Web enumeration techniques for penetration testing using Gobuster, Ffuf, Dirb, and Nuclei to discover directories, files, virtual hosts, API endpoints, and security weaknesses in web applications during security assessments.
Directory bruteforcing discovers hidden files and directories by sending requests from a wordlist and analyzing responses.
Basic directory bruteforcing:
gobuster dir -u http://$RHOST -w /usr/share/wordlists/dirb/common.txt
Common options:
gobuster dir -u http://$RHOST -e -r -w wordlist.txt -x html,htm,asp,aspx,cgi,php,txt,zip,bak -t 50
-e  Expanded mode: print full URLs instead of bare paths
-r  Follow redirects
-w  Wordlist
-x  File extensions to append to each word
-t  Number of threads (parallel requests)
-k  Skip TLS certificate verification
-s  Status codes to include (default in older releases: 200,204,301,302,307,401,403)
-b  Status codes to exclude (blacklist; gobuster 3.1 and later default to -b 404 with no default for -s, and the two flags are mutually exclusive)
With HTTP basic authentication:
gobuster dir -u http://$RHOST -w wordlist.txt -U admin -P password
Ffuf is a fast web fuzzer written in Go; the keyword FUZZ marks where each wordlist entry is substituted.
Directory bruteforcing:
ffuf -u http://$RHOST/FUZZ -w wordlist.txt
ffuf -u http://$RHOST/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak
Multiple filters:
ffuf -u http://$RHOST/FUZZ -w wordlist.txt -fs 100,200 -fc 403,404
-fs  Filter out responses of the given sizes (bytes)
-fc  Filter out responses with the given status codes
Filters apply on top of ffuf's default match set (-mc 200-299,301,302,307,401,403,405,500), so 404 is already hidden unless you pass -mc all.
Dirb is the classic directory bruteforcing tool (it defaults to its own common.txt wordlist):
dirb http://$RHOST
dirb http://$RHOST /usr/share/wordlists/dirb/common.txt
dirb http://$RHOST -X .php,.html
dirb http://$RHOST -a "Mozilla/5.0 (pentest)"
dirb http://$RHOST -H "X-Custom: value"
-a takes the User-Agent string itself; arbitrary headers go in -H.
Response Code Filtering
How to read the codes a bruteforcer reports:
- 200: Success (found)
- 301/302: Redirect (often a directory requested without its trailing slash; follow it or request the path with "/" appended)
- 403: Forbidden (exists but access is denied; still a valid discovery)
- 401: Unauthorized (exists, requires authentication)
- 404: Not found (doesn't exist; beware "soft 404" sites that answer 200 for everything, where you must filter on response size instead)
Virtual host discovery identifies additional websites hosted on the same IP by fuzzing the Host header.
gobuster vhost -u http://$RHOST -w vhosts.txt --append-domain
With --append-domain each candidate is sent as Host: <word>.<domain taken from -u>, so pass the target's domain name in -u rather than a bare IP (add it to /etc/hosts pointing at $RHOST if it does not resolve).
Fast fuzzing for host header testing:
ffuf -u http://$RHOST -H "Host: FUZZ.$RDOMAIN.com" -w vhosts.txt
Filter responses by size: first request a Host value that cannot exist to learn the size of the catch-all response, then filter that size out (the 4242 below is a placeholder for whatever you measured; -ac lets ffuf calibrate it automatically):
ffuf -u http://$RHOST -H "Host: FUZZ.$RDOMAIN.com" -w vhosts.txt -fs 4242
Filter by status code:
ffuf -u http://$RHOST -H "Host: FUZZ.$RDOMAIN.com" -w vhosts.txt -fc 404
Confirm a candidate by hand over HTTP:
curl -H "Host: admin.target.com" http://$RHOST
When HTTPS is used, set the name with --resolve so that both the TLS SNI and the Host header match the virtual host while the connection still goes to $RHOST:
curl --resolve admin.$RDOMAIN.com:443:$RHOST https://admin.$RDOMAIN.com
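The directory bruteforcing and virtual host discovery sections above describe the same loop: expand a wordlist, send requests, classify status codes, and filter out the catch-all response by size. The following is an added example, not code from the original page or from gobuster/ffuf/dirb, that implements that loop in miniature against a throw-away local HTTP server. Every path, host name and body in it is constructed for the demo (the target answers 200 for unknown paths, the "soft 404" case where -fs is the only useful filter, and routes two extra sites purely on the Host header).

```python
"""Added example (not from the page or from gobuster/ffuf): a minimal
directory and vhost fuzzer showing wordlist x extension expansion,
status-code classification and size filtering against a calibrated
baseline (the manual -fs workflow, or ffuf -ac). All target data is
constructed; the local server below stands in for a real host."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed target. Unknown paths get a 200 "soft 404".
PATHS = {
    "/index.html": (200, b"<html>welcome</html>"),
    "/admin": (403, b"forbidden"),
    "/backup.zip": (200, b"PK\x03\x04fake-zip"),
    "/api": (301, b""),
}
SOFT_404 = b"<html>page not found</html>"
DEFAULT_SITE = b"<html>default site</html>"
VHOSTS = {  # extra sites on the same IP, selected only by the Host header
    "dev.example.test": b"<html>dev site</html>",
    "admin.example.test": b"<html>admin panel</html>",
}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host in VHOSTS:
            code, body = 200, VHOSTS[host]
        elif self.path == "/":
            code, body = 200, DEFAULT_SITE
        else:
            code, body = PATHS.get(self.path, (200, SOFT_404))
        self.send_response(code)
        if code == 301:  # directory requested without trailing slash
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_server():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *a, **k):  # never follow, like gobuster without -r
        return None


OPENER = urllib.request.build_opener(NoRedirect)


def probe(url, host=None):
    """Return (status, body length) for one request, overriding Host if given."""
    req = urllib.request.Request(url, headers={"Host": host} if host else {})
    try:
        with OPENER.open(req, timeout=5) as r:
            return r.status, len(r.read())
    except urllib.error.HTTPError as e:  # non-2xx still carries a body
        return e.code, len(e.read())


# The page's response-code table as a classification map.
INTERESTING = {200: "found", 204: "found", 301: "redirect", 302: "redirect",
               307: "redirect", 401: "auth required", 403: "forbidden"}


def dir_fuzz(base, words, exts=("",), calibrate=True):
    """Request word x extension; keep interesting codes, dropping any whose
    size equals the baseline for a path that cannot exist (-ac / -fs)."""
    hide = set()
    if calibrate:
        code, size = probe(base + "/this-path-cannot-exist-4f2a")
        if code in INTERESTING:  # soft 404: remember its size
            hide.add(size)
    hits = []
    for word in words:
        for ext in exts:
            path = "/" + word + ext
            code, size = probe(base + path)
            if code in INTERESTING and size not in hide:
                hits.append((path, code, INTERESTING[code], size))
    return hits


def vhost_fuzz(base, domain, words):
    """Calibrate on a Host that cannot exist, then report every candidate
    whose (status, size) differs from that default-site response."""
    baseline = probe(base + "/", host="this-host-cannot-exist." + domain)
    found = []
    for word in words:
        host = word + "." + domain
        resp = probe(base + "/", host=host)
        if resp != baseline:
            found.append((host, resp[0], resp[1]))
    return found


if __name__ == "__main__":
    srv, base = start_server()
    words, exts = ["index", "admin", "backup", "api", "secret"], ("", ".html", ".zip")
    print("uncalibrated hits:", len(dir_fuzz(base, words, exts, calibrate=False)))
    for hit in dir_fuzz(base, words, exts):
        print("dir  ", hit)
    for hit in vhost_fuzz(base, "example.test", ["www", "dev", "admin", "staging"]):
        print("vhost", hit)
    srv.shutdown()
```

Without calibration every one of the 15 word/extension combinations is reported as "found", which is what an unfiltered run against a soft-404 site looks like; with the baseline size hidden only the four real paths remain, and only the two Host values that change the response are reported. Real catch-all pages often embed the requested path, so their size varies slightly; that is why ffuf also offers filtering on word or line count and the -ac auto-calibration used above.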
API endpoint discovery: fuzz under the API prefix, and repeat with other methods, since many routes only answer to POST:
ffuf -u http://$RHOST/api/FUZZ -w api-endpoints.txt
ffuf -u http://$RHOST/api/v1/FUZZ -w api-endpoints.txt -X POST
For GraphQL, check whether introspection is enabled; if it is, the schema (types, queries, mutations) can be enumerated directly:
curl -X POST http://$RHOST/graphql -H "Content-Type: application/json" -d '{"query":"{__schema{types{name}}}"}'
WAF detection with wafw00f, which fingerprints the firewall from its responses to probe requests. Run it before heavy fuzzing, because a WAF may rate limit or block the scanning address:
wafw00f http://$RHOST
wafw00f https://$RHOST
Nuclei is a template-based scanner used to detect web vulnerabilities, misconfigurations, and exposed components.
nuclei -u http://$RHOST
Using specific template types:
nuclei -u http://$RHOST -t /path/to/templates/cves/
nuclei -u http://$RHOST -t /path/to/templates/misconfiguration/
nuclei -u http://$RHOST -t /path/to/templates/exposures/
Filter templates by severity:
nuclei -u http://$RHOST -s critical,high
nuclei -u http://$RHOST -s low,medium,high,critical
Reduce noise and avoid blocking (-rl caps requests per second, -c caps templates run in parallel):
nuclei -u http://$RHOST -rl 10 -c 5
JavaScript analysis: list the script files a page loads, then pull path-like string literals (API routes, hidden endpoints) out of them. LinkFinder automates the second step.
curl -s http://$RHOST | grep -oP 'src="[^"]*\.js"' | cut -d'"' -f2
curl -s http://$RHOST/app.js | grep -oE "['\"]/[^'\"]*['\"]"
python3 linkfinder.py -i http://$RHOST -o cli
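The grep pipeline above is brittle (single-quoted srcs, relative paths, static assets mixed in with endpoints). As an added example, not code from the original page or from LinkFinder, the following does the same two steps in Python: it collects script sources from an HTML page, resolves them against the page URL, and extracts root-relative string literals from a JavaScript bundle while dropping obvious static assets. The HTML and JS samples are constructed, as is the http://target.test base URL.

```python
"""Added example (not from the page or LinkFinder): script-source and
endpoint-literal extraction for JS analysis. Samples below are constructed."""
import re
from urllib.parse import urljoin

# Constructed page: mixed quote styles, an absolute CDN script, a relative
# chunk with a query string, and a non-script src that must be ignored.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src='https://cdn.example.test/lib/vendor.min.js'></script>
<script type="module" src="chunks/main.js?v=3"></script>
<img src="/logo.png">
</head></html>"""

# Constructed bundle: an API prefix concatenated with a route, a POST-only
# route, a static image, and strings that merely contain a slash.
SAMPLE_JS = r"""
const API = "/api/v1";
fetch(API + "/users");
fetch('/api/v1/admin/export', {method: "POST"});
const img = "/images/logo.png";
axios.get("/graphql");
var unrelated = "not a path"; var n = 10 / 2;
"""

SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I)
PATH_LITERAL = re.compile(r"""["'](/[A-Za-z0-9_./?=&-]*)["']""")
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".css", ".svg", ".ico", ".woff", ".woff2")


def script_srcs(html, page_url):
    """Every <script src=...> in the page, absolutised against the page URL
    so relative chunks and CDN-hosted bundles can both be fetched next."""
    return [urljoin(page_url, src) for src in SCRIPT_SRC.findall(html)]


def js_paths(js, skip_static=True):
    """Root-relative string literals in a bundle, deduplicated in order of
    appearance; static assets are dropped since they are rarely endpoints."""
    seen, out = set(), []
    for path in PATH_LITERAL.findall(js):
        if skip_static and path.lower().endswith(STATIC_EXT):
            continue
        if path not in seen:
            seen.add(path)
            out.append(path)
    return out


if __name__ == "__main__":
    for src in script_srcs(SAMPLE_HTML, "http://target.test/"):
        print("script:", src)
    for path in js_paths(SAMPLE_JS):
        print("path:  ", path)
```

Note that bundles usually build URLs by concatenation (the "/api/v1" + "/users" case above), so the extracted fragments are inputs for the API fuzzing step rather than finished endpoints: fuzz each prefix with the route fragments and an endpoint wordlist, and with POST as well as GET.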
HTTP method testing: OPTIONS lists the methods the server claims to allow (Allow header), TRACE echoes the request back if enabled, and PUT checks whether arbitrary uploads are accepted.
curl -X OPTIONS http://$RHOST -v
curl -X TRACE http://$RHOST -v
curl -X PUT http://$RHOST/test.txt -d "test" -i
A 201 or 204 to the PUT means the upload was accepted; confirm with a GET of /test.txt, record it as a finding, and remove the file again (DELETE, or ask the owner) so the assessment leaves nothing behind.