Lulzbuster - a tool for quickly searching for hidden files and folders on Websites.


Lulzbuster is a very fast and smart web directory and file enumeration tool. Lulzbuster is written in C. Almost every site has files and folders that no links lead to. Among them, very interesting ones may come across, for example, forgotten backup copies of a database or site, phpMyAdmin, entries in administrative panels, and other pages that are not intended for general access.

In this article we will learn how to use the Lulzbuster program, it is very fast, easy to use, and stably performs its function. Moreover, the program has such unique functions as the choice of the request method and the choice of the HTTP version.

How to install Lulzbuster

Install lulzbuster on Kali Linux

sudo apt-get install libcurl4 libcurl4-openssl-dev

git clone

cd lulzbuster

make lulzbuster

sudo make install

Install lulzbuster on BlackArch

sudo pacman -S lulzbuster

How to start a search for hidden files in lulzbuster

Please note: the program makes a lot of requests to the site and can cause a malfunction in its work (as it happens during a DoS attack), therefore, scan other people's sites only with the permission of their owner.

The program has only one required option -s after which you need to specify the target site:

lulzbuster -s <target website>

replace <target website> with your victim website.

The program will start by displaying its settings - many values ​​are set by default, but they can be changed with the options:


Then the program will start outputting data with the following columns:

  • code (HTTP response status code)
  • size (size of received data)
  • size real (actual size)
  • time's resp (response time)
  • URL (address of the found page)

By default, a medium-sized dictionary is used, and in total three dictionaries are supplied with the program:

  • big.txt (big)
  • medium.txt (medium)
  • small.txt (small)
On Kali Linux, these dictionaries are located in the following files:




To select any of these dictionaries, or your own, use the -w option, for example:

lulzbuster -s <target website> -w /usr/local/share/lulzbuster/lists big.txt

note: replace <target website> with your own testing website.

How to exclude responses with specific status codes

By default, links that returned the following HTTP response codes are not shown: 400,404,500,501,502,503 . You can change this list by adding or removing any codes. The -x option is used for this, the response codes themselves must be listed with a comma:

lulzbuster -s <target website> -x 400,404,500,501,502,503,403,405

How to save lulzbuster results to a file

By default, lulzbuster outputs information to standard error output (stderr). You can specify a file to save the results with the -l option :

lulzbuster -s <target website> -w /usr/local/share/lulzbuster/lists/small.txt -l ~/logs.txt

How to add an extension for scanned files

Using the -A <LINE> option, you can add any words separated by a comma (for example, /,.php,~bak ).

How to scan with lulzbuster through Tor

If not already done, install and start the Tor service :

sudo apt-get install tor

sudo systemctl start tor

Now, add -p socks5: // localhost: 9050 to your lulzbuster command, for example:

lulzbuster -s <target website> -p socks5://localhost:9050

Remember that some sites do not accept connections from Tor network IP addresses at all.

How to scan with lulzbuster through a proxy

Several types of proxies are supported. To see the available options, run the command:

lulzbuster -p ?

output example:

[+] available proxy schemes

  •     http
  •     https
  •     socks4
  •     socks4a
  •     socks5
  •     socks5h

For proxies, use the following options:

 -p <addr>      - proxy address (format: <scheme>://<host>:<port>) - ? to
                   list supported schemes

  -P <creds>     - proxy auth credentials (format: <user>:<pass>)

How to scan in lulzbuster if the certificate is invalid

It happens that the certificate is expired, or the IP address is scanned, in this case, web browsers show a warning, and lulzbuster stops the scan with an error:

[-] could not connect to:

To perform a scan even though the certificate is incorrect, use the -i option :

lulzbuster -s <target website> -i

Smart mode lulzbuster

Smart mode, which consists of skipping false positives, shows more information, etc., is enabled by the -S option :

lulzbuster -s <target website> -S

Use smart mode only if speed is not your top priority.

Change User Agent in lulzbuster

Lulzbuster already has a large list of user agents built-in. To list them, run the command:

lulzbuster -X

You can specify any User-Agent value using the -u <LINE> option

You can also use random User Agents from the built-in, for this, specify the -U option.

lulzbuster with Http authentication and header passing

It is possible to perform scans with lulzbuster with HTTP authentication or sending HTTP headers (for example, cookies). This can be done with the following options:

 -c <str>       - pass custom header(s) (e.g. 'Cookie: foo=bar; lol=lulz')

  -a <creds>     - http auth credentials (format: <user>:<pass>)

Scan speed and lulzbuster timeout

Using the -t <NUMBER> option, you can specify the number of threads that will be scanned.

The following timeout options are also available:

timeout options                                                                                       

  -D <num>       - num seconds for delay between requests (default: 0)

  -C <num>       - num seconds for connect timeout (default: 10)

  -R <num>       - num seconds for request timeout (default: 30)

  -T <num>       - num seconds to give up and exit lulzbuster completely

                   (default: none)

Scan by POST, HEAD, PUT, DELETE and others

By default, scanning is performed using the GET method, but you can select a different HTTP request method.

To list all available methods, run the command:

lulzbuster -h ?

Output example:

[+] available HTTP requests types
  •     HEAD
  •     GET
  •     POST
  •     PUT
  •     DELETE
  •     OPTIONS

The desired type of HTTP request is indicated by the -h <TYPE> option.

How to scan different versions of HTTP

The HTTP protocol has several versions and you can choose the one you want to use. To do this, use the option -j <NUMBER>.

To see the available versions of HTTP, run the command:

lulzbuster -j ?

Output example:

[+] available http versions

  •      1.0
  •      1.1
  •      2.0
  •      3.0


So lulzbuster is another great tool for pentester websites. A very fast and smart web-dir/file enumeration tool is written in C. Try this cool tool it works great.

Post a Comment

Previous Post Next Post