Path Enumeration
Discover existing files and directories of a web site based on wordlists.
Tip: if the website requires client certificate authentication, either pass the requests through a proxy (such as Burp or ZAP) or use dirb -E.
GoBuster
```shell
gobuster dir -k -l -e -r -u [URL] -w [/path/to/wordlist] -a 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' -o [/path/to/output/logfile]
```
Option | Description |
---|---|
-k | Skip SSL certificate verification |
-l | Include the length of the body in the output |
-e | Expanded mode, print full URLs |
-r | Follow redirects |
-a string | Set the User-Agent string (default: gobuster X.X.X) |
Use the following additional options when required:
Additional Option | Description |
---|---|
-s <list,of,status,codes> | Positive status codes (default: 200,204,301,302,307,401,403) |
-b <list,of,status,codes> | Negative status codes (overrides -s if set) |
-p http(s)://host:port | Proxy to use for requests |
-c string | Cookies to use for the requests |
-U string | Username for Basic Auth |
-P string | Password for Basic Auth |
Wfuzz
```shell
wfuzz -w </path/to/wordlist> -f [/path/to/output/logfile] -L -R1 --hc 404 [options] <URL>/FUZZ
```
Option | Description |
---|---|
--hc/hl/hw/hh N[,N]+ | Hide responses with the specified code/lines/words/chars |
--sc/sl/sw/sh N[,N]+ | Show responses with the specified code/lines/words/chars |
--ss/hs <regex> | Show/hide responses whose content matches the specified regex |
-L | Follow HTTP redirections |
-R <depth> | Recursive path discovery, where depth is the maximum recursion level |
The User-Agent string is configured in ~/.wfuzz/wfuzz.ini:
```ini
[connection]
user-agent = Wfuzz/2.3.4
```
Use the following additional options when required:
Additional Option | Description |
---|---|
--basic/ntlm/digest <user:pass> | Use HTTP authentication |
-b <cookie> | Specify cookies |
-H <header> | Specify additional headers (repeat for more than one) |
-X <method> | Specify HTTP method |
-d <data> | Specify POST data (e.g. id=FUZZ&catalogue=1) |
-p <ip:port:type> | Proxy to use for requests (type can be SOCKS4 or SOCKS5; HTTP if omitted) |
dirb
```shell
dirb <base URL> -o <output file>
```
Option | Description |
---|---|
-a | User-Agent string (default: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)) |
-r | Don't search recursively |
-R | Interactive recursion |
-E [cert.pem] | Use a client certificate to authenticate (base64-encoded PEM containing both the key and the certificate) |
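All three tools above share a traffic pattern that stands out in a web server's access log: one client, many distinct paths in a short window, and a large share of 404 responses, often under a tool default User-Agent such as gobuster X.X.X or Wfuzz/2.3.4 (or the MSIE 6.0 default of dirb). The script below is an added example, not code from this page or from any of the tools, and shows how a defender can pick such a client out of Combined Log Format lines. The log lines are constructed, the per-client thresholds are assumptions, and the User-Agent signatures come from the defaults listed in the tables above; note that the gobuster command on this page overrides its default User-Agent with a browser string, which is why the 404-ratio check is kept independent of the signature check.

```python
import re
from collections import defaultdict

# Constructed sample access log in Combined Log Format; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster 3.1.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster 3.1.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /config HTTP/1.1" 404 196 "-" "gobuster 3.1.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /login HTTP/1.1" 200 1840 "-" "gobuster 3.1.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster 3.1.0"
192.0.2.55 - - [10/Oct/2023:13:57:10 +0000] "GET /a HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko"
192.0.2.55 - - [10/Oct/2023:13:57:10 +0000] "GET /b HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko"
192.0.2.55 - - [10/Oct/2023:13:57:10 +0000] "GET /c HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko"
192.0.2.55 - - [10/Oct/2023:13:57:11 +0000] "GET /d HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko"
192.0.2.55 - - [10/Oct/2023:13:57:11 +0000] "GET /e HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko"
"""

# Combined Log Format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default User-Agent values of the tools documented on this page.
TOOL_UA_PREFIXES = ("gobuster", "wfuzz")
DIRB_DEFAULT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def is_tool_user_agent(ua):
    """True when the User-Agent is a known enumeration-tool default."""
    return ua.lower().startswith(TOOL_UA_PREFIXES) or ua == DIRB_DEFAULT_UA


def analyse(log_text, min_requests=5, min_miss_ratio=0.6):
    """Return {ip: finding} for clients whose traffic looks like wordlist-driven path enumeration.

    Thresholds are assumptions for the demo: a client is flagged when it either uses a
    tool default User-Agent or sends at least min_requests with a 404 share >= min_miss_ratio.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "uas": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed Combined Log Format line
        rec = per_ip[m["ip"]]
        rec["requests"] += 1
        rec["paths"].add(m["path"])
        rec["uas"].add(m["ua"])
        if m["status"] == "404":
            rec["not_found"] += 1

    findings = {}
    for ip, rec in per_ip.items():
        reasons = []
        if any(is_tool_user_agent(ua) for ua in rec["uas"]):
            reasons.append("tool-user-agent")
        if rec["requests"] >= min_requests and rec["not_found"] / rec["requests"] >= min_miss_ratio:
            reasons.append("high-404-ratio")
        if reasons:
            findings[ip] = {
                "requests": rec["requests"],
                "not_found": rec["not_found"],
                "distinct_paths": len(rec["paths"]),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```

In a real deployment the same logic belongs in a time-bucketed query (requests per client per minute) rather than over a whole file, and a 403/401 share is worth tracking alongside 404, since hits on protected paths are exactly what the -s/--sc options above are tuned to surface.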
Wordlists
The success of path enumeration depends entirely on the wordlist content, so choose it wisely.
General
These wordlists are good for almost any website no matter the technology being used.
SecLists/Discovery/Web-Content/quickhits.txt
SecLists/Discovery/Web-Content/common.txt
SecLists/Discovery/Web-Content/big.txt
SecLists/Discovery/Web-Content/raft-large-directories.txt
SecLists/Discovery/Web-Content/raft-large-files.txt
SecLists/Discovery/Web-Content/raft-large-words.txt
node-dirbuster/lists/directory-list-2.3-medium.txt
Use these to find backup files of interpreted languages (such as PHP), which reveal their source code:
PHP
SecLists/Discovery/Web-Content/Common-PHP-Filenames.txt
SecLists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
SecLists/Discovery/Web-Content/PHP.fuzz.txt
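Read from the other side, the PHP wordlists above describe what a defender should make sure is not sitting in the document root: editor and deployment leftovers such as config.php.bak or index.php~ that the server hands out as plain text instead of executing. The following script is an added example, not part of this page or of SecLists; it walks a document root and flags files that become server-side source once a single backup suffix is stripped. The backup-suffix and source-extension lists are assumptions, and the sample tree it builds is constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Extensions of server-side source that must never be served verbatim (assumed list).
SOURCE_EXTS = {".php", ".phtml", ".inc", ".jsp", ".asp", ".aspx", ".py", ".rb"}
# Suffixes that editors, deploy scripts and admins commonly leave behind (assumed list).
BACKUP_SUFFIXES = ("~", ".bak", ".old", ".orig", ".save", ".swp", ".copy", ".txt", ".tmp")


def backup_exposures(webroot):
    """Return sorted relative paths of files that look like backup copies of interpreted source.

    A file is flagged when removing one backup suffix leaves a name whose extension is in
    SOURCE_EXTS, e.g. config.php.bak, inc/db.php~, admin/.login.php.swp (vim swap file).
    """
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name
        for suffix in BACKUP_SUFFIXES:
            if name.endswith(suffix) and len(name) > len(suffix):
                base = name[: -len(suffix)]
                # Path(".login.php").suffix is ".php", so vim's dot-prefixed swap files are covered.
                if Path(base).suffix.lower() in SOURCE_EXTS:
                    hits.append(path.relative_to(root).as_posix())
                    break
    return sorted(hits)


def build_sample_webroot():
    """Create a constructed document root in a temp dir and return its Path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = [
        "index.php",               # live source, fine
        "config.php.bak",          # exposed backup
        "inc/db.php~",             # editor backup
        "admin/.login.php.swp",    # vim swap file
        "assets/style.css",        # static asset, fine
        "assets/style.css.bak",    # backup of a static file, no source exposure
        "readme.txt",              # ordinary text file, fine
        "legacy/old.php.txt",      # renamed source served as text
    ]
    for rel in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for hit in backup_exposures(sample):
        print("exposed source backup:", hit)
```

Run it against the real document root (backup_exposures("/var/www/html"), for instance) as part of a deploy check; anything it reports is either a file to delete or a reason to add a server rule that refuses to serve those suffixes.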