Web Enumeration

Fingerprinting

Command	Description
`whatweb <IP>`	Identify web server, CMS, frameworks, and technologies.
`nikto -h http://<IP>`	Vulnerability scan: misconfigs, outdated software, exposed files.
`nikto -h http://<IP> -p 8080`	Nikto on a non-standard port.
`curl -I http://<IP>`	Grab HTTP headers (Server, X-Powered-By, etc.).
`curl -s http://<IP>/robots.txt`	Check robots.txt for hidden paths.
`curl -s http://<IP>/sitemap.xml`	Check sitemap for exposed URLs.
`wafw00f http://<IP>`	Detect WAF (Web Application Firewall).

Nmap HTTP Scripts

Command	Description
`nmap --script http-enum -p 80,443,8080 <IP>`	Enumerate common web directories and files.
`nmap --script http-headers -p 80 <IP>`	Retrieve HTTP response headers.
`nmap --script http-methods -p 80 <IP>`	List allowed HTTP methods (PUT, DELETE, etc.).
`nmap --script http-webdav-scan -p 80 <IP>`	Check for WebDAV support.
`nmap --script http-title -p 80,8080,8443 <IP>`	Grab page titles from web ports.
`nmap -p 80,443,8000,8080,8443,10000 --open -sV <CIDR>`	Scan common web ports across a subnet.

Directory Brute Force

Command	Description
`dirb http://<IP>/ /usr/share/wordlists/dirb/common.txt`	Basic directory brute force.
`dirb http://<IP>/ /usr/share/metasploit-framework/data/wordlists/directory.txt`	Using Metasploit wordlist.
`gobuster dir -u http://<IP>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`	Gobuster directory scan.
`gobuster dir -u http://<IP>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,bak`	Include file extension brute force.
`ffuf -u http://<IP>/FUZZ -w /usr/share/wordlists/dirb/common.txt`	ffuf directory fuzzing.
`ffuf -u http://<IP>/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.txt,.html`	ffuf with extensions.

Metasploit HTTP Modules

Module	Description
`auxiliary/scanner/http/http_version`	Detect HTTP server version.
`auxiliary/scanner/http/brute_dirs`	Brute force web directories.
`auxiliary/scanner/http/robots_txt`	Retrieve and parse robots.txt.
`auxiliary/scanner/http/dir_scanner`	Directory scanner.

Useful Wordlists

Path	Use case
`/usr/share/wordlists/dirb/common.txt`	Common directories (small, fast)
`/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`	Medium directory list
`/usr/share/wordlists/rockyou.txt`	Password brute force
`/usr/share/metasploit-framework/data/wordlists/common_users.txt`	Common usernames
`/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt`	Common passwords