Skip to content
Boxer: A fast directory bruteforce tool written in Python with concurrency.
Branch: master
Clone or download
Latest commit 06ef2c6 May 28, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Update May 27, 2019


Boxer is a directory bruteforcing tool. It was designed primarily for a red team and for a large network of systems to scan. Not only can it run a directory bruteforce, but it can save the results and allow you to query them locally or from a HTTPS server that Boxer provides.

(5/11/2019) Some testing has indicated results of finishing in roughly a fourth of the time as Gobuster on one URL with the same wordlist.

  • There is no recursion currently implemented. There is some code commented out to possibly allow this in the future.

Why another directory bruteforce tool?

  • I put this tool together to implement and work with OOP and polymorphism.
  • I also wanted to implement concurrency and coroutines.
  • This should aid in process improvements for my job.
  • As a security professional and hobbyist, I like putting helpful software together for this domain.


This code was created with Python 3.7.3. Other versions of Python 3 might also work.

Make sure to install all requirements:

$ pip3 install -r requirements.txt

Quick start

Run a scan:

$ python3 -u -w common.txt 

Run a scan and setup a database for persistent results:

$ python3 -u -w common.txt -d database

Run a scan with a 'urls.txt' file (with or without a database).

$ python3 -u urls.txt -w common.txt -d database

Query the local database for available urls:

$ python3 -urlsavailable -d database.json

Query the local database for the url's directories:

$ python3 -u -d database.json

Setup server to serve up the urls' database:

$ python3 -server -d database.json

Query the server for available urls:

$ python3 -urlsavailable -s

Query the server for the url's directories:

$ python3 -u -s


This code is licensed under the terms of the MIT License (see the file LICENSE).

You can’t perform that action at this time.