
DirBuster – Brute force a web server for interesting things

You would be surprised at what people leave unprotected on a web server.

What is DirBuster?

DirBuster is a project by OWASP that will brute force web directories and filenames on a web server / virtual host. This can often reveal unprotected web applications, scripts, old configuration files and many other interesting things that should not be available to the public.

It works through a dictionary file of known filenames and directory names, requesting each one against the target, and you can specify which dictionary to use.

Wordlist location

In Kali, the wordlists are located at /usr/share/wordlists/dirbuster:

apache-user-enum-1.0.txt
apache-user-enum-2.0.txt
directory-list-1.0.txt
directory-list-2.3-small.txt
directory-list-2.3-medium.txt
directory-list-lowercase-2.3-small.txt
directory-list-lowercase-2.3-medium.txt
directories.jbrofuzz

NOTE: DirBuster has been retired by OWASP. Although it is still available on Kali, it is no longer updated. The OWASP ZAP Forced Browse option is based on the code from the OWASP DirBuster project. Read the OWASP documentation here.