I’ve been looking for a particular script which could be instructed into brute-forcing/enumerating [hidden] directories, simply that, and all I could find was the following Nessus plugin:
http://www.nessus.org/plugins/index.php?view=single&id=11032
Directory Scanner, by Digital Defense @ 2002
I know Nikto supposedly also takes care of enumerating directories but I haven’t yet looked at the code. I also looked for directory name wordlists but it looks like none are public. So I took all those directory names from the Nessus plugin and created a straight list (I’ll paste it below) and then a quick python script that is in a very raw form but will save you the first 2 minutes of programming a script which does the same thing.
Here’s everything, use it for good and educational purposes.
CheckDirs.py
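import time
import urllib.error
import urllib.request

# Base URL of the site to check (trailing slash required).
sitename = "http://whateversite.com/"
headers = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}

# dirs.txt holds one directory name per line; strip spaces and skip blank lines.
with open("dirs.txt", "r") as mfile:
    dirnames = [line.strip().replace(" ", "") for line in mfile]
dirnames = [d for d in dirnames if d]

with open("output.txt", "w") as fileout:
    for dirname in dirnames:
        address = sitename + dirname
        request = urllib.request.Request(address, None, headers)
        msg = "Trying.. " + dirname + "\n"
        print(msg)
        fileout.write(msg)
        try:
            urlfile = urllib.request.urlopen(request)
            # Keep only the first 200 bytes of the body as a preview.
            page = urlfile.read(200).decode("latin-1")
            msg = "Found!: " + page
            print(msg)
            fileout.write(msg)
            fileout.write("\n")
        except urllib.error.HTTPError as x:
            # Any error status other than 404 (for example 401 or 403)
            # suggests the path is there but not freely readable.
            if x.code != 404:
                msg = "It may exist!" + x.msg + "\n"
                print(msg)
                fileout.write(msg)
        except urllib.error.URLError as x:
            print("Time out? ", x)
            continue
        # Pause between requests.
        time.sleep(2)
print("Done.")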
And the list of directory names that needs further additions but serves the sample purpose:
.cobalt
1
10
2
3
4
5
6
7
8
9
AdminWeb
Admin_files
Administration
AdvWebAdmin
Agent
Agents
Album
CS
CVS
DMR
DocuColor
GXApp
HB
HBTemplates
IBMWebAS
Install
JBookIt
Log
Mail
Msword
NSearch
NetDynamic
NetDynamics
News
PDG_Cart
README
ROADS
Readme
SilverStream
Stats
StoreDB
Templates
ToDo
WebBank
WebCalendar
WebDB
WebShop
WebTrend
Web_store
XSL
_ScriptLibrary
_backup
_derived
_errors
_fpclass
_mem_bin
_notes
_objects
_old
_pages
_passwords
_private
_scripts
_sharedtemplates
_tests
_themes
_vti_bin
_vti_bot
_vti_log
_vti_pvt
_vti_shm
_vti_txt
a
acceso
access
accesswatch
acciones
account
accounting
activex
adm
admcgi
admentor
admin
admin-bak
admin-old
admin.back
admin_
administration
administrator
adminuser
adminweb
admisapi
agentes
analog
anthill
apache
app
applets
application
applications
apps
ar
archive
archives
asp
atc
auth
authadmin
aw
ayuda
b
b2-include
back
backend
backup
backups
bak
banca
banco
bank
banner
banner01
banners
batch
bb-dnbd
bbv
bdata
bdatos
beta
billpay
bin
boadmin
boot
btauxdir
bug
bugs
bugzilla
buy
buynow
c
cache-stats
caja
card
cards
cart
cash
caspsamp
catalog
cbi-bin
ccard
ccards
cd
cd-cgi
cdrom
ce_html
cert
certificado
certificate
cfappman
cfdocs
cfide
cgi
cgi-auth
cgi-bin
cgi-bin2
cgi-csc
cgi-lib
cgi-local
cgi-scripts
cgi-shl
cgi-shop
cgi-sys
cgi-weddico
cgi-win
cgibin
cgilib
cgis
cgiscripts
cgiwin
class
classes
cliente
clientes
cm
cmsample
cobalt-images
code
comments
common
communicator
compra
compras
compressed
conecta
conf
config
connect
console
controlpanel
core
corp
correo
counter
credit
cron
crons
crypto
csr
css
cuenta
cuentas
currency
customers
cvsweb
cybercash
d
darkportal
dat
data
database
databases
datafiles
dato
datos
db
dbase
dcforum
ddreport
ddrint
demo
demoauct
demomall
demos
design
dev
devel
development
dir
directory
directorymanager
dl
dm
dms
dms0
dmsdump
doc
doc-html
doc1
docs
docs1
document
documents
down
download
downloads
dump
durep
e
easylog
eforum
ejemplo
ejemplos
email
emailclass
employees
empoyees
empris
envia
enviamail
error
errors
es
estmt
etc
example
examples
exc
excel
exchange
exe
exec
export
external
f
fbsd
fcgi-bin
file
filemanager
files
foldoc
form
form-totaller
forms
formsmgr
forum
forums
foto
fotos
fpadmin
fpdb
fpsample
framesets
ftp
ftproot
g
gfx
global
grocery
guest
guestbook
guests
help
helpdesk
hidden
hide
hit_tracker
hitmatic
hlstats
home
hostingcontroller
ht
htbin
htdocs
html
hyperstat
ibank
ibill
icons
idea
ideas
iisadmin
iissamples
image
imagenes
imagery
images
img
imp
import
impreso
inc
include
includes
incoming
info
information
ingresa
ingreso
install
internal
intranet
inventory
invitado
isapi
japidoc
java
javascript
javasdk
javatest
jave
jdbc
job
jrun
js
jserv
jslib
jsp
junk
kiva
labs
lcgi
lib
libraries
library
libro
links
linux
loader
log
logfile
logfiles
logg
logger
logging
login
logon
logs
lost+found
mail
mail_log_files
mailman
mailroot
makefile
mall_log_files
manage
manual
marketing
members
message
messaging
metacart
misc
mkstats
movimientos
mqseries
msql
mysql
mysql_admin
ncadmin
nchelp
ncsample
netbasic
netcat
netmagstats
netscape
netshare
nettracker
new
nextgeneration
nl
noticias
objects
odbc
old
old_files
oldfiles
oprocmgr-service
oprocmgr-status
oracle
oradata
order
orders
outgoing
owners
pages
passport
password
passwords
payment
payments
pccsmysqladm
perl
perl5
personal
pforum
phorum
php
phpBB
phpMyAdmin
phpPhotoAlbum
phpSecurePages
php_classes
phpclassifieds
phpimageview
phpnuke
phpprojekt
piranha
pls
poll
polls
postgres
ppwb
printers
priv
privado
private
prod
protected
prueba
pruebas
prv
pub
public
publica
publicar
publico
publish
purchase
purchases
pw
random_banner
rdp
register
registered
report
reports
reseller
restricted
retail
reviews
root
rsrc
sales
sample
samples
save
script
scripts
search
search-ui
secret
secure
secured
sell
server-info
server-status
server_stats
servers
serverstats
service
services
servicio
servicios
servlet
servlets
session
setup
share
shared
shell-cgi
shipping
shop
shopper
site
siteadmin
sitemgr
siteminder
siteminderagent
sites
siteserver
sitestats
siteupdate
smreports
smreportsviewer
soap
soapdocs
software
solaris
source
sql
squid
src
srchadm
ssi
ssl
sslkeys
staff
stat
statistic
statistics
stats
stats-bin-p
stats_old
status
storage
store
storemgr
stronghold-info
stronghold-status
stuff
style
styles
stylesheet
stylesheets
subir
sun
super_stats
support
supporter
sys
sysadmin
sysbackup
system
tar
tarjetas
te_html
tech
technote
temp
template
templates
temporal
test
test-cgi
testing
tests
testweb
ticket
tickets
tmp
tools
tpv
trabajo
transito
transpolar
tree
trees
updates
upload
uploads
us
usage
user
userdb
users
usr
ustats
usuario
usuarios
util
utils
vfs
w-agora
w3perl
way-board
web
web800fo
webMathematica
web_usage
webaccess
webadmin
webalizer
webapps
webboard
webcart
webcart-lite
webdata
webdb
webimages
webimages2
weblog
weblogs
webmaster
webmaster_logs
webpub
webpub-ui
webreports
webreps
webshare
website
webstat
webstats
webtrace
webtrends
windows
word
work
wsdocs
wstats
wusage
www
www-sql
wwwjoin
wwwlog
wwwstat
wwwstats
xGB
xml
xtemp
zb41
zipfiles
~1
~admin
~log
~root
~stats
~webstats
~wsdocs
track
tracking
BizTalkTracking
BizTalkServerDocs
BizTalkServerRepository
MessagingManager
iisprotect
mp3
mp3s
acid
chat
eManager
keyserver
search97
tarantella
webmail
flexcube@
flexcubeat
ganglia
sitebuildercontent
sitebuilderfiles
sitebuilderpictures
WSsamples
mercuryboard
tdbin
AlbumArt_
faq
ref
cmp
cgi-bim
cgi-isapi
wavemaster.internal
urchin
urchin3
urchin5
publisher
en
en-US
fr
intl
about
aspx
Boutiques
business
content
Corporate
company
client
DB4Web
dll
frameset
howto
legal
member
myaccount
obj
offers
personal_pages
rem
Remote
serve
shopping
slide
solutions
v4
wws
squirrelmail
dspam
cacti
themes
xampp
manager
balancer
lampp
tor
Hope that helps you start a basic script!
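Seen from the server side, a run of CheckDirs.py appears in the access log as one client requesting many distinct top-level paths, most of them answered with 404. The detector below is an added example, not part of the original post; the Combined Log Format input, the thresholds and the sample log lines (documentation IP addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

def find_dir_scanners(lines, window=timedelta(minutes=5), min_paths=8, min_404_ratio=0.7):
    """Return {client_ip: distinct_path_count} for clients that asked for at least
    min_paths distinct top-level paths inside `window`, mostly answered with 404."""
    recent = defaultdict(deque)  # ip -> (timestamp, top-level path, status) in window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        ip, ts, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        top = "/" + path.split("?", 1)[0].lstrip("/").split("/", 1)[0]
        q = recent[ip]
        q.append((when, top, int(status)))
        while when - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        paths = {p for _, p, _ in q}
        misses = sum(1 for _, _, s in q if s == 404)
        if len(paths) >= min_paths and misses / len(q) >= min_404_ratio:
            flagged[ip] = max(flagged.get(ip, 0), len(paths))
    return flagged

def sample_log():
    """Constructed log: one client walking wordlist names every 2 s, one normal visitor."""
    names = ["_backup", "_private", "admin", "backup", "cgi-bin",
             "config", "db", "logs", "old", "test"]
    start = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    lines = []
    for i, name in enumerate(names):
        ts = (start + timedelta(seconds=2 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        status = 403 if name == "cgi-bin" else 404
        lines.append(f'203.0.113.7 - - [{ts}] "GET /{name} HTTP/1.1" {status} 0 "-" "{ua}"')
    for i, path in enumerate(["/", "/images/logo.png", "/css/site.css", "/favicon.ico"]):
        ts = (start + timedelta(seconds=5 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        status = 404 if path == "/favicon.ico" else 200
        lines.append(f'198.51.100.20 - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')
    return lines
```

The detector keys on request behaviour rather than the User-Agent string, which a client can set to anything; tune `min_paths` and `min_404_ratio` against your own traffic before alerting on them.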