Website enumeration involves discovering resources that the web server is using, as well as the underlying technology that the web server is running on. This information can help you choose more effective vectors to use in an attack, as well as exploit vulnerabilities in specific versions of web server software.

You can use several tools to enumerate websites, including a browser, Nmap, Metasploit, dirbuster, and many more.


The simplest way to start website enumeration is to open a browser to popular directory names and note the HTTP response code. For example:

  • http://www.example.tld/admin (401)
  • http://www.example.tld/cgi-bin (403)
  • http://www.example.tld/test (404)
  • http://www.example.tld/logs (200)
  • http://www.example.tld/bin (200)
  • http://www.example.tld/content (402)
  • http://www.example.tld/scripts (404)
  • http://www.example.tld/.well-known/

404 = "Not Found", 403 = "Forbidden", 402 = "Payment Required", 401 = "Unauthorized" (Must authenticate first), and 200 = "OK". You can therefore assume that directories which don't return a 404 exist.

Note: For a complete list of HTTP codes, see


Nmap has scripts you can use to enumerate information from popular web applications, including:

  • nmap --script=http-enum <target>
  • nmap --script=http-drupal-enum <target>
  • nmap -–script=http-php-version <target>
  • nmap --script=http-webdav-scan <target>
  • nmap --script=http-wordpress-enum <target>

Some websites are deliberately configured to use non-standard ports. nmap -sV can detect this. If you're not sure of the port, you can scan all of them. The following example will use a TCP connect scan against all open ports on IP It will try to determine what services are bound to these ports, thus (hopefully) identifying the web applications.

nmap –PN –sT –sV –p0-65535

You can then examine the output for web services:Interesting ports on (The 65527 ports scanned but not shown below are in state: closed) PORT      STATE SERVICE     VERSION 22/tcp    open  ssh         OpenSSH 3.5p1 (protocol 1.99) 80/tcp    open  http        Apache httpd 2.0.40 ((Red Hat Linux)) 443/tcp   open  ssl         OpenSSL 901/tcp   open  http        Samba SWAT administration server 1241/tcp  open  ssl         Nessus security scanner 3690/tcp  open  unknown 8000/tcp  open  http-alt? 8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1

The results show that:

  • There is an Apache HTTP server running on port 80.
  • There appears to be an HTTPS server on port 443. You would need to confirm this by opening a browser to
  • There is a Samba SWAT web interface on port 901.
  • The service on port 1241 is not HTTPS, but is the SSL-wrapped Nessus daemon.
  • There is an unspecified service on port 8000. To see if it's HTTP, open a browser to Alternatively, you could use telnet or Netcat to banner grab:

telnet 8000 (After making the connection, press Ctrl+] to break, then enter quit)

echo -en "GET / HTTP/1.0\n\n\n"|nc 80|grep Server

  • Apache Tomcat is running on port 8080.

Dirbuster is a GUI tool that ships with Kali Linux. Created by the OWASP group, it uses word lists to search for possible directory names on websites.

Dirbuster example