Advanced Web Directory & File Bruteforcer with Updated Wordlists (May 2026)
⚠️ Disclaimer
DarkBuster is intended for authorized security testing and educational purposes only. Always obtain explicit written permission before testing any system you do not own. Unauthorized use against systems you don't own is illegal and unethical. The author is not responsible for any misuse or damage caused by this tool.
🌟 Features
- ✅ Updated Wordlists — Curated and updated up to May 2026
- ✅ Multi-threaded — Fast scanning with configurable thread count
- ✅ Multiple Wordlists — Common, Admin panels, API endpoints, Backups, Technology-specific
- ✅ Extension Support — Append file extensions (.php, .html, .bak etc.)
- ✅ Color-coded Output — Easy to read results by status code
- ✅ Save Results — Export findings to file
- ✅ Custom Headers — User-agent, cookies support
- ✅ Progress Display — Real-time scan progress and ETA
- ✅ Safe & Stable — No crashes, handles all errors gracefully
- ✅ Easy to Use — Simple CLI interface for all skill levels
📦 Installation
Quick Install (Recommended)
```bash
# Clone the repository
git clone https://github.com/darkdisaster08/darkbuster.git
cd darkbuster

# Run installer
chmod +x install.sh
./install.sh
```
Manual Install
```bash
git clone https://github.com/darkdisaster08/darkbuster.git
cd darkbuster
pip3 install -r requirements.txt
python3 darkbuster.py --help
```
Kali Linux
```bash
git clone https://github.com/darkdisaster08/darkbuster.git
cd darkbuster
pip3 install requests
python3 darkbuster.py -u http://target.com
```
🚀 Usage
Basic Scan
```bash
python3 darkbuster.py -u http://target.com
```
Scan with Extensions
```bash
python3 darkbuster.py -u http://target.com -x .php,.html,.bak
```
Use Specific Wordlist
```bash
python3 darkbuster.py -u http://target.com -w admin-panels.txt
```
Fast Scan with More Threads
```bash
python3 darkbuster.py -u http://target.com -t 50
```
Save Results to File
```bash
python3 darkbuster.py -u http://target.com -o results.txt
```
HTTPS with Cookie
```bash
python3 darkbuster.py -u https://target.com --cookie "session=abc123"
```
Full Options
```bash
python3 darkbuster.py -u http://target.com -w common.txt -x .php,.html -t 30 -o output.txt
```
List All Available Wordlists
```bash
python3 darkbuster.py --list-wordlists
```
⚙️ Options
| Flag | Description | Default |
|---|---|---|
| `-u, --url` | Target URL | Required |
| `-w, --wordlist` | Wordlist file | common.txt |
| `-t, --threads` | Thread count | 20 |
| `-x, --extensions` | Extensions to test | None |
| `-o, --output` | Save results to file | None |
| `-s, --status` | Status codes to show | 200,301,302,307,401,403 |
| `--timeout` | Request timeout (seconds) | 5 |
| `--user-agent` | Custom User-Agent | DarkBuster/1.0 |
| `--cookie` | Cookie header | None |
| `--list-wordlists` | Show available wordlists | - |
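
From the defender's side, the defaults above are visible in web server access logs. The following added example (not part of DarkBuster; written for this page) parses constructed combined-format log lines and flags clients that send the default `DarkBuster/1.0` User-Agent or that request many distinct paths with mostly 401/403/404 responses. The function names and thresholds are assumptions.

```python
import re
from collections import defaultdict

def _line(ip, path, status, ua):
    # Build one constructed combined-log-format line (sample data, not real traffic).
    return f'{ip} - - [12/May/2026:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 0 "-" "{ua}"'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", p, s, "DarkBuster/1.0") for p, s in (("/admin", 200), ("/.env", 403))]
    + [_line("198.51.100.9", "/" + p, 404, "Mozilla/5.0")
       for p in ("backup.zip", "old", "test.php", "db.sql", "wp-admin", "api/v2")]
    + [_line("198.51.100.9", "/api/v1", 200, "Mozilla/5.0")]
    + [_line("192.0.2.4", p, 200, "Mozilla/5.0") for p in ("/", "/about", "/", "/news", "/contact", "/")]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def detect_scanners(log_text, min_paths=5, miss_ratio=0.6):
    """Return {client_ip: [reasons]} for clients that look like path enumeration."""
    stats = defaultdict(lambda: {"paths": set(), "total": 0, "miss": 0, "uas": set()})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore malformed lines instead of failing the whole run
        s = stats[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        s["uas"].add(m["ua"])
        if m["status"] in ("401", "403", "404"):
            s["miss"] += 1
    findings = {}
    for ip, s in stats.items():
        reasons = []
        # Signature check: the tool's default User-Agent from the options table.
        if any(ua.startswith("DarkBuster/") for ua in s["uas"]):
            reasons.append("default-user-agent")
        # Behavioural check: still fires when --user-agent has been changed.
        if len(s["paths"]) >= min_paths and s["miss"] / s["total"] >= miss_ratio:
            reasons.append("high-miss-ratio")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in sorted(detect_scanners(SAMPLE_LOG).items()):
        print(ip, ", ".join(reasons))
```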
📚 Wordlists
All wordlists are updated to May 2026 and carefully curated for real-world pentesting.
| Wordlist | Entries | Description |
|---|---|---|
| `common.txt` | 300+ | Most common web directories and files |
| `common-large.txt` | 1000+ | Extended discovery wordlist for deeper scans |
| `admin-panels.txt` | 110+ | Admin panel paths across major CMS platforms |
| `api-endpoints.txt` | 120+ | REST API, GraphQL, and common API endpoints |
| `backup-files.txt` | 130+ | Backup, archive, and sensitive file names |
| `subdomains.txt` | 100+ | Common subdomain names |
| `technology/wordpress.txt` | 40+ | WordPress specific paths |
| `technology/php.txt` | 60+ | PHP application files and endpoints |
| `technology/django.txt` | 20+ | Common Django framework paths |
| `technology/drupal.txt` | 20+ | Common Drupal CMS paths |
| `technology/laravel.txt` | 20+ | Laravel framework paths and files |
What Makes These Wordlists Different?
- ✅ Cleaned and deduplicated
- ✅ Organized by category with comments
- ✅ Includes modern framework paths (Laravel, Next.js, etc.)
- ✅ Includes API and GraphQL endpoints
- ✅ Updated with paths discovered in recent bug bounties (2024-2026)
- ✅ Technology-specific lists for targeted scanning
🎯 Example Output
```
[200] http://target.com/admin (Size: 4521)
[301] http://target.com/backup → http://target.com/backup/ (Size: 0)
[403] http://target.com/.env (Size: 0)
[200] http://target.com/api/v1 (Size: 1203)
[401] http://target.com/admin/dashboard (Size: 512)

[*] Scan Complete!
[*] Time Elapsed : 45.23 seconds
[*] Total Scanned : 1250
[*] Paths Found : 5
```
🛡️ Status Code Reference
| Code | Color | Meaning |
|---|---|---|
| 200 | 🟢 Green | Found — accessible |
| 301/302 | 🟡 Yellow | Redirect — worth checking |
| 401 | 🔵 Cyan | Unauthorized — exists but needs auth |
| 403 | 🔴 Red | Forbidden — exists but blocked |
🔧 Tips for Best Results
- Start with common.txt for a quick overview
- Add extensions relevant to the target stack: `-x .php,.html` for PHP apps
- Use admin-panels.txt specifically when looking for login pages
- Use api-endpoints.txt for API testing
- Increase threads (-t 50) on fast networks
- Save results (-o file.txt) for documentation
📁 Repository Structure
```
darkbuster/
├── darkbuster.py            # Main tool
├── requirements.txt         # Dependencies
├── install.sh               # Quick installer
├── README.md                # Documentation
└── wordlists/
    ├── common.txt           # General purpose
    ├── common-large.txt     # Extended discovery
    ├── admin-panels.txt     # Admin paths
    ├── api-endpoints.txt    # API endpoints
    ├── backup-files.txt     # Backup files
    ├── subdomains.txt       # Subdomain names
    └── technology/
        ├── django.txt       # Django paths
        ├── drupal.txt       # Drupal paths
        ├── laravel.txt      # Laravel paths
        ├── wordpress.txt    # WordPress paths
        └── php.txt          # PHP files
```
🤝 Contributing
Contributions are welcome! Especially:
- New wordlist entries (with source/justification)
- Bug fixes
- Feature improvements
- New technology-specific wordlists
Please open an issue or pull request on GitHub.
📜 License
MIT License — see LICENSE file for details.
👤 Author
Manjeet Thakur (darkdisaster08)
- GitHub: github.com/darkdisaster08
- LinkedIn: linkedin.com/in/manjeet-thakur-sec
⭐ Support
If DarkBuster helped you, please consider giving it a star ⭐ on GitHub!
For authorized security testing only. Use responsibly.