Path Enumeration

Discover existing files and directories of a web site based on wordlists.

GoBuster

gobuster -k -l -e -r -u [URL] -w [/path/to/wordlist] -a 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' -o [/path/to/output/logfile]
Option Description
-k Skip SSL certificate verification
-l Include the length of the body in the output
-e Expanded mode, print full URLs
-r Follow redirects
-a string Set the User-Agent string (default gobuster X.X.X)

Use the following additional options when required:

Additional Option Description
-p http(s)://host:port Proxy to use for requests
-c string Cookies to use for the requests
-U string Username for Basic Auth
-P string Password for Basic Auth

The website requires client certificate authentication? Either pass the requests through a proxy (such as Burp or ZAP) or use dirb -E.

dirb

dirb <base URL> -o <output file>
Option Description
-a User-Agent string (default is Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))
-r Don’t search recursively
-R Interactive recursion
-E [cert.pem] Use a client certificate to authenticate (base64 with both key and cert)

Prefer GoBuster over dirb when possible as the later is quite slower.

Wordlists

Success of path enumeration only depends on the wordlist content, choose it carefully.

Wordlist Description
/usr/share/dirb/wordlists/common.txt Very small (~4600) but find most common files and directories
/usr/share/dirb/wordlists/big.txt Large (~20500)
github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content Many wordlists dedicated to specific applications