2. Directory Enumeration and Brute Forcing
With this technique we find folders or locations that might be hidden from the public, or gather bulk information about how the website is structured.
We can start with an nmap scan to see what is open for the web.
Tools
1. FFUF
ffuf is a directory brute-force tool.
Example of non-recursive usage:
ffuf -w "wordlistlocation":FUZZ -u "link"
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://10.0.0.10/FUZZ
Useful stuff:
-recursion: to scan recursively
-recursion-depth: to set how many sub-folders we go into
-fc: to filter HTTP status codes out of the responses shown
2. Dirb
Another directory brute-force tool, built into Kali.
Dirb comes more or less preconfigured.
Example of usage (recursive by default):
dirb "link"
3. Dirbuster
A more old-school tool with a GUI. It is very nicely made.
NOTE: It's very important to keep in mind that we focus on methodology more than on the tool itself. We need to figure out which tools we like.
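Added example (not part of the original notes): what a wordlist scan like the ones above looks like from the server side. A filter such as -fc only hides responses in the tool's output, so every miss still lands in the access log, and a burst of distinct 404 paths from one client stands out. The log format (common/combined), the IPs, the paths and the thresholds are assumptions made up for this sketch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# client IP, timestamp, request path, status code of a common/combined log line
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

def find_enumerators(lines, window=timedelta(seconds=10), min_misses=5):
    """Return {ip: peak count of distinct 404 paths inside one window}
    for every client whose peak reaches min_misses. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> (time, path) of 404s still in the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(4) != "404":
            continue              # unparseable line, or not a miss
        ip, ts, path = m.group(1), m.group(2), m.group(3)
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append((when, path))
        while when - q[0][0] > window:
            q.popleft()           # drop misses older than the window
        peak[ip] = max(peak[ip], len({p for _, p in q}))
    return {ip: n for ip, n in peak.items() if n >= min_misses}

def sample_log():
    """Constructed log: one scanner-like client, one ordinary visitor."""
    words = ["admin", "backup", "cgi-bin", "images", "login", "old", "test", "uploads"]
    hits = {"images": 301, "login": 200}      # paths that exist on the server
    out = []
    for i, w in enumerate(words):             # two requests per second
        out.append('10.0.0.66 - - [10/Oct/2023:01:50:%02d +0000] "GET /%s HTTP/1.1" %d 153'
                   % (i // 2, w, hits.get(w, 404)))
    visits = [("/", 200), ("/login", 200), ("/favicon.ico", 404)]
    for minute, (path, code) in enumerate(visits):   # one request per minute
        out.append('10.0.0.20 - - [10/Oct/2023:01:%02d:00 +0000] "GET %s HTTP/1.1" %d 153'
                   % (51 + minute, path, code))
    return out

if __name__ == "__main__":
    for ip, n in find_enumerators(sample_log()).items():
        print(f"{ip}: {n} distinct 404 paths within 10s")
```

A slow or throttled scan stays under a short window, so on real logs the window and threshold need tuning against normal traffic.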