Web Enumeration

Identifying security weaknesses and CVEs

Directory & File Bruteforcing

Directory bruteforcing discovers hidden files and directories by sending requests from a wordlist and analyzing responses.

Gobuster

Basic directory bruteforcing:

gobuster dir -u http://$RHOST -w /usr/share/wordlists/dirb/common.txt

Common options:

gobuster dir -u http://$RHOST -e -r -w wordlist.txt -x html,htm,asp,aspx,cgi,php,txt,zip,bak -t 50
  • -e Expanded mode: shows full URL
  • -r Follow redirects
  • -w wordlist
  • -x file extensions to use
  • -t threads
  • -k Skip SSL certificate verification
  • -s Status codes to include (default: 200,204,301,302,307,401,403)
  • -b Status codes to exclude (blacklist)

With authentication:

gobuster dir -u http://$RHOST -w wordlist.txt -U admin -P password

Ffuf

Fast web fuzzer written in Go.

Directory bruteforcing:

ffuf -u http://$RHOST/FUZZ -w wordlist.txt
ffuf -u http://$RHOST/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak

Multiple filters:

ffuf -u http://$RHOST/FUZZ -w wordlist.txt -fs 100,200 -fc 403,404
  • -fs Filter by response size
  • -fc Filter by response code

Dirb

Classic directory bruteforcing tool:

dirb http://$RHOST
dirb http://$RHOST /usr/share/wordlists/dirb/common.txt
dirb http://$RHOST -X .php,.html
dirb http://$RHOST -a "User-Agent: Custom"

Virtual Host Discovery

Virtual host discovery identifies additional websites hosted on the same IP by fuzzing the Host header.

Gobuster VHOST Mode

gobuster vhost -u http://$RHOST -w vhosts.txt --append-domain

Ffuf

Fast fuzzing for host header testing:

ffuf -u http://$RHOST -H "Host: FUZZ.$RDOMAIN.com" -w vhosts.txt

Filter responses by size:

ffuf -u http://$RHOST -H "Host: FUZZ.$RDOMAIN.com" -w vhosts.txt -fs 4242

Filter by status code:

ffuf -u http://$RHOST -H "Host: FUZZ.$RDOMAIN.com" -w vhosts.txt -fc 404

Manual Host Header Testing

HTTP:

curl -H "Host: admin.target.com" http://$RHOST

When HTTPS is used (--resolve keeps the TLS SNI and the Host header consistent with the name being tested, which a plain -H "Host:" override does not):

curl --resolve admin.$RDOMAIN.com:443:$RHOST https://admin.$RDOMAIN.com

API Endpoint Discovery

API Fuzzing with Ffuf

ffuf -u http://$RHOST/api/FUZZ -w api-endpoints.txt
ffuf -u http://$RHOST/api/v1/FUZZ -w api-endpoints.txt -X POST

GraphQL Introspection

curl -X POST http://$RHOST/graphql -H "Content-Type: application/json" -d '{"query":"{__schema{types{name}}}"}'

WAF Detection

wafw00f

wafw00f http://$RHOST
wafw00f https://$RHOST

Nuclei

Nuclei is a template-based scanner used to detect web vulnerabilities, misconfigurations, and exposed components.

Basic Scans

nuclei -u http://$RHOST

Using specific template types:

nuclei -u http://$RHOST -t /path/to/templates/cves/
nuclei -u http://$RHOST -t /path/to/templates/misconfiguration/
nuclei -u http://$RHOST -t /path/to/templates/exposures/

Severity Filtering

nuclei -u http://$RHOST -s critical,high
nuclei -u http://$RHOST -s low,medium,high,critical

Rate Limiting & Stealth

Reduce noise and avoid being blocked:

nuclei -u http://$RHOST -rl 10 -c 5

JavaScript File Analysis

Extract JavaScript Files

curl -s http://$RHOST | grep -oP 'src="[^"]*\.js"' | cut -d'"' -f2

Analyze JS for Endpoints

curl -s http://$RHOST/app.js | grep -oP "[\"']/[^\"']*[\"']"
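As an added example (not from the original page, and not LinkFinder's code), a small Python script that does what the two grep one-liners above do but also handles single-quoted src attributes, relative script paths resolved against the page URL, and query strings such as app.js?v=3. The HTML and JavaScript inputs are constructed samples and target.example is a placeholder host.

```python
import re
from urllib.parse import urljoin

# <script ... src="..."> or src='...'; tolerates other attributes before src
SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*?\ssrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Quoted JS string literals that look like a path ("/api/...") or a full URL
ENDPOINT_RE = re.compile(
    r'["\'`]((?:https?://[^"\'`\s]+|/[A-Za-z0-9_./?=&%-]*))["\'`]')


def extract_js_urls(html, base_url):
    """Absolute URLs of external scripts referenced by an HTML page."""
    urls = []
    for src in SCRIPT_SRC_RE.findall(html):
        full = urljoin(base_url, src)  # relative paths become absolute
        if full not in urls:           # keep first-seen order, drop duplicates
            urls.append(full)
    return urls


def extract_endpoints(js):
    """De-duplicated path and URL literals found in JavaScript source."""
    found = []
    for literal in ENDPOINT_RE.findall(js):
        if literal not in found:
            found.append(literal)
    return found


# Constructed sample input; target.example is a placeholder host.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js?v=3"></script>
<script type="text/javascript" src='https://cdn.example.com/lib/vendor.js'></script>
<script>console.log('inline, no src');</script>
</head></html>"""

SAMPLE_JS = """fetch("/api/v1/users").then(r => r.json());
const admin = '/admin/login';
axios.post("https://api.example.com/graphql", q);
const again = "/api/v1/users";   // duplicate, reported once
"""

if __name__ == "__main__":
    for u in extract_js_urls(SAMPLE_HTML, "http://target.example/"):
        print("script:", u)
    for e in extract_endpoints(SAMPLE_JS):
        print("endpoint:", e)
```

Point extract_js_urls at the fetched page body and extract_endpoints at each downloaded script to build the list of paths worth checking manually.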

LinkFinder

python3 linkfinder.py -i http://$RHOST -o cli

Manual Enumeration Techniques

Check HTTP Methods

curl -X OPTIONS http://$RHOST -v
curl -X TRACE http://$RHOST

Check for HTTP PUT

curl -X PUT http://$RHOST/test.txt -d "test"