting proxy.
Wire dirsearch into a Trickest workflow after httpx confirms a host is live: give it one or more URLs and a wordlist, then hand the discovered paths to a crawler or scanner for the next stage. Set a report --format such as json, csv, or html and the hits land as structured data the rest of the graph can query.
use cases
Brute-force a live host with a content wordlist and extension list to surface admin panels, backups, and endpoints missing from the site's navigation.
Include only interesting status codes and exclude noisy sizes or redirect targets so the output is real hits, not soft-404 padding.
Enable recursive brute-forcing to descend into discovered directories and map deeper paths automatically.
Pass cookies, headers, or an auth credential and route through a proxy to discover content behind a login or through an intercepting tool.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | Target URL(s), can use multiple flags. |
| wordlist | FILE | --wordlists | Wordlist file of paths to brute-force. |
| extensions | STRING | --extensions | Extension list separated by commas (e.g. php,asp). |
| recursive | BOOLEAN | --recursive | Brute-force recursively into discovered directories. |
| include-status | STRING | --include-status | Include status codes, supports ranges (e.g. 200,300-399). |
| exclude-status | STRING | --exclude-status | Exclude status codes, supports ranges (e.g. 301,500-599). |
| format | STRING | --format | Report format (simple, plain, json, xml, md, csv, html, sqlite, and more). |
| threads | STRING | --threads | Number of threads for concurrent requests. |
Showing key inputs. dirsearch exposes 70 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| ip | STRING | --ip | Server IP address |
| raw | FILE | --raw | Load raw HTTP request from file (use '--scheme' flag to set the scheme) |
| tor | BOOLEAN | --tor | Use Tor network as proxy |
| url | STRING | --url | Target URL(s), can use multiple flags |
| auth | STRING | --auth | Authentication credential (e.g. user:password or bearer token) |
| cidr | STRING | --cidr | Target CIDR |
| data | STRING | --data | HTTP request data |
| crawl | BOOLEAN | --crawl | Crawl for new paths in responses |
| delay | STRING | --delay | Delay between requests |
| proxy | STRING | --proxy | Proxy URL (HTTP/SOCKS), can use multiple flags |
| config | FILE | --config | Path to configuration file |
| cookie | STRING | --cookie | Cookie |
| format | STRING | --format | Report format (Available: simple,plain,json,xml,md,csv,html,sqlite,mysql,postgresql) |
| header | STRING | --header | HTTP request header, can use multiple flags |
| scheme | STRING | --scheme | Scheme for raw request or if there is no scheme in the URL (Default: auto-detect) |
| capital | BOOLEAN | --capital | Capital wordlist |
| retries | STRING | --retries | Number of retries for failed requests |
| session | FILE | --session | Session file |
| subdirs | STRING | --subdirs | Scan sub-directories of the given URL[s] (separated by commas) |
| threads | STRING | --threads | Number of threads |
| timeout | STRING | --timeout | Connection timeout |
| full-url | BOOLEAN | --full-url | Full URLs in the output (enabled automatically in quiet mode) |
| key-file | FILE | --key-file | File contains client-side certificate private key (unencrypted) |
| max-rate | STRING | --max-rate | Max requests per second |
| max-time | STRING | --max-time | Maximum runtime for the scan |
| no-color | BOOLEAN | --no-color | No colored output |
| prefixes | STRING | --prefixes | Add custom prefixes to all wordlist entries (separated by commas) |
| suffixes | STRING | --suffixes | Add custom suffixes to all wordlist entries, ignore directories (separated by commas) |
| wordlist | FILE | --wordlists | Wordlist file |
| auth-type | STRING | --auth-type | Authentication type (basic, digest, bearer, ntlm, jwt) |
| cert-file | FILE | --cert-file | File contains client-side certificate |
| data-file | FILE | --data-file | File contains HTTP request data |
| interface | STRING | --interface | Network interface to use |
| lowercase | BOOLEAN | --lowercase | Lowercase wordlist |
| recursive | BOOLEAN | --recursive | Brute-force recursively |
| uppercase | BOOLEAN | --uppercase | Uppercase wordlist |
| urls-file | FILE | --urls-file | URL list file |
| wordlists | FOLDER | --wordlists | Wordlists folder |
| extensions | STRING | --extensions | Extension list separated by commas (e.g. php,asp) |
| proxy-auth | STRING | --proxy-auth | Proxy authentication credential |
