This is an open source web scanner that looks for outdated versions, specific version problems, and other things

Syntax: nikto -host http://x.x.x.x
Through a proxy: nikto -host -useproxy http://<ip>:<port>


Gobuster is a command line tool that can brute force URI’s in websites. Gobuster is usually faster than Dirbuster, fwiw.

Syntax: gobuster dir -u http://x.x.x.x -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Through a Proxy: gobuster dir -u -p http://kalamari:[email protected]:3128 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40

Common Kali Wordlist Locations

  • /usr/share/wordlists/
  • /usr/share/wordlists/dirbuster/
  • /usr/share/wordlists/dirb/



Wfuzz is a tool for bruteforcing web applications. Documentation is available here:

Syntax: wfuzz -c -w <wordlist> <http://x.x.x.x/FUZZ>

wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -z list,-.pdf –hc 404,403 https://intra.redcross.htb/documentation/FUZZFUZ2Z

  • -c = output with colors
  • You need to specify the word FUZZ where you want the wordlist to hit in the URL.


python3 -u http://<IP address> -e php,html -x 400,401,403

WebDAV / davtest

WebDAV is an extension of HTTP that allows clients to perform remove Web content authoring. If you see it on a target, you can use a tool called davtest to try to enumerate.

Syntax: /usr/bin/davtest -url http://x.x.x.x

Leave a Reply

Your email address will not be published. Required fields are marked *