Enumeration

Deep enumeration discovers hidden directories, files, parameters, and API endpoints that expand the attack surface beyond what's publicly visible.

🎯 Why Enumeration Matters

Hidden Attack Surface: Admin panels, debug endpoints, and backup files are often not linked publicly
Forgotten Assets: Development files, old versions, and test pages frequently contain vulnerabilities
API Discovery: Undocumented API endpoints may lack proper authentication or authorization
Parameter Mining: Hidden parameters can expose debugging features or bypass security controls

💡 Pro Tip: Many critical findings come from enumeration - a forgotten `/admin.php.bak` or undocumented `/api/internal` endpoint can lead to complete compromise.

🛠️ Essential Enumeration Tools

ffuf: fast web fuzzer for directories and parameters. Install: `go install ...ffuf/v2@latest`

Gobuster: directory, DNS and VHost busting tool. Install: `go install ...gobuster/v3@latest`

Feroxbuster: fast recursive content discovery. Install: `brew install feroxbuster`

Arjun: HTTP parameter discovery for GET/POST. Install: `pip install arjun`

Kiterunner: contextual API endpoint discovery. Install: `go install ...kiterunner@latest`

WhatWeb: website fingerprinting and technology detection. Install: `brew install whatweb`

Directory & File Brute-Forcing

ffuf - Fast Web Fuzzer

```bash
# Basic directory fuzzing
ffuf -w /usr/share/wordlists/dirb/common.txt -u https://example.com/FUZZ

# With extensions
ffuf -w /usr/share/wordlists/dirb/common.txt -u https://example.com/FUZZ -e .php,.html,.txt,.bak

# Filter by status code
ffuf -w wordlist.txt -u https://example.com/FUZZ -fc 404,403

# Filter by response size
ffuf -w wordlist.txt -u https://example.com/FUZZ -fs 1234

# Filter by word count
ffuf -w wordlist.txt -u https://example.com/FUZZ -fw 42

# Recursive scanning
ffuf -w wordlist.txt -u https://example.com/FUZZ -recursion -recursion-depth 2

# Multiple wordlists
ffuf -w wordlist1.txt:FUZZ1 -w wordlist2.txt:FUZZ2 -u https://example.com/FUZZ1/FUZZ2

# POST data fuzzing
ffuf -w wordlist.txt -u https://example.com/login -X POST -d "user=admin&pass=FUZZ"

# Header fuzzing
ffuf -w wordlist.txt -u https://example.com -H "Host: FUZZ.example.com"

# Output to file
ffuf -w wordlist.txt -u https://example.com/FUZZ -o results.json -of json

# With cookies
ffuf -w wordlist.txt -u https://example.com/FUZZ -b "session=abc123"

# Rate limiting
ffuf -w wordlist.txt -u https://example.com/FUZZ -rate 100
```
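Filtering on size or word count (`-fs`, `-fw`) only works once you know what the target's "not found" response looks like. The script below is an added example, not from the original page or the ffuf project: it reads the JSON that `-o results.json -of json` produces, takes the dominant (status, length, words) signature as the soft-404 baseline, and lists only the entries that differ. It assumes ffuf's JSON field names (`input`, `status`, `length`, `words`, `url`); the sample results are constructed.

```python
import json
from collections import Counter

# Constructed sample in the shape ffuf writes with "-o results.json -of json"
# (field names input/status/length/words/url as in ffuf's JSON output; the
# paths and numbers are made up for this example).
SAMPLE_FFUF_JSON = """{"results": [
 {"input": {"FUZZ": "images"}, "status": 200, "length": 4120, "words": 310, "url": "https://example.com/images"},
 {"input": {"FUZZ": "admin"},  "status": 200, "length": 4120, "words": 310, "url": "https://example.com/admin"},
 {"input": {"FUZZ": "login"},  "status": 200, "length": 4120, "words": 310, "url": "https://example.com/login"},
 {"input": {"FUZZ": "backup"}, "status": 403, "length": 199,  "words": 12,  "url": "https://example.com/backup"},
 {"input": {"FUZZ": "api"},    "status": 301, "length": 0,    "words": 0,   "url": "https://example.com/api"},
 {"input": {"FUZZ": "old"},    "status": 200, "length": 8873, "words": 742, "url": "https://example.com/old"}
]}"""

def signature(r):
    """The tuple ffuf's -fc/-fs/-fw filters act on."""
    return (r["status"], r["length"], r["words"])

def baseline_signature(results):
    """Most frequent signature. A site that answers every unknown path with
    the same 200 'not found' page makes that page dominate the results; that
    is the soft-404 baseline -fs / -fw exist to filter out."""
    return Counter(signature(r) for r in results).most_common(1)[0][0]

def triage(ffuf_json_text, min_baseline_share=0.4):
    """Split ffuf JSON output into (baseline, findings).

    findings is a list of (path, status, length) sorted by status then path.
    The baseline is only dropped as noise when it covers at least
    min_baseline_share of all results, so a short list of genuinely distinct
    hits is not over-filtered (baseline is returned as None in that case)."""
    results = json.loads(ffuf_json_text)["results"]
    if not results:
        return None, []
    base = baseline_signature(results)
    if sum(signature(r) == base for r in results) / len(results) < min_baseline_share:
        base = None
    findings = [(r["input"]["FUZZ"], r["status"], r["length"])
                for r in results if base is None or signature(r) != base]
    findings.sort(key=lambda f: (f[1], f[0]))
    return base, findings

if __name__ == "__main__":
    base, findings = triage(SAMPLE_FFUF_JSON)
    print("baseline (likely soft-404):", base)
    for path, status, length in findings:
        print(f"{status} {length:>6}  /{path}")
```

The baseline tuple it reports is exactly what you would pass back to ffuf as `-fc`, `-fs` and `-fw` on the next run.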

Gobuster

```bash
# Directory mode
gobuster dir -u https://example.com -w /usr/share/wordlists/dirb/common.txt

# With extensions
gobuster dir -u https://example.com -w wordlist.txt -x php,html,txt,bak,old

# Threads and timeout
gobuster dir -u https://example.com -w wordlist.txt -t 50 --timeout 10s

# Ignore SSL errors
gobuster dir -u https://example.com -w wordlist.txt -k

# DNS subdomain mode
gobuster dns -d example.com -w subdomains.txt

# Virtual host discovery
gobuster vhost -u https://example.com -w vhosts.txt

# With authentication
gobuster dir -u https://example.com -w wordlist.txt -U admin -P password

# Status codes to include (v3 refuses -s unless the default 404 blacklist is cleared with -b "")
gobuster dir -u https://example.com -w wordlist.txt -s 200,204,301,302,307,401 -b ""
```

Recommended Wordlists

| Wordlist | Use Case | Size (entries) |
| --- | --- | --- |
| SecLists/Discovery/Web-Content/common.txt | Quick general scan | ~4,600 |
| SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt | Comprehensive scan | ~220,000 |
| SecLists/Discovery/Web-Content/raft-large-files.txt | File discovery | ~37,000 |
| SecLists/Discovery/Web-Content/api/api-endpoints.txt | API enumeration | ~6,000 |
| SecLists/Discovery/DNS/subdomains-top1million-5000.txt | Subdomain fuzzing | 5,000 |

SecLists

Install SecLists for comprehensive wordlists: `sudo apt install seclists`, or clone it from GitHub.

Parameter Discovery

Hidden parameters can expose additional functionality and vulnerabilities.

Arjun - Parameter Discovery

```bash
# GET parameter discovery
arjun -u https://example.com/page

# POST parameter discovery
arjun -u https://example.com/api -m POST

# JSON parameter discovery
arjun -u https://example.com/api -m JSON

# Custom wordlist
arjun -u https://example.com/page -w params.txt

# Multiple URLs
arjun -i urls.txt

# With headers
arjun -u https://example.com/page --headers "Cookie: session=abc"

# Output to file
arjun -u https://example.com/page -o params.json
```

x8 - Hidden Parameter Discovery

```bash
# Basic parameter discovery
x8 -u "https://example.com/page" -w params.txt

# With custom method (x8 takes the HTTP method via -X; -m is its max-parameters-per-request option)
x8 -u "https://example.com/api" -w params.txt -X POST

# Check parameter value reflection
x8 -u "https://example.com/page?existing=1" -w params.txt
```

API Enumeration

Common API Endpoints

api-endpoints.txt

```text
# Documentation endpoints
/api
/api/v1
/api/v2
/swagger
/swagger-ui.html
/swagger/index.html
/api-docs
/api/docs
/openapi.json
/swagger.json
/api/swagger.json
/docs
/redoc
/graphql
/graphiql

# Common REST patterns
/api/users
/api/user/1
/api/admin
/api/config
/api/settings
/api/debug
/api/test
/api/health
/api/status
/api/version
/api/info

# Authentication endpoints
/api/login
/api/auth
/api/token
/api/oauth
/api/register
/api/password/reset
```

Kiterunner - API Discovery

```bash
# Scan with API wordlist
kr scan https://example.com -w routes-large.kite

# Brute force mode
kr brute https://example.com -w wordlist.txt

# With specific HTTP methods
kr scan https://example.com -w routes.kite -m GET,POST,PUT

# Output to file
kr scan https://example.com -w routes.kite -o results.txt
```

Technology Fingerprinting

```bash
# WhatWeb
whatweb https://example.com
whatweb -v https://example.com  # Verbose
whatweb -a 3 https://example.com  # Aggressive

# Wappalyzer CLI
wappalyzer https://example.com

# httpx with tech detection
echo "https://example.com" | httpx -tech-detect -status-code -title

# Manual checks
curl -I https://example.com  # Headers
curl https://example.com/robots.txt
curl https://example.com/sitemap.xml
curl https://example.com/.well-known/security.txt
```

CMS Detection

```bash
# CMSmap - Multi-CMS scanner
cmsmap https://example.com

# WordPress
wpscan --url https://example.com
curl https://example.com/wp-content/
curl https://example.com/wp-includes/version.php

# Joomla
joomscan -u https://example.com
curl https://example.com/administrator/
curl https://example.com/language/en-GB/en-GB.xml  # Version

# Drupal
droopescan scan drupal -u https://example.com
curl https://example.com/CHANGELOG.txt

# Magento (magescan's commands are namespaced, e.g. scan:all, scan:version)
magescan scan:all https://example.com
```

Virtual Host Discovery

```bash
# ffuf vhost discovery
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
     -u https://example.com \
     -H "Host: FUZZ.example.com" \
     -fs 1234  # Filter default response size

# Gobuster vhost mode
gobuster vhost -u https://example.com -w vhosts.txt

# Manual curl test
curl -H "Host: dev.example.com" https://192.168.1.1

# Using wfuzz
wfuzz -w subdomains.txt -H "Host: FUZZ.example.com" --hc 404 https://192.168.1.1
```
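From the defending side, the brute-forcing above leaves an obvious trace: one client requesting many distinct paths in a short window and mostly getting 401/403/404 back. The following is an added example, not part of the original page: it parses combined-format access-log lines and flags clients matching that pattern; as a secondary signal it also checks for the tools' default user agents (ffuf's begins with "Fuzz Faster U Fool", gobuster's with "gobuster/"), which any operator can change. The log lines and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed "combined" format access-log lines; addresses, paths and user
# agents are made up for this example.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /admin HTTP/1.1" 404 199 "-" "Fuzz Faster U Fool v2.1.0"
198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /backup HTTP/1.1" 404 199 "-" "Fuzz Faster U Fool v2.1.0"
198.51.100.7 - - [10/Oct/2024:13:55:41 +0000] "GET /config.php.bak HTTP/1.1" 404 199 "-" "Fuzz Faster U Fool v2.1.0"
198.51.100.7 - - [10/Oct/2024:13:55:41 +0000] "GET /api/internal HTTP/1.1" 401 47 "-" "Fuzz Faster U Fool v2.1.0"
198.51.100.7 - - [10/Oct/2024:13:55:42 +0000] "GET /old HTTP/1.1" 404 199 "-" "Fuzz Faster U Fool v2.1.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
FUZZER_UA_PREFIXES = ("Fuzz Faster U Fool", "gobuster/")  # tool defaults; trivially changed with -H

def parse(log_text):
    """Yield (ip, timestamp, path, status, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, path, status, ua = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status), ua

def flag_enumeration(log_text, window_s=60, min_requests=5, min_miss_ratio=0.6):
    """Return {ip: [reasons]} for clients whose traffic looks like content brute-forcing:
    a burst of requests to distinct paths that mostly draw 401/403/404 responses."""
    by_ip = defaultdict(list)
    for ip, ts, path, status, ua in parse(log_text):
        by_ip[ip].append((ts, path, status, ua))
    flagged = defaultdict(list)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _, _, _) in enumerate(evs):  # sliding window starting at each request
            win = [e for e in evs[i:] if (e[0] - t0).total_seconds() <= window_s]
            misses = sum(1 for e in win if e[2] in (401, 403, 404))
            paths = {e[1] for e in win}
            if len(win) >= min_requests and len(paths) >= min_requests and misses / len(win) >= min_miss_ratio:
                flagged[ip].append(f"{misses}/{len(win)} miss responses across {len(paths)} paths in {window_s}s")
                break
        if any(e[3].startswith(FUZZER_UA_PREFIXES) for e in evs):
            flagged[ip].append("default fuzzer user agent")
    return dict(flagged)

if __name__ == "__main__":
    for ip, reasons in flag_enumeration(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The rate-limited and cookie-bearing ffuf runs shown earlier (`-rate`, `-b`) are the reason the miss ratio, not raw request count, is the primary signal here.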

✅ Enumeration Testing Checklist

📁 Directory Discovery

🔍 API Enumeration

⚙️ Parameter Discovery

🔧 Technology Detection

🎮 Practice Labs

Practice enumeration techniques on these intentionally vulnerable platforms:

Next Steps

With a complete map of the application structure, proceed to Vulnerability Analysis to systematically test discovered endpoints for security weaknesses.