| quiet-mode | BOOLEAN | --quiet-mode | Quiet mode |
| user-agent | STRING | --user-agent | User agent |
| http-method | STRING | --http-method | HTTP method (default: GET) |
| nmap-report | FILE | --nmap-report | Load targets from nmap report (Ensure the inclusion of the -sV flag during nmap scan for comprehensive results) |
| exclude-text | STRING | --exclude-text | Exclude responses by text, can use multiple flags |
| headers-file | BOOLEAN | --headers-file | File contains HTTP request headers |
| proxies-file | FILE | --proxies-file | File contains proxy servers |
| random-agent | BOOLEAN | --random-agent | Choose a random User-Agent for each request |
| replay-proxy | STRING | --replay-proxy | Proxy to replay with found paths |
| exclude-regex | STRING | --exclude-regex | Exclude responses by regular expression |
| exclude-sizes | STRING | --exclude-sizes | Exclude responses by sizes, separated by commas (e.g. 0B,4KB) |
| exit-on-error | BOOLEAN | --exit-on-error | Exit whenever an error occurs |
| deep-recursive | BOOLEAN | --deep-recursive | Perform recursive scan on every directory depth (e.g. api/users -> api/) |
| exclude-status | STRING | --exclude-status | Exclude status codes, separated by commas, support ranges (e.g. 301,500-599) |
| include-status | STRING | --include-status | Include status codes, separated by commas, support ranges (e.g. 200,300-399) |
| skip-on-status | STRING | --skip-on-status | Skip target whenever hit one of these status codes, separated by commas, support ranges |
| exclude-subdirs | STRING | --exclude-subdirs | Exclude the following subdirectories during recursive scan (separated by commas) |
| force-recursive | BOOLEAN | --force-recursive | Do recursive brute-force for every found path, not only directories |
| exclude-redirect | STRING | --exclude-redirect | Exclude responses if this regex (or text) matches redirect URL (e.g. '/index.html') |
| exclude-response | STRING | --exclude-response | Exclude responses similar to response of this page, path as input (e.g. 404.html) |
| follow-redirects | BOOLEAN | --follow-redirects | Follow HTTP redirects |
| force-extensions | BOOLEAN | --force-extensions | Add extensions to the end of every wordlist entry. By default dirsearch only replaces the %EXT% keyword with extensions |
| recursion-status | STRING | --recursion-status | Valid status codes to perform recursive scan, support ranges (separated by commas) |
| max-response-size | STRING | --max-response-size | Maximum response length |
| min-response-size | STRING | --min-response-size | Minimum response length |
| redirects-history | BOOLEAN | --redirects-history | Show redirects history |
| remove-extensions | BOOLEAN | --remove-extensions | Remove extensions in all paths (e.g. admin.php -> admin) |
| exclude-extensions | STRING | --exclude-extensions | Exclude extension list separated by commas (e.g. asp,jsp) |
| max-recursion-depth | STRING | --max-recursion-depth | Maximum recursion depth |
| overwrite-extensions | BOOLEAN | --overwrite-extensions | Overwrite other extensions in the wordlist with your extensions (selected via `-e`) |
example
# brute-force a live host, recurse, filter noise, JSON reportdirsearch -u https://example.com -w /wordlists/content.txt -e php,asp,json -r -i 200,301,403 -x 404 --format jsonTarget: https://example.com/ [13:24:05] Starting: [13:24:11] 301 - 178B - /admin -> https://example.com/admin/[13:24:13] 200 - 4KB - /admin/login.php[13:24:19] 403 - 279B - /.git/HEAD[13:24:26] 200 - 12KB - /backup.zip[13:24:31] 200 - 1KB - /config.php.bak[13:24:44] 301 - 178B - /api -> https://example.com/api/[13:24:52] 200 - 2KB - /robots.txt Task Completedguidance
Use dirsearch to brute-force paths on a host you already know is live. Filter by status and size to cut soft-404 noise, and recurse to map deeper trees. For a more general FUZZ engine across parameters and vhosts, use ffuf; to discover links by crawling rather than guessing, use katana.
General FUZZ engine for paths, parameters, and vhosts. dirsearch is purpose-built for path discovery with built-in report formats.
Recursive content discovery with smart defaults. dirsearch offers richer include and exclude filtering.
Fast, simple directory brute-forcing. dirsearch adds recursion control and more output formats.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A live URL and a wordlist feed dirsearch, which brute-forces paths and writes the discovered files and directories as a queryable output.
Facts on this page come from the live Trickest tool library.