> For the complete documentation index, see [llms.txt](https://www.hackbook.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.hackbook.io/reconnaissance/web-server/directory-and-file-enumeration.md).

# Directory & File Enumeration

{% hint style="success" %}
Follow the link for more [Web Hacking Techniques](/web-application-hacking/web-techniques.md) other than basic enumeration.
{% endhint %}

## Methodology

### Directory Enumeration (fuzzing) vs Directory Spidering

There are 2 basic methods that we can use here. We can either take a list of common directories crafted for our target (Check [SecLists](https://github.com/danielmiessler/SecLists)) and enumerate the domain with tools like [gobuster](/reconnaissance/web-server/directory-and-file-enumeration/enumeration/gobuster.md), [dirb](/reconnaissance/web-server/directory-and-file-enumeration/enumeration/dirb.md), dirbuster, [nikto](/reconnaissance/web-server/directory-and-file-enumeration/enumeration/nikto.md), wfuzz, and burp.&#x20;

Or we can [spider/crawl](/reconnaissance/web-server/directory-and-file-enumeration/crawling.md) the site following links and using burp to build a site scope of linked pages. This second method can be better if we want to test for files that we can see after a login and then check if they are still accessible after a logoff.&#x20;

{% hint style="info" %}
Server-side scripting files like PHP, .NET, JSP may not display correctly without params passed.  Make sure to test them with different combinations to see if authorization is broken for these files.
{% endhint %}

## Directory Enumeration with Params:

{% hint style="danger" %}
Note this for <mark style="color:red;">**302**</mark>'s
{% endhint %}

Often times if we request a file it can give us a 302 to the page. If you see these response codes in your enumeration results. Make a new list of the results and then try [fuzzing](/reconnaissance/web-server/directory-and-file-enumeration/fuzzing.md) that second list with param value combinations. Below we see that if we add a param to the same unauth request we can then change the 302 to a viewable 200 page.&#x20;

### <mark style="color:red;">302</mark>:

![getPersonalData.php](/files/-MeS_wydjStajsgRWMDk)

### 200:

![getPersonalData.php?user=angela](/files/-MeSa-HnNjXQhGor7S-i)
