Feroxbuster
Basic Directory Busting
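# Basic scan (recursion on, built-in wordlist and thread count; `feroxbuster --help` lists the defaults)
feroxbuster -u <url>
# With wordlist
feroxbuster -u <url> -w <wordlist>
# Extensions — every wordlist entry is also requested with each listed extension appended
feroxbuster -u <url> -x php,html,txt,bak
# Threads (number of concurrent requests; default is 50)
feroxbuster -u <url> -t 50
# Skip TLS certificate verification (self-signed lab targets only)
feroxbuster -u <url> -k
# Follow redirects
feroxbuster -u <url> -r
# Output file
feroxbuster -u <url> -o output.txt
# Quiet mode (hides banner and progress bars)
feroxbuster -u <url> -q
# Verbose (repeat the flag, -vv / -vvv, for more detail)
feroxbuster -u <url> -v
# Do NOT write the .state resume file. This does not hide the progress bar —
# use -q or --silent for that.
feroxbuster -u <url> --no-state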
Recursion
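# Recursion is ON by default: each discovered directory is queued for its own scan
feroxbuster -u <url> -w <wordlist> # recursion is ON by default
# Set recursion depth (default is 4; 0 means unlimited)
feroxbuster -u <url> -d 3
# Disable recursion
feroxbuster -u <url> -n
# Recursion with depth limit + extensions
feroxbuster -u <url> -d 2 -x php,html
# -L caps how many directory scans run CONCURRENTLY (not how many directories are
# recursed into in total); handy for keeping load on the target predictable
feroxbuster -u <url> -L 10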
Filters — Status Codes
# Drop responses carrying any of these status codes (long form of -C)
feroxbuster --url <url> --filter-status 404,400,500
# Report only responses carrying these status codes (long form of -s)
feroxbuster --url <url> --status-codes 200,301,302
# Add 403 to the reported set — access-denied paths still reveal structure worth recording
feroxbuster --url <url> --status-codes 200,301,302,403
# Without -s/--status-codes the reported set is 200,204,301,302,307,308,401,403,405,500
Filters — Size, Words, Lines
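# Exclude responses of exactly this size (bytes)
feroxbuster -u <url> -S 1234
# Exclude responses with exactly this many words
feroxbuster -u <url> -W 10
# Exclude responses with exactly this many lines
feroxbuster -u <url> -N 42
# --filter-size is the long form of -S: this EXCLUDES 0-byte responses (it is a filter, not a match)
feroxbuster -u <url> --filter-size 0
# Exclude responses whose body matches a regex
feroxbuster -u <url> -X "Not Found|Error 404"
# Exclude responses that resemble a known junk page (auto-filter soft-404 / wildcard responses)
feroxbuster -u <url> --filter-similar-to <url>/nonexistent_path_xyz
# Auto-tune: slow down (fewer threads / rate limit) when the target starts returning errors or timing out;
# wildcard detection is separate and on by default
feroxbuster -u <url> --auto-tune
feroxbuster -u <url> --auto-bail # abort the scan, rather than slowing down, when errors pile up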
Rate Limiting
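# Limit requests per second (applied per directory scan)
feroxbuster -u <url> --rate-limit 50
# Stop the whole run after a fixed wall-clock duration (e.g. 60s, 10m, 2h).
# This is NOT a per-request delay; use --rate-limit to slow requests down.
feroxbuster -u <url> --time-limit 60s
# Timeout per request (seconds; default is 7)
feroxbuster -u <url> --timeout 10
# Throttle: fewer threads combined with a rate limit
feroxbuster -u <url> -t 10 --rate-limit 20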
Wordlists
# Explicit wordlist (long form of -w)
feroxbuster --url <url> --wordlist /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
# Several wordlists: repeat the flag once per file
feroxbuster --url <url> --wordlist /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
--wordlist /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
# Wordlists commonly shipped with SecLists / dirbuster
feroxbuster --url <url> --wordlist /usr/share/seclists/Discovery/Web-Content/common.txt
feroxbuster --url <url> --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
feroxbuster --url <url> --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Extensions
# PHP stack (long form of -x)
feroxbuster --url <url> --extensions php,html,txt,bak,old,zip
# ASP.NET stack
feroxbuster --url <url> --extensions aspx,asp,html,txt,config,bak
# Java stack
feroxbuster --url <url> --extensions jsp,jspx,do,action,html,txt
# Backup copies and configuration leftovers, independent of stack
feroxbuster --url <url> --extensions bak,old,orig,swp,~,zip,tar.gz,sql,conf,config,env,log
# Directories only: a directory wordlist and no extensions
feroxbuster --url <url> --wordlist /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
Authentication
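# Basic auth — feroxbuster has no username/password flags (-u is already the target URL and -p is --proxy);
# send the header yourself with the base64 of "username:password"
feroxbuster -u <url> -H "Authorization: Basic <base64(username:password)>"
# Cookie
feroxbuster -u <url> -b "session=abc123; auth=xyz"
# Bearer token
feroxbuster -u <url> -H "Authorization: Bearer <token>"
# Multiple headers (repeat -H)
feroxbuster -u <url> \
-H "Authorization: Bearer <token>" \
-H "X-Api-Key: abc123" \
-H "Accept: application/json"
# Values given on the command line land in shell history and process listings; for real
# credentials prefer a ferox-config.toml with restrictive file permissions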
Replay Proxy & Link Extraction
# Route EVERY request through an intercepting proxy (long form of -p)
feroxbuster --url <url> --proxy http://127.0.0.1:8080
# Route ONLY the reported hits through a replay proxy — keeps Burp history lean (long form of -P)
feroxbuster --url <url> --replay-proxy http://127.0.0.1:8080
# Same, against an HTTPS target whose certificate will not validate (long form of -k)
feroxbuster --url <url> --insecure --replay-proxy http://127.0.0.1:8080
# Replay only hits with the given status codes (long form of -R)
feroxbuster --url <url> --replay-proxy http://127.0.0.1:8080 --replay-codes 200,301,302
# Parse links out of response bodies and queue them for scanning (long form of -e)
feroxbuster --url <url> --extract-links
# Link extraction with a recursion depth cap
feroxbuster --url <url> --extract-links --depth 3
# Link extraction with directory recursion switched off
feroxbuster --url <url> --extract-links --no-recursion
Output
# Write results in feroxbuster's native text format (long form of -o)
feroxbuster --url <url> --output results.txt
# Write results as JSON lines
feroxbuster --url <url> --json --output results.json
# Keep only 200 responses in the output file
feroxbuster --url <url> --status-codes 200 --output hits.txt
# Suppress banner and progress bars while writing to a file (long form of -q)
feroxbuster --url <url> --quiet --output results.txt
# Print nothing but result URLs — suited to piping into other tools
feroxbuster --url <url> --quiet --silent
Resume From File
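# Save state to file
# NOTE(review): --state-file is not an option I can confirm — check `feroxbuster --help`.
# The documented behaviour is that a .state file is written to the current directory
# automatically when a scan is interrupted (Ctrl-C), and --no-state turns that off.
feroxbuster -u <url> --state-file /tmp/ferox_state.json
# Resume from state file
feroxbuster --resume-from /tmp/ferox_state.json
# Auto-save state every N seconds
# NOTE(review): --save-state likewise needs confirming against --help before relying on it
feroxbuster -u <url> --save-state
# The default state file is in current directory: ferox-http_target-TIMESTAMP.state
# A state file holds the scan configuration — including any -H/-b header and cookie values —
# so keep it out of shared, world-writable locations such as /tmp and remove it when the scan is done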
Auto-Tune & Smart Filtering
# Auto-tune: back off automatically when the target starts erroring (a sensible default for CTF boxes)
feroxbuster --url <url> --auto-tune
# Auto-bail: give up entirely once the error rate climbs too high
feroxbuster --url <url> --auto-bail
# Drop responses that resemble a known junk page (defeats wildcard / soft-404 handlers)
feroxbuster --url <url> --filter-similar-to http://<ip>/nonexistent_xyz123
# Both together
feroxbuster --url <url> --auto-tune --filter-similar-to <url>/xyz123abc
Common Patterns
# Quick web recon for HTB / CTF targets
feroxbuster --url <url> --wordlist /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
--extensions php,html,txt --depth 2 --threads 50 --filter-status 404 --output /tmp/ferox_<target>.txt
# Deep recursive scan of a PHP application, hits mirrored into Burp
feroxbuster --url <url> --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
--extensions php,html,txt,bak,zip --depth 3 --threads 30 --filter-status 404,500 \
--replay-proxy http://127.0.0.1:8080 --insecure
# API endpoint discovery: non-recursive, keep the codes an API is likely to answer with
feroxbuster --url <url>/api --wordlist /usr/share/seclists/Discovery/Web-Content/common.txt \
--status-codes 200,201,204,400,401,403,405 --threads 30 --no-recursion
# Hunt for backups, dumps and config leftovers
feroxbuster --url <url> --wordlist /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt \
--extensions bak,old,zip,sql,conf,env,log --status-codes 200 --filter-status 404 --threads 30
# Quiet output teed into a file for later grepping
feroxbuster --url <url> --quiet --filter-status 404 --wordlist <wordlist> | tee /tmp/ferox_output.txt
# Link extraction plus replay proxy
feroxbuster --url <url> --extract-links --replay-proxy http://127.0.0.1:8080 --insecure --filter-status 404 --depth 2