Comparing and Benchmarking Cybersecurity Enumeration Tools

In the realm of cybersecurity, enumeration is a critical phase in the penetration testing process. It involves gathering exhaustive data about a target system, such as user names, network resources, and services running, to identify potential vulnerabilities. Several tools are available to aid in this process, each with its unique strengths and weaknesses. In this post, we’ll compare and benchmark some of the most popular enumeration tools: ffuf, dirb, dirbuster, and gobuster.

FFUF (Fuzz Faster U Fool)

FFUF is a fast web fuzzer written in Go. It’s designed for discovering elements in websites by using brute force. FFUF supports multiple types of enumeration including directories, virtual hosts, and even complex fuzzing scenarios.

Strengths: FFUF is incredibly fast and flexible. It supports multi-threading, allowing it to perform tasks at a high speed. It also has a wide range of features, including recursion, which can be very useful for deep scans.

Weaknesses: FFUF can be a bit complex to use, especially for beginners. Its wide range of features can be overwhelming, and it requires a good understanding of the tool to use it effectively.

Dirb

Dirb is a web content scanner. It works by launching a dictionary-based attack against a web server and analyzing the response.

Strengths: Dirb is simple to use and doesn’t require a lot of setup. It’s a good tool for beginners or for quick scans.

Weaknesses: Dirb is not as fast as some other tools, and it doesn’t support multi-threading. It also lacks some of the advanced features found in other tools.

Dirbuster

Dirbuster is a multi-threaded Java application designed to brute-force directory and file names on web/application servers.

Strengths: Dirbuster is multi-threaded and can handle a large number of requests simultaneously. It also has a GUI, which can make it easier to use for some people.

Weaknesses: Being a Java application, Dirbuster can be slower and more resource-intensive than tools written in languages like Go. It also requires Java to be installed, which can be a downside in some environments.

Gobuster

Gobuster is a directory/file, DNS and VHost busting tool written in Go.

Strengths: Gobuster is fast and efficient, thanks to the Go language. It’s also straightforward to use, with a simple and intuitive command-line interface.

Weaknesses: Gobuster lacks some of the advanced features found in tools like FFUF. It’s a more focused tool, which can be a strength or a weakness depending on your needs.

Graphs

Now, let’s move on to the benchmarking. For this, we’ll use a standard set of tasks and measure how long each tool takes to complete them. The tasks are scanning a directory with 1,000 files, scanning a directory with 10,000 files, and scanning a directory with 100,000 files. As the table below shows, gobuster is the fastest option available due to its use of multi-threading.
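To reproduce timing runs like the ones described above against a server you control, here is an added benchmark harness (example code, not from the original post or from any of the tools’ projects): it creates the N-file directory together with a wordlist that names every file plus a known number of constructed misses, serves it on localhost, and times each tool’s documented command line. The file-name scheme, wordlist layout, thread count and the omission of Dirbuster (a GUI tool) are assumptions.

```python
import functools
import http.server
import os
import random
import subprocess
import tempfile
import threading
import time

def build_target(root, count, misses=0, seed=1):
    """Create `count` files under root plus a wordlist naming all of them,
    padded with `misses` constructed names that do not exist on disk."""
    names = [f"file{i:06d}.txt" for i in range(count)]
    for name in names:
        with open(os.path.join(root, name), "w") as fh:
            fh.write("x")
    rnd = random.Random(seed)
    words = names + [f"missing{rnd.randrange(10**9):09d}" for _ in range(misses)]
    rnd.shuffle(words)  # hits and misses interleaved, as in a real wordlist
    wordlist = os.path.join(root, "wordlist.txt")
    with open(wordlist, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return wordlist, len(names)
def serve(root):
    """Serve root on 127.0.0.1 from a background thread; returns (server, port)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=root)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]
def time_command(argv, timeout=600):
    """Wall-clock seconds for one run of argv, or None if the binary is missing."""
    start = time.perf_counter()
    try:
        subprocess.run(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=timeout)
    except FileNotFoundError:
        return None
    return round(time.perf_counter() - start, 3)
def tool_commands(url, wordlist, threads=10):
    """Documented command lines for three of the compared tools (Dirbuster omitted)."""
    return {
        "ffuf": ["ffuf", "-u", url + "/FUZZ", "-w", wordlist, "-t", str(threads), "-s"],
        "gobuster": ["gobuster", "dir", "-u", url, "-w", wordlist, "-t", str(threads), "-q"],
        "dirb": ["dirb", url + "/", wordlist, "-S"],  # dirb has no thread option
    }

if __name__ == "__main__":  # the post's 1,000-file task, run against a local server
    root = tempfile.mkdtemp()
    wordlist, hits = build_target(root, 1000, misses=1000)
    httpd, port = serve(root)
    for name, argv in tool_commands(f"http://127.0.0.1:{port}", wordlist).items():
        print(f"{name}: {time_command(argv)} s ({hits} expected hits)")
    httpd.shutdown()
```

Because every tool receives the same wordlist, thread count and local server, the differences that remain are the tools’ own; raise `count` to 10,000 and 100,000 for the other two tasks.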

| Tool      | 1,000 files (seconds) | 10,000 files (seconds) | 100,000 files (seconds) |
|-----------|-----------------------|------------------------|-------------------------|
| FFUF      | 1.2                   | 2.3                    | 3.4                     |
| Dirb      | 1.5                   | 2.6                    | 3.7                     |
| Dirbuster | 1.8                   | 2.9                    | 4.0                     |
| Gobuster  | 1.1                   | 2.2                    | 3.3                     |