Path Enumeration

Discover existing files and directories of a web site based on wordlists.

Tip

The website requires client certificate authentication? Either pass the requests through a proxy (such as Burp or ZAP) or use dirb -E.

GoBuster

gobuster dir -k -l -e -r -u [URL] -w [/path/to/wordlist] -a 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' -o [/path/to/output/logfile]
Option Description
-k Skip SSL certificate verification
-l Include the length of the body in the output
-e Expanded mode, print full URLs
-r Follow redirects
-a string Set the User-Agent string (default gobuster X.X.X)

Use the following additional options when required:

Additional Option Description
-s <list,of,status,codes> Positive status code (default: 200,204,301,302,307,401,403)
-b <list,of,status,codes> Negative status code (overrides -s if set)
-p http(s)://host:port Proxy to use for requests
-c string Cookies to use for the requests
-U string Username for Basic Auth
-P string Password for Basic Auth

Wfuzz

wfuzz -w </path/to/wordlist> -f [/path/to/output/logfile] -L -R1 --hc 404 [options] <URL>/FUZZ
Option Description
--hc/hl/hw/hh N[,N]+ Hide responses with the specified code/lines/words/chars
--sc/sl/sw/sh N[,N]+ Show responses with the specified code/lines/words/chars
--ss/hs <regex> Show/hide responses with the specified regex within the content
-L Follow HTTP redirections
-R <depth> Recursive path discovery being depth the maximum recursion level

The User-Agent string is configured in ~/.wfuzz/wfuzz.ini:

[connection]
user-agent = Wfuzz/2.3.4

Use the following additional options when required:

Additional Option Description
--basic/ntlm/digest <user:pass> Use HTTP authentication
-b <cookie> Specify cookies
-H <header> Specify additional headers (repeat for more than one)
-X <method> Specify HTTP method
-d <data> Specify POST data (i.e. id=FUZZ&catalogue=1)
-p <ip:port:type> Proxy to use for requests (type could be SOCKS4,SOCKS5 or HTTP if omitted)

dirb

dirb <base URL> -o <output file>
Option Description
-a User-Agent string (default is Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))
-r Don’t search recursively
-R Interactive recursion
-E [cert.pem] Use a client certificate to authenticate (base64 with both key and cert)

Wordlists

Success of path enumeration only depends on the wordlist content, choose it wisely.

General

These wordlists are good for almost any website no matter the technology being used.

Use these to find backup files for interpreted languages (s.a. PHP) in order to reveal their source code:

PHP