Directory and File Enumeration
Serving Files From a Web Server
NGINX
/etc/nginx/sites-available/example.com.conf
server {
    listen 80;
    server_name www.example.com;
    root /var/www/example.com;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
- Server Block
  - Listens on TCP/80
  - Answer any HTTP request with HOST: www.example.com
  - Serve the contents out of /var/www/example.com
  - Home page (index) is /var/www/example.com/index.html
  - When hitting the server name, try files in: /var/www/example.com/ + user/requested/resource
Apache
/etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
    ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
- Server Block
  - Listens on TCP/80
  - Answer any HTTP request with HOST: www.example.com
  - Serve the contents out of /var/www/example.com
  - Home page (index) is /var/www/example.com/index.html
  - When hitting the server name, try files in: /var/www/example.com/ + user/requested/resource
Enumeration
- Given the domain example.com, we know the following:
  - www.example.com exists
  - If we go to http://www.example.com in our web browser, we will be served an index file
  - The index file is probably something like http://www.example.com/index.html
- We don't know the following:
  - What other files and directories -- if any -- are being served by this web server?
  - How would we discover this?
- Use DNS to resolve www.example.com to an IP address
- Open a TCP connection to the IP address of the web server on TCP/80
- Send an HTTP request to the remote server

    GET / HTTP/1.1
    Host: www.example.com
    ...
    ...
    ...

The web server receives the HTTP data and inspects the Host header.
- This is how it knows which VirtualHost to forward it to.
- The web site for www.example.com is being served out of /var/www/example.com on the remote server.
- When you send HTTP GET / to the server, the server understands you are requesting the top-level document of the web server and sends you the /var/www/example.com/index.html page.
Automation
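# Target site, wordlist of candidate names, and extensions to append to each name
site='http://www.example.com'
wordlist='/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt'
fileExtensions='html,php'
# Quote the variables so paths containing spaces are passed as single arguments
gobuster dir -u "$site" -w "$wordlist" -x "$fileExtensions"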
Using a tool like gobuster you can automate a series of HTTP requests to the server. Effectively, what you are doing is this:
- GET /[wordlist-item1] .......... Server responds HTTP 200, the file exists
- GET /[wordlist-item1].html ..... Server responds HTTP 404, file is not found
- GET /[wordlist-item1].php ...... Server responds HTTP 200, the file exists
- GET /[wordlist-item2] .......... Server responds HTTP 301 /[wordlist-item2]/, this is a directory
- GET /[wordlist-item2].html ..... Server responds HTTP 200, the file exists
- GET /[wordlist-item2].php ...... Server responds HTTP 404, file is not found