A blazing fast web directory scanner written in Rust. It's like dirsearch but faster and with fewer features.
Features
- Multi-threaded
- Recursive directory scanning
- Custom wordlists (merge multiple wordlists, filter out words, etc.)
- Write results to file (JSON, CSV, etc.)
- Configurable request parameters (headers, cookies, etc.)
- Save progress to resume later
- Request throttling
- Proxy support
From crates.io
Installation
Running
From source
Installation
Running
With just
With cargo
Usage
You can run rwalk --help to see the usage information:
Usage: rwalk [OPTIONS] <URL> <WORDLISTS>...

Arguments:
  <URL>           Target URL
  <WORDLISTS>...  Wordlist(s)

Options:
  -t, --threads <THREADS>
          Number of threads to use
  -d, --depth <DEPTH>
          Maximum depth to crawl [default: 1]
  -o, --output <OUTPUT>
          Output file
  -T, --timeout <TIMEOUT>
          Request timeout in seconds [default: 10]
  -u, --user-agent <USER_AGENT>
          User agent
  -q, --quiet
          Quiet mode
  -m, --method <METHOD>
          HTTP method [default: GET]
  -d, --data <DATA>
          Data to send with the request
  -H, --headers <key:value>
          Headers to send
  -c, --cookies <key=value>
          Cookies to send
  -I, --case-insensitive
          Case insensitive
  -F, --follow-redirects <FOLLOW_REDIRECTS>
          Follow redirects [default: 0]
  -R, --throttle <THROTTLE>
          Request throttling (requests per second) per thread [default: 0]
  -h, --help
          Print help
  -V, --version
          Print version
Wordlists
You can pass multiple wordlists to rwalk. For example:
rwalk will merge the wordlists and remove duplicates. You can also apply filters and transformations to the wordlists (see below).
Note: A checksum is computed for the wordlists and stored in case you abort the scan. If you resume the scan, rwalk will only load the wordlists if the checksums match. See Saving progress for more information.
Filters
You can filter out words from the wordlist by using the --filter-* flags. For example, to filter out all words that start with admin:
Available filters:
- --filter-starts-with <STRING>
- --filter-ends-with <STRING>
- --filter-contains <STRING>
- --filter-regex <REGEX>
- --filter-length <LENGTH>
- --filter-min-length <LENGTH>
- --filter-max-length <LENGTH>
Transformations
To quickly modify the wordlist, you can use the --transform-* flags. For example, to add a prefix to all words in the wordlist:
Available transformations:
- --transform-prefix <PREFIX>
- --transform-suffix <SUFFIX>
- --transform-upper
- --transform-lower
- --transform-capitalize
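The merge, filter, transform and checksum-on-resume behaviour described in the Wordlists, Filters and Transformations sections, sketched as an added example (this is not rwalk's own code). The FNV-1a checksum, the filter-before-transform order and the `SavedState` shape are assumptions; the page does not specify them.

```rust
use std::collections::HashSet;

// FNV-1a 64-bit as a stand-in checksum (assumption: the page does not name
// the algorithm rwalk uses). Each word is terminated so "ab","c" != "a","bc".
fn checksum(words: &[String]) -> u64 {
    let mut h: u64 = 0xcbf29ce484222325;
    for b in words.iter().flat_map(|w| w.bytes().chain(std::iter::once(b'\n'))) {
        h = (h ^ b as u64).wrapping_mul(0x100000001b3);
    }
    h
}

// Merge lists, skip blanks and duplicates, drop words starting with
// `drop_prefix`, then prepend `add_prefix`.
// Assumption: filters are applied before transformations.
fn build_wordlist(lists: &[&str], drop_prefix: Option<&str>, add_prefix: &str) -> Vec<String> {
    let mut seen = HashSet::new();
    lists
        .iter()
        .flat_map(|l| l.lines())
        .map(str::trim)
        .filter(|w| !w.is_empty() && !drop_prefix.map_or(false, |p| w.starts_with(p)))
        .filter(|w| seen.insert(*w))
        .map(|w| format!("{add_prefix}{w}"))
        .collect()
}

// Hypothetical saved-state shape; the real .rwalk.json schema is not on the page.
struct SavedState { wordlist_checksum: u64, next_index: usize }

// Resume only if the rebuilt wordlist is the one the scan started with;
// otherwise the saved position would index into different words.
fn resume_index(state: &SavedState, words: &[String]) -> Option<usize> {
    let ok = state.wordlist_checksum == checksum(words) && state.next_index <= words.len();
    ok.then_some(state.next_index)
}

fn main() {
    // Constructed sample wordlists.
    let (a, b) = ("admin\nlogin\napi\n", "api\nadmin-panel\nbackup\n");
    let words = build_wordlist(&[a, b], Some("admin"), "v1/");
    println!("merged: {words:?}");
    let state = SavedState { wordlist_checksum: checksum(&words), next_index: 2 };
    println!("same wordlists:    {:?}", resume_index(&state, &words));
    let changed = build_wordlist(&[a, b, "status\n"], Some("admin"), "v1/");
    println!("changed wordlists: {:?}", resume_index(&state, &changed));
}
```

Because the checksum covers the final word sequence, changing a wordlist, a filter or a transformation between runs invalidates the saved position in this sketch.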
Throttling
The throttling value will be multiplied by the number of threads. For example, if you have 10 threads and a throttling value of 5, the total number of requests per second will be 50.
Saving and resuming scans
By default, if you abort the scan with Ctrl + C, rwalk will save the progress to a file called .rwalk.json. You can resume the scan by running with --resume:
If you want to save the progress to a different file, you can use the --save-file flag:
The auto-saving behavior can be disabled with --no-save.
Examples
Basic scan
Recursive scan
Warning: Recursive scans can take a long time and generate a lot of traffic. Use with caution.
Custom headers/cookies
Follow redirects
Request throttling
This will send 50 (5×10 threads) requests per second. See Throttling for more information.
Benchmarks
The following benchmarks were run on a 2023 MacBook Pro with an M3 Pro chip on a 10 Gbps connection via WiFi. The target was http://ffuf.me/cd/basic and the wordlist was common.txt.
Each tool was run 10 times with 100 threads. The results are below:
| Command | Mean [s] | Min [s] | Max [s] | Relative |
|---|---|---|---|---|
| rwalk | 6.068 ± 0.146 | 5.869 | 6.318 | 1.15 ± 0.03 |
| dirsearch | 14.263 ± 0.250 | 13.861 | 14.719 | 2.70 ± 0.07 |
| ffuf | 5.285 ± 0.090 | 5.154 | 5.358 | 1.00 |
ffuf is the fastest tool... but not by much. rwalk is only 1.15x slower than ffuf and ~2.5x faster than dirsearch. Not bad for a first release!
License
Licensed under the MIT License.