DirBuster – Brute force a web server for interesting things

You would be surprised at what people leave unprotected on a web server. DirBuster, one of the tools in our Full Vulnerability Assessment toolkit, does a simple job and does it very well: it is a Java application that brute forces directory and file names on a web server or virtual host. This often reveals unprotected web applications, scripts, old configuration files and many other things that should not be available to the public.

It works through a dictionary file of known file and directory names, requesting each one and recording what the server answers, and you can choose which dictionary to use. A hit is any response that differs from the server's usual "not found" reply, so check first how the target answers a path that cannot exist: a site that returns 200 for every URL (a "soft 404") will otherwise make every word in the list look like a find.

Plenty of documentation is available on the OWASP website.

For a quick install (Java 1.6 or higher is required), the following works on Linux (Ubuntu / Fedora / Suse) and Windows:

1. Unzip or untar the download
2. cd into the program directory
3. Run the program with java -jar DirBuster-0.10.jar (Windows users should be able to just double click on the jar)
4. The recommended list to start with is directory-list-2.3-medium.txt (several different word lists ship with the package)
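To make clear what the tool is actually doing against a target, here is an added, stripped-down brute forcer written for this post. It is not DirBuster's code and it uses only the Python standard library. The wordlist and the "forgotten files" on the target are constructed for the example (a real run would use a list such as directory-list-2.3-medium.txt against a real host); the target is a throwaway HTTP server started on 127.0.0.1 so the script runs offline. The one detail worth copying into any home-grown scanner is the baseline request to a random path, which is how a soft-404 site is kept from flooding the results.

```python
"""Minimal DirBuster-style directory brute forcer (added example, not DirBuster code)."""
import http.client
import http.server
import secrets
import threading
from http import HTTPStatus

# Constructed wordlist and extension set, standing in for a real dictionary file.
WORDLIST = ["admin", "backup", "config", "images", "js", "login", "old", "test"]
EXTENSIONS = ["", ".php", ".bak", ".txt"]


class _FakeSite(http.server.BaseHTTPRequestHandler):
    """Constructed target: a few unprotected leftovers, a normal 404 for the rest."""

    # Hypothetical content; nothing here comes from a real host.
    CONTENT = {
        "/admin/": b"<html>admin login</html>",
        "/config.bak": b"db_host=localhost\n",
        "/old/": b"<html>old site</html>",
    }

    def do_GET(self):
        # A directory requested without its trailing slash redirects, as most
        # servers do; a scanner therefore has to treat 301/302 as a find too.
        if self.path + "/" in self.CONTENT:
            self.send_response(HTTPStatus.MOVED_PERMANENTLY)
            self.send_header("Location", self.path + "/")
            self.end_headers()
            return
        body = self.CONTENT.get(self.path)
        if body is None:
            self.send_error(HTTPStatus.NOT_FOUND)
            return
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        return  # keep the demo output quiet


def start_fake_site():
    """Bind the constructed target to a free port on localhost and serve in a thread."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _FakeSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_status(host, port, path, timeout=5):
    """Return the HTTP status code for GET <path>, without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can be closed cleanly
        return resp.status
    finally:
        conn.close()


def brute_force(host, port, words=WORDLIST, exts=EXTENSIONS):
    """Probe /<word> and /<word><ext> for every entry; return {path: status} of hits.

    A hit is any response whose status differs from the baseline obtained for a
    random path that cannot exist. That baseline is what stops a soft-404 site
    (200 for everything) from turning the whole wordlist into false positives.
    """
    baseline = fetch_status(host, port, "/" + secrets.token_hex(8))
    hits = {}
    for word in words:
        for ext in exts:
            path = f"/{word}{ext}"
            status = fetch_status(host, port, path)
            if status != baseline:
                hits[path] = status
    return hits


def run_demo():
    """Start the constructed target, scan it, tear it down, and return the hits."""
    site = start_fake_site()
    host, port = site.server_address
    try:
        return brute_force(host, port)
    finally:
        site.shutdown()
        site.server_close()


if __name__ == "__main__":
    for path, status in sorted(run_demo().items()):
        print(f"{status} {path}")
```

Against the constructed target the scan reports /admin and /old as 301 redirects (directories) and /config.bak as a 200, while the rest of the wordlist matches the 404 baseline and is dropped. Against a real host, run it with a proper dictionary, add a request delay, and expect a large log on the target side: every probe is a GET the web server will record, which is also what a defender can alert on.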

You can also test this out on the excellent Samurai Web Application Security Testing LiveCD.
