A blazing fast web directory scanner written in Rust. It's like dirsearch but faster and with less features.
Features
- Multi-threaded
- Recursive directory scanning
- Save progress to resume later
- Cherry-pick responses (filter by status code, length, etc.)
- Custom wordlists (merge multiple wordlists, filter out words, etc.)
- Write results to file (JSON, CSV, etc.)
- Configurable request parameters (headers, cookies, etc.)
- Request throttling
- Proxy support
From crates.io
Installation
Running
From source
Installation
Running
With just
With cargo
Usage
You can run rwalk --help to see the usage information:
Usage: rwalk [OPTIONS] <URL> <WORDLISTS>...
Arguments:
<URL> Target URL
<WORDLISTS>... Wordlist(s)
Options:
-t, --threads <THREADS> Number of threads to use
-d, --depth <DEPTH> Maximum depth to crawl [default: 1]
-o, --output <FILE> Output file
-T, --timeout <TIMEOUT> Request timeout in seconds [default: 10]
-u, --user-agent <USER_AGENT> User agent
-q, --quiet Quiet mode
-m, --method <METHOD> HTTP method [default: GET]
-d, --data <DATA> Data to send with the request
-H, --headers <key:value> Headers to send
-c, --cookies <key=value> Cookies to send
-R, --follow-redirects <COUNT> Follow redirects [default: 0]
--throttle <THROTTLE> Request throttling (requests per second) per thread [default: 0]
--no-color Don't use colors You can also set the NO_COLOR environment variable
-h, --help Print help
-V, --version Print version
Resume:
--resume Resume from a saved file
-f, --save-file <FILE> Custom save file [default: .rwalk.json]
--no-save Don't save the state in case you abort
Transformations:
-L, --transform-lower Wordlist to uppercase
-U, --transform-upper Wordlist to lowercase
-P, --transform-prefix <PREFIX> Append a prefix to each word
-S, --transform-suffix <SUFFIX> Append a suffix to each word
-C, --transform-capitalize Capitalize each word
Wordlist Filtering:
--wordlist-filter-contains <STRING>
Contains the specified string [aliases: wfc]
--wordlist-filter-starts-with <STRING>
Start with the specified string [aliases: wfs]
--wordlist-filter-ends-with <STRING>
End with the specified string [aliases: wfe]
--wordlist-filter-regex <REGEX>
Match the specified regex [aliases: wfr]
--wordlist-filter-length <RANGE>
Length range e.g.: 5, 5-10, 5,10,15, >5, <5 [aliases: wfl]
Response Filtering:
--filter-status-code <RANGE> Reponse status code, e.g.: 200, 200-300, 200,300,400, >200, <200 [aliases: fsc]
--filter-contains <STRING> Contains the specified string [aliases: fc]
--filter-starts-with <STRING> Start with the specified string [aliases: fs]
--filter-ends-with <STRING> End with the specified string [aliases: fe]
--filter-regex <REGEX> Match the specified regex [aliases: fr]
--filter-length <RANGE> Response length e.g.: 100, >100, <100, 100-200, 100,200,300 [aliases: fl]
--filter-time <RANGE> Response time range in milliseconds e.g.: >1000, <1000, 1000-2000 [aliases: ft]
Passing parameters as environment variables
You can pass parameters as environment variables. For example, to set the number of threads to 10:
THREADS=10
is equivalent to:
The env file located at ~/.config/rwalk/.env will be loaded automatically.
Inputting ranges
In some cases , you may want to input a <RANGE> of values.
You can use the following formats:
| Format | Description |
|---|---|
5 |
Exactly 5 |
5-10 |
Between 5 and 10 (inclusive) |
5,10 |
Exactly 5 or 10 |
>5 |
Greater than 5 |
<5 |
Less than 5 |
5,10,15 |
Exactly 5, 10, or 15 |
>5,10,15 |
Greater than 5, or exactly 10 or 15 |
5-10,15-20 |
Between 5 and 10 or between 15 and 20 (inclusive) |
Response Filtering
To cherry-pick the responses, you can use the --filter-* flags to filter specific responses. For example, to only show responses that contain admin:
or only requests that took more than 1 second:
Available filters:
--filter-starts-with<STRING>or--fs--filter-ends-with<STRING>or--fe--filter-contains<STRING>or--fc--filter-regex<REGEX>or--fr--filter-length<LENGTH>or--fl--filter-status-code<CODE>or--fsc
Wordlists
You can pass multiple wordlists to rwalk. For example:
rwalk will merge the wordlists and remove duplicates. You can also apply filters and transformations to the wordlists (see below).
[!NOTE] A checksum is computed for the wordlists and stored in case you abort the scan. If you resume the scan, rwalk will only load the wordlists if the checksums match. See Saving progress for more information.
Wordlist Filters
You can filter words from the wordlist by using the --wordlist-filter-* (--wf*) flags. For example, to only use words that start with admin:
Available filters:
--wordlist-filter-starts-with<STRING>or--wfs--wordlist-filter-ends-with<STRING>or--wfe--wordlist-filter-contains<STRING>or--wfc--wordlist-filter-regex<REGEX>or--wfr--wordlist-filter-length<LENGTH>or--wfl--wordlist-filter-min-length<LENGTH>or--wfm--wordlist-filter-max-length<LENGTH>or--wfx
Wordlist Transformations
To quickly modify the wordlist, you can use the --transform-* flags. For example, to add a prefix to all words in the wordlist:
Available transformations:
--transform-prefix<PREFIX>or-P--transform-suffix<SUFFIX>or-S--transform-upperor-U--transform-loweror-L--transform-capitalizeor-C
Interactive mode
You can use the --interactive (-i) flag to enter interactive mode. In this mode, you can set parameters one by one and run the scan when you're ready.
Available commands:
set <PARAM> <VALUE>: Set a parameterunset <PARAM>: Unset a parameterlist: Show the current parametersrun: Run the scanexit: Exit interactive modehelp: Show helpclear: Clear the screen
Output
By default, rwalk will print the results to the terminal. You can also save the results to a file with the --output (-o) flag:
Available output formats:
*.json*.csv*.md*.txt
Throttling
The throttling value will be multiplied by the number of threads. For example, if you have 10 threads and a throttling value of 5, the total number of requests per second will be 50.
Saving and resuming scans
By default, if you abort the scan with Ctrl + C, rwalk will save the progress to a file called .rwalk.json. You can resume the scan by running with --resume:
If you want to save the progress to a different file, you can use the --save-file flag:
# or
The auto-saving behavior can be disabled with --no-save.
Examples
Basic scan
Recursive scan
Warning: Recursive scans can take a long time and generate a lot of traffic. Use with caution.
Custom headers/cookies
Follow redirects
Request throttling
This will send 50 (5×10 threads) requests per second. See Throttling for more information.
Custom request body
FAQ
Where can I find wordlists?
Benchmarks
The following benchmarks were run on a 2023 MacBook Pro with an M3 Pro chip on a 10 Gbps connection via WiFi. The target was http://ffuf.me/cd/basic and the wordlist was common.txt.
Each tool was run 10 times with 100 threads. The results are below:
| Command | Mean [s] | Min [s] | Max [s] | Relative |
|---|---|---|---|---|
rwalk |
6.068 ± 0.146 | 5.869 | 6.318 | 1.15 ± 0.03 |
dirsearch |
14.263 ± 0.250 | 13.861 | 14.719 | 2.70 ± 0.07 |
ffuf |
5.285 ± 0.090 | 5.154 | 5.358 | 1.00 |
License
Licensed under the MIT License.