Skip to content

How do you enumerate a web server you've never seen before?

Short answer

Identify the stack from headers and source, then brute force directories and files with gobuster or feroxbuster using a good wordlist and relevant extensions. Look for admin panels, backups, config files, and upload points, and check virtual hosts when the site responds to a hostname.

A web service is the most common foothold on OSCP boxes, and the homepage almost never shows the vulnerable component. Web enumeration is about uncovering the parts of the app the developer did not intend you to see.

Fingerprint first

Check response headers, cookies, and page source to identify the server (Apache/IIS/nginx), language (PHP/ASP.NET), and any framework or CMS. The stack decides everything downstream — which extensions to brute force and which exploits apply.

Brute force content

Use gobuster, feroxbuster, or ffuf against a quality wordlist (the SecLists collection is standard). Two details make or break this:

  • Extensions. Pass -x php,txt,bak (or asp,aspx on IIS) so you find config.php, backup.bak, and admin.php, not just directories.
  • Recursion. When you find a directory, brute force inside it too.

You are hunting for admin panels, login pages, file uploads, robots.txt, backup and config files, and version-revealing paths.

Virtual hosts and source

If the app behaves differently when you send a Host: header, fuzz vhosts with a hostname wordlist — many boxes hide a second site behind a virtual host not in DNS. Always read HTML comments and linked JavaScript; credentials, internal paths, and API endpoints leak there constantly.

Why manual matters

Automated scanners miss context. A human notices that an "upload" page paired with a directory-listing folder means you can drop and execute a webshell — a chain no single tool reports.

What interviewers look for

They want directory and file brute forcing with the right extensions, source review, and vhost discovery — described as deliberate steps. "I'd just look at the website" is the answer that fails.

Likely follow-ups

  • Why does the file extension you pass to gobuster matter?
  • How would you discover a virtual host that isn't in DNS?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.