Find hidden admin panels and backup files on a web application during an authorized security audit.
Discover undocumented REST or GraphQL API endpoints on a target site during a bug bounty engagement.
Run an authenticated scan with a session cookie to check for access control gaps on protected pages.
Requires Python 3.6+ on Linux. Only use on systems you have explicit authorization to test.
DarkBuster is a Python command-line tool for web directory and file discovery, used during authorized security testing and bug bounty work. Given a target URL, it systematically requests a large number of possible paths and reports which ones return a valid HTTP response. This process, often called content discovery or directory brute-forcing, helps security researchers find hidden pages, admin panels, backup files, and API endpoints that are not linked from the main site.
The tool runs multiple requests in parallel using configurable threads, which makes scanning faster on networks that can handle it. Results are color-coded by HTTP status code: green for accessible pages, yellow for redirects, red for paths that exist but return a blocked response, and blue for paths that exist but require authentication. You can save the output to a file for documentation.
DarkBuster ships with a curated set of wordlists, each targeting a different type of content. The general-purpose lists cover a few hundred to a thousand common paths. Specialized lists cover admin panel login pages, REST and GraphQL API endpoints, backup files, subdomains, and specific web frameworks including WordPress, PHP, Django, Drupal, and Laravel. The author describes the wordlists as updated through May 2026, drawing on paths seen in recent bug bounty reports.
Options include specifying file extensions to append to each path (so "admin" also tests "admin.php" and "admin.html"), setting a custom user-agent or cookie header for authenticated scans, adjusting the request timeout, and filtering which HTTP status codes appear in the output.
The tool requires Python 3.6 or higher and is designed for Linux, including Kali Linux (a distribution commonly used for security research). It is published under the MIT license, and the README includes a disclaimer that it is intended only for authorized testing on systems the user has permission to access.
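From the defender's side, the request pattern described above (many distinct paths, mostly misses, each stem retried with appended extensions) shows up in web server access logs. The following is an added example, not code from DarkBuster or its README; the Common Log Format input, the thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict

# Common Log Format prefix: client, identity, user, [timestamp], "request line", status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})')

def detect_discovery(lines, min_paths=10, min_miss_ratio=0.6, min_families=3):
    """Return {client: stats} for clients whose requests look like path enumeration.
    Thresholds are illustrative assumptions; tune them against real traffic."""
    paths = defaultdict(set)   # client -> distinct paths requested
    misses = defaultdict(int)  # client -> number of 404 responses
    total = defaultdict(int)   # client -> number of parsed requests
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue           # skip malformed lines instead of failing
        client, target, status = m.group(1), m.group(2).split("?")[0], m.group(3)
        paths[client].add(target)
        total[client] += 1
        misses[client] += status == "404"
    flagged = {}
    for client, seen in paths.items():
        # A "family" is one stem requested with two or more suffix variants,
        # e.g. /admin, /admin.php, /admin.html (the extension-appending option).
        stems = defaultdict(set)
        for p in seen:
            stem, ext = posixpath.splitext(p)
            stems[stem].add(ext)
        families = sum(1 for exts in stems.values() if len(exts) >= 2)
        ratio = misses[client] / total[client]
        if len(seen) >= min_paths and ratio >= min_miss_ratio and families >= min_families:
            flagged[client] = {"paths": len(seen), "miss_ratio": round(ratio, 2), "families": families}
    return flagged

def sample_log():
    """Constructed sample lines: one enumerating client and one ordinary visitor."""
    ts = "[10/Jan/2025:10:00:00 +0000]"
    lines = []
    for word in ("admin", "backup", "login", "config", "api"):
        for ext in ("", ".php", ".html"):
            status = 200 if (word, ext) == ("login", ".php") else 404
            lines.append(f'203.0.113.7 - - {ts} "GET /{word}{ext} HTTP/1.1" {status} 0')
    for p in ("/", "/index.html", "/about", "/css/site.css", "/missing"):
        lines.append(f'198.51.100.4 - - {ts} "GET {p} HTTP/1.1" {404 if p == "/missing" else 200} 512')
    return lines

if __name__ == "__main__":
    print(detect_discovery(sample_log()))
```

Requiring all three signals together keeps a visitor who hits one broken link, or a crawler that fetches many valid pages, from being flagged.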
← darkdisaster08 on gitmyhub — every repo by this author, as a profile.
Verify against the repo before relying on details.