
Directory and File Enumeration

Serving Files From a Web Server

NGINX

/etc/nginx/sites-available/example.com.conf

server {
       listen 80;
       server_name www.example.com;
       root /var/www/example.com;
       index index.html;

       location / {
               try_files $uri $uri/ =404;
       }
}
  • Server block
    • Listens on TCP/80
    • Answers any HTTP request whose Host header is www.example.com
    • Serves the contents out of /var/www/example.com
    • Home page (index) is /var/www/example.com/index.html
    • For a request to /user/requested/resource, try_files checks in order:
      • /var/www/example.com/user/requested/resource as a file ($uri)
      • the same path as a directory ($uri/), which is then answered with its index file
      • otherwise respond 404 (=404)

Apache

/etc/apache2/sites-available/example.com.conf

<VirtualHost *:80>
        ServerName www.example.com
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
  • VirtualHost block
    • Listens on TCP/80 on every interface (*:80)
    • Answers any HTTP request whose Host header is www.example.com
    • Serves the contents out of /var/www/html (note: this stock Debian/Ubuntu template does not point at /var/www/example.com; change DocumentRoot if that is where the site lives)
    • Home page (index) is /var/www/html/index.html, chosen by Apache's DirectoryIndex directive (index.html by default), which is not set in this block
    • A request to /user/requested/resource maps directly onto /var/www/html/user/requested/resource; there is no try_files step, a missing file is simply a 404
    • Errors and every request are written to error.log and access.log under ${APACHE_LOG_DIR}



Enumeration

  • Given the domain example.com, we know the following:
    • www.example.com exists
    • If we go to http://www.example.com in our web browser, we will be served an index file
    • The index file is probably something like http://www.example.com/index.html
  • We don't know the following:
    • What other files and directories -- if any -- are being served by this web server?
  • How would we discover this?

When you navigate to http://www.example.com in your browser, the following happens:

  • Use DNS to resolve www.example.com to an IP address
  • Open a TCP connection to the IP address of the web server on TCP/80
  • Send an HTTP request to the remote server (HTTP/1.1 requires the Host header; it is what makes name-based virtual hosting possible)
GET / HTTP/1.1
Host: www.example.com
...
...
...

The web server receives the HTTP data and inspects the Host header.

  • This is how it knows which server block (NGINX) or VirtualHost (Apache) should handle the request; a Host that matches nothing falls through to the default block.
  • The web site for www.example.com is being served out of /var/www/example.com on the remote server.
  • When you send HTTP GET / to the server, you are requesting the root resource of that site; the server maps / onto the document root, finds the configured index file, and sends you /var/www/example.com/index.html.



Automation

# Target and inputs; adjust to the host under test
site='http://www.example.com'
wordlist='/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt'
fileExtensions='html,php'   # -x appends each extension to every word in the list

gobuster dir -u "$site" -w "$wordlist" -x "$fileExtensions"

Using a tool like gobuster you can automate a series of HTTP requests to the server. For every word in the wordlist it requests the bare word plus one variant per extension given with -x, and reports each response by status code. Effectively, what you are doing is this:

  • GET /[wordlist-item1] .......... Server responds HTTP 200, the file exists
  • GET /[wordlist-item1].html ..... Server responds HTTP 404, file is not found
  • GET /[wordlist-item1].php ...... Server responds HTTP 200, the file exists
  • GET /[wordlist-item2] .......... Server responds HTTP 301 with Location: /[wordlist-item2]/, this is a directory
  • GET /[wordlist-item2].html ..... Server responds HTTP 200, the file exists
  • GET /[wordlist-item2].php ...... Server responds HTTP 404, file is not found

Two caveats when reading the results. A 403 usually means the path exists but the server refuses to serve or list it, so it is still a finding. And before trusting any of the codes, request a random name that cannot exist and see what comes back: a site that answers 200 (or a redirect to a login page) for everything defeats status-code matching. gobuster performs this check itself at startup and stops with a wildcard error until you tell it which response to exclude.
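The request flow described earlier (the Host header selecting a virtual host) and the word-times-extension probing that gobuster performs, reproduced as one self-contained added example. This is not code from the page or from gobuster: it starts Python's own http.server on a loopback port with two constructed document roots (www.example.com holding an admin/ directory and login.php, other.example.com holding only an index page), then plays the gobuster role over a three-word wordlist and classifies each response the way the list above does. The hostnames, wordlist and files are all constructed for the demo; the vhost dispatch in VHostHandler is a toy stand-in for what NGINX and Apache do.

```python
import http.client
import http.server
import os
import tempfile
import threading


class VHostHandler(http.server.SimpleHTTPRequestHandler):
    """Toy name-based virtual hosting: pick the document root from the Host header."""

    vhosts = {}  # hostname -> document root, filled in by start_vhost_server()

    def translate_path(self, path):
        host = self.headers.get("Host", "").split(":")[0].lower()
        # Like nginx/Apache, an unknown Host falls through to the first (default) vhost.
        self.directory = self.vhosts.get(host, next(iter(self.vhosts.values())))
        return super().translate_path(path)

    def log_message(self, format, *args):  # keep the demo quiet
        pass


def start_vhost_server(vhosts):
    """Serve the {hostname: docroot} map on a random loopback port; returns (server, port)."""
    VHostHandler.vhosts = dict(vhosts)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def classify(status, location):
    """Map a response to what a directory brute-forcer would report for the path."""
    if status == 200:
        return "file"
    if status in (301, 302) and location and location.endswith("/"):
        return "directory"
    if status == 403:
        return "forbidden (exists, but not readable or listable)"
    return None  # 404 and anything else: treat as not found


def candidates(words, extensions):
    """Same request set as `gobuster dir -x html,php`: each word bare and with each extension."""
    for word in words:
        yield "/" + word
        for ext in extensions:
            yield f"/{word}.{ext}"


def enumerate_paths(port, host, words, extensions):
    """One GET per candidate with an explicit Host header; returns {path: (status, label)}."""
    found = {}
    for path in candidates(words, extensions):
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("GET", path, headers={"Host": host})  # http.client never follows redirects
        resp = conn.getresponse()
        resp.read()
        label = classify(resp.status, resp.getheader("Location"))
        conn.close()
        if label:
            found[path] = (resp.status, label)
    return found


def build_demo_docroots():
    """Constructed sample site: two vhosts under one temp dir (not a real server layout)."""
    base = tempfile.mkdtemp(prefix="enum-demo-")
    www = os.path.join(base, "www.example.com")
    other = os.path.join(base, "other.example.com")
    os.makedirs(os.path.join(www, "admin"))
    os.makedirs(other)
    for rel in ("index.html", "login.php", os.path.join("admin", "index.html")):
        with open(os.path.join(www, rel), "w") as f:
            f.write("<html>demo</html>\n")
    with open(os.path.join(other, "index.html"), "w") as f:
        f.write("<html>other</html>\n")
    return {"www.example.com": www, "other.example.com": other}


def run_demo():
    """Enumerate the same wordlist against both vhosts; returns (www_hits, other_hits)."""
    server, port = start_vhost_server(build_demo_docroots())
    words = ["admin", "login", "backup"]  # constructed mini wordlist
    try:
        www_hits = enumerate_paths(port, "www.example.com", words, ["html", "php"])
        other_hits = enumerate_paths(port, "other.example.com", words, ["html", "php"])
    finally:
        server.shutdown()
        server.server_close()
    return www_hits, other_hits


if __name__ == "__main__":
    for host, hits in zip(("www.example.com", "other.example.com"), run_demo()):
        print(host)
        for path, (status, label) in sorted(hits.items()):
            print(f"  GET {path:<12} -> {status} ({label})")
```

Run it directly and the www.example.com pass reports /admin as a directory (301 to /admin/) and /login.php as a file (200), while the identical wordlist sent with Host: other.example.com finds nothing, which is the Host-header point in miniature. The 403 branch of classify is not exercised by the constructed site; it is there because that code is what you will see for real directories whose listing is disabled.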