How To Find Hidden Files/Folders On A Web Server

This tutorial will help you find some hidden gems in a web server, that may come in handy.

There is a great tool for this task, called DirBuster. It is included in Kali Linux. This is designed to brute force web and application servers. The tool can brute force directories and files.

So if you start the app, you’ll see a lot of options to play with.
If you’re not a pro, who wants to tweak stuff, just enter the target URL and hit start.
Then It’ll use a list, and the findings will be shown to you.

Some options, you can tweak:

Number of threads. If you got a good internet connection, you can set it a bit up, if there is no defence on the server against brute-forcing.

Scanning type. You can go with pre-defined lists, or you can choose pure brute force. The last will give more result but will take way longer.

Be Recursive. This option will let the app scan in subdirs like they were the root. This will take longer but could give more results. I usually tick this in.

File extension. If you’re looking for specific stuff, you can filter for the extensions.

NOTE: DirBuster is a little old, you can use dirstalk instead: