Directory and file enumeration is the process of discovering all publicly accessible paths, files, endpoints, and hidden resources hosted on a web server. These locations often expose sensitive information such as admin panels, backups, configuration files, test code, logs, version control folders, and forgotten development endpoints. Enumerating directories is one of the most direct paths to discovering vulnerabilities because developers frequently leave behind files that should never be exposed externally.
This chapter provides full-length theory and a complete practical workflow with real commands, deep explanations, and step-by-step attack methodology exactly like previous chapters.
Why Directory & File Enumeration Matters
Directories reveal the true structure of a web application. Many security breaches happen because attackers find:
- /admin
- /backup
- /test
- /dev
- /old
- /staging
- /uploads
- /config
- /logs
- /private
These folders may contain:
- login portals
- source code
- backups of the database
- unhashed passwords
- debug tools
- exposed environment variables
- old code with vulnerabilities
Most developers never intend users to see these endpoints, but they are reachable if directory enumeration is done properly.
How Directory Enumeration Works
Directory enumeration works by sending requests to possible paths and analyzing responses.
Example:
curl http://target.com/admin
If the server responds with 200 OK, the directory or file exists. If it responds with 302 Found (or 301), the path exists but redirects, frequently to a login page, so check the Location header before assuming the content is readable.
If the response is 404 Not Found, the path most likely does not exist.
Tools automate this process and try thousands of directories in seconds.
Manual Directory Enumeration
Before using tools, try simple manual checks to observe patterns.
Step 1: Basic Common Paths
Test manually:
curl -I http://$IP/admin
curl -I http://$IP/login
curl -I http://$IP/backup
curl -I http://$IP/test
Look for:
- 200 OK
- 302 redirects
- 403 forbidden (exists but restricted)
Step 2: Check for index pages
curl -I http://$IP/index.php
curl -I http://$IP/index.html
Step 3: Try common extensions
curl -I http://$IP/config.php
curl -I http://$IP/settings.ini
curl -I http://$IP/database.yml
Manual probing often reveals low-hanging fruit.
Automated Directory Enumeration (Practical & Full)
Directory enumeration is most effective when done with automated tools.
Below is the full workflow used by professionals.
Tool 1: Gobuster (Fast & Reliable)
Gobuster brute forces directories using wordlists.
Basic scan:
gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt
For larger scans:
gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Adding file extensions
gobuster dir -u http://$IP -w wordlist.txt -x php,txt,bak,zip
This attempts:
- file.php
- file.txt
- file.bak
- file.zip
Backup files are extremely valuable.
Tool 2: Dirsearch (Python-based, very powerful)
Basic scan:
python3 dirsearch.py -u http://$IP -e php,html,txt
Recursive mode:
python3 dirsearch.py -u http://$IP -r
Recursive enumeration digs deeper into discovered directories.
Tool 3: FFUF (Flexible & Fast)
Basic scan:
ffuf -u http://$IP/FUZZ -w wordlist.txt
Filter response sizes:
ffuf -u http://$IP/FUZZ -w wordlist.txt -fs 0
Extensions:
ffuf -u http://$IP/FUZZ -w wordlist.txt -e .php,.html,.bak
Practical Targets for Enumeration
During enumeration, always target these areas.
1. Admin Panels
Common names:
- /admin
- /administrator
- /admin-panel
- /cpanel
- /moderator
Finding admin panels leads directly to authentication testing.
2. Backup Files
Look for:
/backup/
/db/
/old/
/dev/
/test/
/website.zip
/db.sql
/backup.tar.gz
Many real breaches start with exposed backups.
3. Developer Directories
/dev/
/test/
/staging/
/preprod/
/v1/
/v2/
These often contain:
- debug pages
- hardcoded credentials
- unfinished features
4. Config Files
config.php
settings.py
.env
web.config
.htaccess
application.ini
These files often expose secrets.
5. Log Files
debug.log
error.log
access.log
Logs may contain:
- credentials
- tokens
- stack traces
- SQL errors
6. Upload Directories
/uploads/
/images/
/media/
Use them for file upload attacks or stored XSS payloads.
7. Hidden Version Control Folders
/.git/
/svn/
/hg/
If accessible, they can expose the entire source code.
Extracting source code from exposed .git:
git clone http://$IP/.git/
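The target classes in sections 2 through 7 are exactly what a deployment check should catch first. The following audit script is an added example, not code from the original chapter: it walks a web root and reports version-control folders, backups, config and log files before a wordlist finds them. The file layout it builds is a constructed sample in a temporary directory, and the pattern lists are assumed defaults taken from the lists above.

```python
"""Audit a web root for the artifact classes listed above.

Added example, not from the original chapter. The web root it builds is a
constructed sample in a temporary directory; RISKY_PATTERNS are assumed
defaults drawn from the chapter's target list, not an official standard.
"""
import fnmatch
import os
import tempfile

RISKY_PATTERNS = {
    "vcs": [".git", ".svn", ".hg"],
    "backup": ["*.bak", "*.old", "*.zip", "*.tar.gz", "*.sql"],
    "config": [".env", "*.ini", "web.config", "settings.py"],
    "log": ["*.log"],
}


def classify(name):
    """Return the risk class for a file or directory name, or None."""
    for risk, patterns in RISKY_PATTERNS.items():
        if any(fnmatch.fnmatch(name, p) for p in patterns):
            return risk
    return None


def find_exposed_artifacts(webroot):
    """Walk webroot and return sorted (relative_path, risk) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot)
        for d in list(dirnames):
            if (risk := classify(d)):
                findings.append((os.path.normpath(os.path.join(rel, d)) + "/", risk))
                dirnames.remove(d)  # whole subtree is exposed; no need to descend
        for f in filenames:
            if (risk := classify(f)):
                findings.append((os.path.normpath(os.path.join(rel, f)), risk))
    return sorted(findings)


def build_demo_webroot():
    """Create a constructed sample web root and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for path in ["index.php", ".env", "config.php.bak", "backup/db.sql",
                 ".git/HEAD", "uploads/avatar.png", "logs/debug.log"]:
        full = os.path.join(root, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root
```

Run `find_exposed_artifacts("/var/www/html")` against a real document root to get the list a scanner would otherwise produce for you.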
Identifying Directory Discovery Patterns
200 OK → Directory/File Exists
403 Forbidden → Directory exists but restricted
301/302 → Redirect (path exists)
404 Not Found → Usually doesn't exist
500 Internal Server Error → Misconfigured but exists
403 responses are gold because:
- They confirm directory existence
- Suggest sensitive content
- Often bypassable (later chapters)
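The same status-code pattern reads the other way round on the server: one client producing a burst of 404s and 403s plus requests for paths no real user asks for. The detector below is an added example, not part of the original chapter; its log lines are constructed samples in Apache common log format, and the thresholds and sensitive-path list are assumed defaults built from the targets listed earlier.

```python
"""Spot directory enumeration from the server side in access logs.

Added example, not from the original chapter. SAMPLE_LOG is constructed
test data in common log format; SENSITIVE_RE and the thresholds in
detect_enumeration() are assumed defaults, tune them per application.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Paths from the chapter's target list; treated as never-legitimate here.
SENSITIVE_RE = re.compile(
    r"^/\.git/|^/\.env$|\.(bak|old|sql|zip|tar\.gz)$|^/(backup|admin|phpinfo\.php)", re.I
)

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 403 199
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /backup HTTP/1.1" 404 153
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /db.sql HTTP/1.1" 404 153
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /.git/HEAD HTTP/1.1" 404 153
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /missing.png HTTP/1.1" 404 153
""".splitlines()


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_enumeration(lines, min_404=4, min_sensitive=2):
    """Aggregate per client IP; flag clients with >= min_404 not-found responses
    or >= min_sensitive sensitive-path requests. 403s are counted too."""
    stats = defaultdict(lambda: {"requests": 0, "404": 0, "403": 0, "sensitive": []})
    for rec in filter(None, map(parse_line, lines)):
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] in ("403", "404"):
            s[rec["status"]] += 1
        if SENSITIVE_RE.search(rec["path"]):
            s["sensitive"].append(rec["path"])
    return {ip: dict(s, flagged=s["404"] >= min_404 or len(s["sensitive"]) >= min_sensitive)
            for ip, s in stats.items()}
```

A single missing image from a normal visitor stays below both thresholds, while a wordlist run trips them within a handful of requests.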
File Enumeration: Finding Sensitive Files
Tools find files as well as directories.
File extensions to target:
- .php
- .html
- .txt
- .zip
- .tar.gz
- .sql
- .bak
- .old
- .conf
- .env
Command Example
ffuf -u http://$IP/FUZZ -w files.txt -e .bak,.zip,.tar,.sql,.old
Backup files often contain database dumps.
Enumerating HTTP Methods
Check which methods are enabled:
curl -I -X OPTIONS http://$IP
Look for:
- PUT
- DELETE
- TRACE
- PATCH
If PUT is allowed, you might upload files.
Enumerating Default Pages for Frameworks
PHP apps:
/phpinfo.php
/server-status
WordPress:
/wp-admin/
/wp-json/
/xmlrpc.php
Node.js:
/debug/
/api-docs
Django:
/admin/
/static/
Framework-specific directories reveal technologies.
Using Nmap for Directory Discovery
Nmap NSE scripts:
nmap -p80 --script http-enum $IP
It finds:
- directories
- admin panels
- hidden endpoints
- comments
Recursive Directory Enumeration Workflow
- Run gobuster on root
- For each discovered directory: run gobuster again inside that directory
Example:
gobuster dir -u http://$IP/admin -w wordlist.txt
Repeat for:
- /api
- /test
- /dev
- /v1
- /uploads
Recursive enumeration is how you uncover deep hidden paths.
Handling Large Web Applications
For huge sites:
Step 1: Enumerate the site with a large wordlist (dirsearch brute-forces paths; it is not a link crawler)
python3 dirsearch.py -u http://$IP -w big.txt
Step 2: Feed the discovered paths (or a crawler's output saved as crawl.txt) into ffuf
ffuf -u http://$IP/FUZZ -w crawl.txt
Combining crawlers and brute force gives maximum visibility.
Interpreting Results to Find Vulnerable Points
Examples:
Found /backup.zip
→ Extract credentials inside.
Found /admin
→ Begin authentication testing.
Found /dev
→ Look for debug interfaces.
Found /test
→ Code or features not intended for production.
Found /config.php showing 403
→ Indicates existence, try bypass methods later.
Directory enumeration leads you to direct exploitation.
Full Practical Workflow Summary
- Manual checks
  curl -I http://$IP/admin
  curl -I http://$IP/backup
- Gobuster primary enumeration
  gobuster dir -u http://$IP -w wordlist.txt
- FFUF deeper probe
  ffuf -u http://$IP/FUZZ -w biglist.txt
- Dirsearch recursive scan
  python3 dirsearch.py -u http://$IP -r
- Check for file extensions
  gobuster dir -u http://$IP -w list.txt -x php,zip,sql
- Framework-specific paths
  Look for CMS or backend signatures.
- Document everything
  Create a list of vulnerable or interesting directories.
This produces every possible entry point for exploitation.
Intel Dump
- Directory & file enumeration reveals hidden, sensitive, and development paths.
- Manual checks identify obvious admin panels or backups.
- Gobuster, FFUF, and Dirsearch are primary brute-force tools.
- Prioritize admin, backup, config, log, and test directories.
- File enumeration targets extensions like .bak, .zip, .sql, .conf.
- HTTP method testing reveals dangerous capabilities like PUT.
- 403 responses confirm directory existence and become bypass targets.
- Recursive enumeration is essential for deep discovery.
- Results provide direct exploitation paths like credential leaks or debug endpoints.