🌐 Web Enumeration
Web application reconnaissance and content discovery.
INITIAL WEB RECON
Browse manually in browser
Look at the site. Read it. Click around. — Context before tools
http://$IP
https://$IP
http://$IP:8080
Example Output
See a login page, CMS, or custom app
Check footer: 'Powered by WordPress 5.8'
Check URLs: /index.php?page=about (LFI candidate)
Check page source (Ctrl+U)
Comments, hidden fields, JS files, API endpoints — Devs leave secrets in comments
View source on every page
Example Output
<!-- TODO: remove debug credentials -->
<!-- admin:Passw0rd123 -->
<script src='/api/v1/config.js'></script>
<input type='hidden' name='debug' value='true'>
Check robots.txt
Disallowed paths — Paths they don't want indexed
curl http://$IP/robots.txt
Example Output
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /internal/
Disallow: /wp-admin/
(Now you know hidden paths exist)
Check sitemap.xml
Site structure — Hidden pages and directories
curl http://$IP/sitemap.xml
Example Output
curl http://10.10.10.5/sitemap.xml
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url><loc>http://10.10.10.5/internal-dashboard/</loc></url>
<url><loc>http://10.10.10.5/api/v2/users/</loc></url>
<url><loc>http://10.10.10.5/old-admin/</loc></url>
</urlset>
(Hidden paths revealed)
Check security.txt
Security contact info — Confirms the canonical domain and email format, sometimes links a policy or bug-bounty page; it does not describe the tech stack
curl http://$IP/.well-known/security.txt
Example Output
curl http://10.10.10.5/.well-known/security.txt
Contact: security@corp.local
Preferred-Languages: en
Canonical: https://corp.local/.well-known/security.txt
(Confirms domain, may reveal email format)
Identify technology stack
CMS, framework, language, server — Guides your attack approach
whatweb http://$IP
wappalyzer (browser extension)
Example Output
whatweb http://10.10.10.5
http://10.10.10.5 [200 OK]
Apache[2.4.29], PHP[7.2.10],
WordPress[5.8], jQuery[3.6.0],
Country[US]
Check HTTP headers
Server, X-Powered-By, cookies — Version info, security headers
curl -I http://$IP
Example Output
HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.10
Set-Cookie: PHPSESSID=abc123
(Versions exposed = search for CVEs)
Check SSL/TLS cert
Certificate details — Hostnames (CN and SAN), org info, valid dates. s_client on its own blocks waiting on stdin and only prints the subject, so feed it /dev/null and pipe the cert through x509 (-ext needs OpenSSL 1.1.1+; add -servername <host> once you know a hostname, for SNI)
openssl s_client -connect $IP:443 </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
Example Output
openssl s_client -connect 10.10.10.5:443 </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
subject=CN = dev.corp.local
X509v3 Subject Alternative Name:
    DNS:dev.corp.local, DNS:staging.corp.local
(Found additional hostnames to add to /etc/hosts)
Add hostname to /etc/hosts
If you discover a hostname — Virtual host routing
echo "$IP hostname.htb" | sudo tee -a /etc/hosts
(Double quotes so $IP expands; single quotes would write the literal string. Writing /etc/hosts needs root.)
Example Output
echo "10.10.10.5 target.htb dev.target.htb" | sudo tee -a /etc/hosts
curl http://target.htb -> 'Welcome to Our App'
curl http://10.10.10.5 -> 'Apache Default Page'
(Different content = virtual hosting confirmed)
Screenshot all web ports
Visual record — Quick reference for reporting
gowitness single http://$IP
Example Output
gowitness single http://10.10.10.5
gowitness single https://10.10.10.5
gowitness single http://10.10.10.5:8080
(Visual screenshots saved for reference and reporting)
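The passive checks above (robots.txt, sitemap.xml, response headers, cookies) each produce text you end up parsing by eye. The script below is an added example, not code from the original cheat sheet: it parses those sources into a path list for the directory scanners in the next section and into technology hints. The sample robots.txt, sitemap and response headers are constructed for the demo, and the function names (robots_paths, sitemap_paths, header_versions, cookie_tech, recon_target) are ours.

```shell
#!/bin/sh
# Added example, not code from the original cheat sheet: parse the passive recon
# sources above (robots.txt, sitemap.xml, response headers) into a candidate path
# list and technology hints. Sample inputs are constructed; function names are ours.

ROBOTS_SAMPLE='User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/
Disallow: /admin/
Sitemap: http://corp.local/sitemap.xml'

SITEMAP_SAMPLE='<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url><loc>http://corp.local/internal-dashboard/</loc></url>
<url><loc>http://corp.local/api/v2/users/</loc></url>
</urlset>'

# Constructed raw response; real headers end lines with CRLF, so build it with printf.
HEADERS_SAMPLE=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nX-Powered-By: PHP/7.2.10\r\nSet-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\nSet-Cookie: laravel_session=xyz; path=/\r\n\r\n')

# Paths named in Allow:/Disallow: lines, deduplicated. A Disallow is a hint that the
# path exists, not that it is access-controlled.
robots_paths() {
  printf '%s\n' "$1" | tr -d '\r' \
    | grep -iE '^(dis)?allow:' \
    | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]+$//' \
    | grep -v '^$' | sort -u
}

# Paths from <loc> entries, with scheme and host stripped so the list can be fed
# straight into a directory scanner.
sitemap_paths() {
  printf '%s\n' "$1" | tr -d '\r\n' \
    | grep -oE '<loc>[^<]+</loc>' \
    | sed -E 's#</?loc>##g; s#^[a-z]+://[^/]+##' \
    | sort -u
}

# Version-bearing response headers (the ones worth a CVE search).
header_versions() {
  printf '%s\n' "$1" | tr -d '\r' \
    | grep -iE '^(server|x-powered-by|x-aspnet-version|x-aspnetmvc-version|x-generator):'
}

# Session cookie names fingerprint the stack even when Server/X-Powered-By are stripped.
cookie_tech() {
  printf '%s\n' "$1" | tr -d '\r' \
    | grep -i '^set-cookie:' \
    | sed -E 's/^[^:]*:[[:space:]]*([^=;[:space:]]+).*/\1/' \
    | while read -r name; do
        case "$name" in
          PHPSESSID)                       echo "$name -> PHP" ;;
          JSESSIONID)                      echo "$name -> Java servlet container" ;;
          ASP.NET_SessionId|ASPSESSIONID*) echo "$name -> ASP.NET" ;;
          CFID|CFTOKEN)                    echo "$name -> ColdFusion" ;;
          laravel_session)                 echo "$name -> Laravel" ;;
          _*_session)                      echo "$name -> Rails/Rack" ;;
          *)                               echo "$name -> unknown" ;;
        esac
      done
}

# Live use against a base URL, e.g. recon_target http://10.10.10.5 (not run offline).
# -D - -o /dev/null dumps the headers of a GET, so they match what a browser gets
# (some apps answer HEAD with 405 or with different headers).
recon_target() {
  base="$1"
  echo "[*] robots.txt paths";  robots_paths  "$(curl -s "$base/robots.txt")"
  echo "[*] sitemap.xml paths"; sitemap_paths "$(curl -s "$base/sitemap.xml")"
  hdrs=$(curl -s -D - -o /dev/null "$base/")
  echo "[*] version headers";   header_versions "$hdrs"
  echo "[*] cookie hints";      cookie_tech "$hdrs"
}
```

Run `recon_target http://$IP` once hostnames are in /etc/hosts; the path lists it prints are a good seed wordlist for the gobuster/ffuf runs that follow, and the cookie hint is worth keeping when Server and X-Powered-By have been removed by a hardening guide.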
DIRECTORY / FILE DISCOVERY
Gobuster directory scan
Main directory brute force — Find hidden directories
gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt
Example Output
=======================================
/admin (Status: 301)
/uploads (Status: 301)
/backup (Status: 301)
/config (Status: 403)
/phpmyadmin (Status: 200)
/api (Status: 200)
Gobuster with extensions
Find files with extensions — php/txt/bak files are gold
gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,bak,old,conf,zip -o gobuster_ext.txt
Example Output
/config.php.bak (Status: 200) <- backup config!
/notes.txt (Status: 200) <- dev notes
/shell.php (Status: 200) <- existing shell?
/database.sql (Status: 200) <- DB dump
Feroxbuster (recursive)
Recursive scanning — Finds nested directories
feroxbuster -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
Example Output
feroxbuster -u http://10.10.10.5
200 GET /admin/
200 GET /admin/config/
200 GET /admin/config/database.yml <- nested find!
301 GET /backup/
200 GET /backup/site_2024.zip
Scan discovered directories
Enumerate inside each dir found — Go deeper
gobuster dir -u http://$IP/<found_dir> -w <wordlist> -x php,txt
Example Output
gobuster dir -u http://10.10.10.5/admin -w wordlist.txt -x php
/admin/login.php (Status: 200)
/admin/config.php (Status: 200)
/admin/uploads/ (Status: 301)
/admin/backup.php (Status: 200)
Virtual host / subdomain scan
Find virtual hosts — Different sites on same server
gobuster vhost -u http://<domain> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
Example Output
Found: dev.domain.htb (Status: 200) [Size: 5432]
Found: staging.domain.htb (Status: 200) [Size: 1234]
Found: admin.domain.htb (Status: 302) [Size: 0]
(Add each to /etc/hosts and browse)
FFUF for fuzzing
Fast fuzzer — Flexible filtering
ffuf -u http://$IP/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -mc 200,301,302
Example Output
ffuf -u http://10.10.10.5/FUZZ -w wordlist.txt -mc 200,301
admin [Status: 301, Size: 312]
backup [Status: 301, Size: 314]
api [Status: 200, Size: 1543]
.env [Status: 200, Size: 256]
Check for common files
Manual checks for sensitive files — Backup configs, git repos, env files
curl http://$IP/wp-config.php.bak
curl http://$IP/.git/HEAD
curl http://$IP/.env
curl http://$IP/web.config
curl http://$IP/config.php
Example Output
curl http://10.10.10.5/.git/HEAD
ref: refs/heads/master
(GIT REPO EXPOSED! Use git-dumper)
curl http://10.10.10.5/.env
DB_PASSWORD=s3cretDBp@ss
APP_KEY=base64:abc123...
Nikto web scanner
Vulnerability scanner — Quick scan for known issues
nikto -h http://$IP
Example Output
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The X-Content-Type-Options header is not set
+ /config.php: PHP Config file found
+ /backup/: Directory indexing found
+ OSVDB-3233: /icons/README: Apache default file found
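The follow-up steps in this section (recurse into every directory found, hunt for backup copies of every file found, check for directory indexing) are usually done by hand from a gobuster listing. The script below is an added example, not code from the original cheat sheet: it parses a gobuster "dir" result into the directories worth recursing into, generates the backup and editor-leftover names to try for each discovered file, and flags open directory indexes. The gobuster output is constructed, and the function names (gobuster_paths, next_dirs, backup_variants, is_dir_listing, followup_scan) are ours.

```shell
#!/bin/sh
# Added example, not code from the original cheat sheet: turn a first-pass gobuster
# result into the follow-up work described above (recurse into directories, try
# backup names next to each file, spot open directory indexes). The gobuster output
# below is constructed; function names are ours.

GOBUSTER_SAMPLE='/admin                (Status: 301) [Size: 312] [--> http://10.10.10.5/admin/]
/uploads              (Status: 301) [Size: 314] [--> http://10.10.10.5/uploads/]
/config               (Status: 403) [Size: 277]
/phpmyadmin           (Status: 200) [Size: 1543]
/config.php.bak       (Status: 200) [Size: 856]
/notes.txt            (Status: 200) [Size: 120]'

# Paths from gobuster "dir" output whose status matches the ERE in $2, e.g. '200|301'.
gobuster_paths() {
  printf '%s\n' "$1" \
    | grep -E "\(Status: ($2)\)" \
    | sed -E 's/^[[:space:]]*([^[:space:]]+).*/\1/'
}

# A 301 to the same path plus a trailing slash is how Apache and nginx answer for a
# real directory; those (minus anything with an extension) are what to recurse into.
next_dirs() {
  gobuster_paths "$1" '301' | grep -v '\.'
}

# Backup and editor-leftover names for one discovered file, in the order worth trying.
backup_variants() {
  p="$1"
  case "$p" in */*) ;; *) p="/$p" ;; esac   # accept "config.php" as well as "/config.php"
  dir="${p%/*}"; base="${p##*/}"
  for v in "$base.bak" "$base.old" "$base.orig" "$base.save" "$base~" ".$base.swp" \
           "${base%.*}.bak" "$base.txt"; do
    printf '%s/%s\n' "$dir" "$v"
  done | awk '!seen[$0]++'
}

# True when a response body is an auto-generated directory index (Apache, nginx, IIS).
is_dir_listing() {
  printf '%s\n' "$1" | grep -qiE '<title>Index of /|Parent Directory|\[To Parent Directory\]'
}

# Live use (not run offline):
#   followup_scan http://10.10.10.5 gobuster.txt /usr/share/wordlists/dirb/common.txt
followup_scan() {
  base="$1"; out="$2"; wl="$3"
  next_dirs "$(cat "$out")" | while read -r d; do
    is_dir_listing "$(curl -s "$base$d/")" && echo "[+] open directory index: $base$d/"
    gobuster dir -u "$base$d/" -w "$wl" -x php,txt,bak -q \
      -o "gobuster_$(printf '%s' "$d" | tr '/' '_').txt"
  done
  gobuster_paths "$(cat "$out")" '200' | grep '\.' | while read -r f; do
    backup_variants "$f" | while read -r b; do
      code=$(curl -s -o /dev/null -w '%{http_code}' "$base$b")
      [ "$code" = 200 ] && echo "[+] $base$b"
    done
  done
}
```

The 403 entries are deliberately left out of next_dirs: a 403 on /config usually means the directory exists but indexing is denied, so it still deserves a scan with file extensions (config.php, config.php.bak) rather than being dropped.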
CMS DETECTION & ENUMERATION
WordPress scan
Plugins, themes, users — WP is full of vuln plugins
wpscan --url http://$IP --enumerate ap,at,u --api-token <token>
Example Output
wpscan output:
[+] WordPress version 5.8 identified
[!] 3 vulnerabilities identified
[+] Plugin: wp-file-manager 6.8
| [!] CVE-2020-25213 - Unauthenticated RCE
[+] Users found: admin, editor
WordPress user enum
Find usernames — Then brute force wp-login
wpscan --url http://$IP --enumerate u
Example Output
wpscan --url http://10.10.10.5 --enumerate u
[+] admin
| Found By: Author Posts
[+] editor
| Found By: Wp Json Api
(Now brute force these usernames)
WordPress brute force
Login brute force — Weak admin passwords
wpscan --url http://$IP --usernames <user> --passwords /usr/share/wordlists/rockyou.txt
Example Output
wpscan --url http://10.10.10.5 --usernames admin --passwords rockyou.txt
[+] Performing password attack on Xmlrpc against 1 user(s)
[SUCCESS] - admin / sunshine1
(Login at /wp-admin with admin:sunshine1)
Joomla scan
Joomla enumeration — Version, plugins, vulns
joomscan -u http://$IP
Example Output
[+] Joomla 3.7.0
[++] Joomla 3.7.0 - SQL Injection
CVE: CVE-2017-8917
URL: /index.php?option=com_fields&view=fields&layout=modal
Drupal scan
Drupal enumeration — Drupalgeddon exploits
droopescan scan drupal -u http://$IP
Example Output
droopescan scan drupal -u http://10.10.10.5
[+] Version: 7.54
[+] Plugins: php_filter, views
[!] Drupal < 7.58 - Drupalgeddon2 (CVE-2018-7600)
(Unauthenticated RCE if vulnerable)
Check /wp-admin, /administrator, /admin
Manual CMS detection — Find login panels
Browse to common admin paths
Example Output
http://10.10.10.5/wp-admin -> WordPress login
http://10.10.10.5/administrator -> Joomla login
http://10.10.10.5/admin -> Custom admin panel
(Found login page = try defaults, SQLi, brute force)
Check CMS version
Exact version for exploit search — Version-specific exploits
View source for generator meta tag
curl http://$IP/readme.html
curl http://$IP/CHANGELOG.txt
Example Output
View source: <meta name='generator' content='WordPress 5.8'/>
curl http://10.10.10.5/readme.html -> WordPress 5.8
curl http://10.10.10.5/CHANGELOG.txt -> Drupal 7.54
(Exact version for exploit search)
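The manual CMS checks above (generator meta tag, then the readme/CHANGELOG files for an exact version) chain together naturally. The script below is an added example, not code from the original cheat sheet: it fingerprints the CMS from a page body, using the generator tag first and the asset paths each CMS ships with as a fallback when the tag has been removed, then lists the version-disclosure files worth fetching for that CMS. The HTML samples are constructed, and the function names (cms_fingerprint, version_sources, cms_recon) are ours.

```shell
#!/bin/sh
# Added example, not code from the original cheat sheet: fingerprint the CMS from a
# page body (generator tag first, asset paths as fallback when the tag was removed)
# and list the version-disclosure files worth fetching for it. The HTML samples are
# constructed; function names are ours.

WP_SAMPLE='<html><head><meta name="generator" content="WordPress 5.8" />
<script src="/wp-content/themes/twentytwentyone/app.js"></script></head></html>'
DRUPAL_SAMPLE="<html><head><meta content='Drupal 7 (http://drupal.org)' name='Generator' /></head></html>"
JOOMLA_SAMPLE='<html><head><meta name="generator" content="Joomla! - Open Source Content Management" />
<script src="/media/jui/js/jquery.min.js"></script></head></html>'
STRIPPED_WP_SAMPLE='<html><head><link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css"></head></html>'

# Prints "<cms>:<version>", with "unknown" for either part it cannot determine.
cms_fingerprint() {
  # one line, lower case, single quotes folded to double quotes, so the greps stay simple
  norm=$(printf '%s\n' "$1" | tr -d '\r\n' | tr 'A-Z' 'a-z' | tr "'" '"')
  gen=$(printf '%s\n' "$norm" | grep -oE '<meta[^>]*>' | grep 'name="generator"' \
        | grep -oE 'content="[^"]*"' | head -n 1 | sed -E 's/^content="//; s/"$//')
  case "$gen" in
    wordpress*) cms=wordpress ;;
    joomla*)    cms=joomla ;;
    drupal*)    cms=drupal ;;
    *)          cms="" ;;
  esac
  if [ -n "$cms" ]; then
    # Joomla's generator tag carries no version, so this stays "unknown" for it
    ver=$(printf '%s\n' "$gen" | grep -oE '[0-9]+(\.[0-9]+)*' | head -n 1)
    echo "$cms:${ver:-unknown}"
    return 0
  fi
  # generator tag removed: fall back to asset paths that each CMS ships with
  case "$norm" in
    *wp-content/*|*wp-includes/*)                               echo "wordpress:unknown" ;;
    */media/jui/*|*/components/com_*|*/media/system/js/*)       echo "joomla:unknown" ;;
    *drupal.settings*|*sites/default/files/*|*/misc/drupal.js*) echo "drupal:unknown" ;;
    *)                                                          echo "unknown:unknown" ;;
  esac
}

# Files that commonly leak the exact version; not every install leaves them readable.
version_sources() {
  case "$1" in
    wordpress) printf '%s\n' /readme.html /wp-links-opml.php /feed/ ;;
    joomla)    printf '%s\n' /administrator/manifests/files/joomla.xml /language/en-GB/en-GB.xml ;;
    drupal)    printf '%s\n' /CHANGELOG.txt /core/CHANGELOG.txt ;;
    *)         return 1 ;;
  esac
}

# Live use: cms_recon http://10.10.10.5 (not run offline)
cms_recon() {
  base="$1"
  fp=$(cms_fingerprint "$(curl -s "$base/")")
  echo "[*] fingerprint: $fp"
  version_sources "${fp%%:*}" | while read -r p; do
    hit=$(curl -s "$base$p" \
      | grep -oiE '(wordpress|joomla|drupal)[^0-9<]{0,40}[0-9]+(\.[0-9]+)+|<version>[0-9.]+</version>|\?v=[0-9.]+' \
      | head -n 1)
    [ -n "$hit" ] && echo "[+] $base$p -> $hit"
  done
}
```

A generator tag is the quickest answer but also the easiest thing for an admin to strip, which is why the path fallback exists; the version files are what you reach for when the fingerprint comes back as "wordpress:unknown".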