You would be surprised at what people leave unprotected on a web server. In our Full Vulnerability Assessment toolkit is a tool that does a simple job and does it very well. DirBuster is a Java application that will brute force web directories and filenames on a web server / virtual host. This can often reveal unprotected web applications, scripts, old configuration files and many other interesting things that should not be available to the public.
It runs against a dictionary file of known filenames / directories, and you are able to specify the dictionary you want to use.
There is plenty of documentation on the OWASP website.
For a quick install guide (you need Java 1.6 or higher), this will work on Linux (Ubuntu / Fedora / Suse) and Windows:
1. Unzip or untar the download
2. cd into the program directory
3. To run the program: java -jar DirBuster-0.10.jar (Windows users should be able to just double-click the jar)
4. The recommended list to use is directory-list-2.3-medium.txt (a number of different word lists come with the package)
You can also test this out on the excellent Samurai Web Application Security Testing LiveCD.
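The flip side of the tool described above is spotting such a sweep in your own access logs. The following is an added example, not part of the original post or of DirBuster: it parses Apache/nginx "combined" log lines (the LOG_RE layout is an assumption), flags any client whose requests are mostly 404s, and lists the paths that client did find, which are the ones to review first. The log lines and User-Agent strings are constructed.

```python
import re
from collections import defaultdict

# Assumes Apache/nginx "combined" log format; adapt LOG_RE to your LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (not a real log): a normal visitor, then a client sweeping
# a wordlist. The User-Agent values are made up; the detection below ignores
# the UA on purpose, since a scanner can send any string it likes there.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin HTTP/1.1" 404 210 "-" "Scanner/0.1"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /backup HTTP/1.1" 404 210 "-" "Scanner/0.1"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /old HTTP/1.1" 404 210 "-" "Scanner/0.1"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /test HTTP/1.1" 404 210 "-" "Scanner/0.1"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /config.old HTTP/1.1" 200 301 "-" "Scanner/0.1"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /tmp HTTP/1.1" 404 210 "-" "Scanner/0.1"
"""

def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_sweeps(log_text, min_requests=5, min_miss_ratio=0.8):
    """Return {ip: summary} for clients whose share of 404s exceeds the threshold."""
    per_ip = defaultdict(lambda: {"requests": 0, "misses": 0, "found": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than crash
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == "404":
            s["misses"] += 1
        elif rec["status"].startswith("2"):
            s["found"].append(rec["path"])  # the sweep's hits: review these first
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["misses"] / s["requests"]
        if s["requests"] >= min_requests and ratio >= min_miss_ratio:
            flagged[ip] = {"requests": s["requests"], "miss_ratio": round(ratio, 2),
                           "found": sorted(s["found"])}
    return flagged
```

On a real log, run find_sweeps over a sliding time window (for example the last few minutes of lines) rather than the whole file, so a site's normal background of 404s neither masks a burst nor trips the threshold on its own.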