Websites are often misconfigured in ways that allow an attacker to view directories that are not ordinarily meant to be seen. These directories can contain sensitive information such as private credentials or configuration files that can be used to devise an attack against the server. With a tool called Websploit, hackers can scan targets for these hidden directories without difficulty.
Websploit is an open-source framework used for testing web apps and networks. It is written in Python and uses modules to perform various activities such as directory scanning, man-in-the-middle attacks, and wireless attacks. In this tutorial, we will explore the directory scanner module and use it to find interesting directories on the target.
If you want to follow along with me, I’m using Kali Linux as the attacking machine and Metasploitable 2, an intentionally vulnerable virtual machine, as the target. Real-world scenarios will be very similar.