Use this as a fast reference during web server enumeration and review.
Fingerprint
nmap -sV -sC -p80,443,8080,8000,8443 target
curl -i http://target/
curl -I http://target/
curl -i http://target/does-not-exist
whatweb http://target/
nikto -h http://target/
Host header check:
curl -i -H "Host: test.example.local" http://TARGET_IP/
Virtual host fuzz:
ffuf -u http://TARGET_IP/ -H "Host: FUZZ.example.local" \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Directory fuzz:
gobuster dir -u http://target/ \
-w /usr/share/seclists/Discovery/Web-Content/common.txt
Interesting Paths
Generic:
/.git/
/.env
/backup.zip
/backup.tar.gz
/config.php.bak
/database.sql
/admin/
/uploads/
/static/
/api/
Apache:
/server-status
/server-info
/cgi-bin/
/.htaccess
/.htpasswd
/icons/
/manual/
NGINX:
/nginx_status
/stub_status
/status
/uploads/
/static/
IIS:
/aspnet_client/
/trace.axd
/elmah.axd
/web.config
/App_Data/
/bin/
Apache Files
Config:
/etc/apache2/apache2.conf
/etc/apache2/envvars
/etc/apache2/ports.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/
Logs:
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/apache2/other_vhosts_access.log
/var/log/httpd/access_log
/var/log/httpd/error_log
Webroots:
/var/www/html/
/srv/www/
/usr/local/apache2/htdocs/
Local commands:
apache2ctl -S
apache2ctl -M
apache2ctl -t
NGINX Files
Config:
/etc/nginx/nginx.conf
/etc/nginx/sites-enabled/default
/etc/nginx/sites-available/default
/etc/nginx/conf.d/
/usr/local/etc/nginx/nginx.conf
/usr/local/nginx/conf/nginx.conf
Logs:
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/nginx/access_log
/var/log/nginx/error_log
Webroots:
/usr/share/nginx/html/
/var/www/html/
/var/www/
Local commands:
nginx -t
nginx -T
systemctl status nginx
IIS Files
Config:
C:\Windows\System32\inetsrv\config\applicationHost.config
C:\Windows\System32\inetsrv\config\administration.config
web.config
Logs:
C:\inetpub\logs\LogFiles\
C:\Windows\System32\LogFiles\HTTPERR\
Webroots:
C:\inetpub\wwwroot\
C:\inetpub\
Local commands:
Import-Module WebAdministration
Get-Website
Get-WebBinding
Get-WebApplication
Get-ChildItem IIS:\AppPools
Appcmd:
%windir%\system32\inetsrv\appcmd.exe list site
%windir%\system32\inetsrv\appcmd.exe list apppool
%windir%\system32\inetsrv\appcmd.exe list config
Log Poisoning
Safe marker:
curl -A "ootw-log-marker" http://target/
Common logs:
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
C:\inetpub\logs\LogFiles\
Required chain:
controlled input reaches log
+ application can include/read that log
+ runtime interprets included content as code
Upload And Handler Checks
Ask:
Where is the upload stored?
Is the upload path under the webroot?
Can the file be requested directly?
Which extensions execute?
Are per-directory config files allowed?
Can handlers be changed?
Apache risk:
.htaccess upload + AllowOverride + handler remap
IIS risk:
web.config upload + permissive directory config + handler/staticContent changes
NGINX risk:
uploaded .php + global PHP-FPM location + upload path under webroot
IIS Tilde
Concept:
Long filename: SecretDocuments
Short name: SECRET~1
Tools:
IIS-ShortName-Scanner
shortscan
sns
Metasploit iis_shortname_scanner
Follow-up:
gobuster dir -u http://target/ -w candidates.txt -x asp,aspx,config,txt,zip,bak
Detection:
requests containing ~1
requests containing *~1*
large bursts of 404/400 during name probing
Dangerous HTTP Verbs
Check:
curl -i -X OPTIONS http://target/
Review if enabled:
PUT
MOVE
COPY
DELETE
PROPFIND
MKCOL
TRACE
TRACK
These are not automatically exploitable. They become findings when they allow writes, disclosure, cross-site tracing, or unexpected file operations.
Defensive Review
Confirm:
- Directory listing is disabled.
- Server status pages are restricted.
- Config files are not web-accessible.
- Logs are not readable through the application.
- Uploads are outside executable paths.
- Script execution is blocked in upload directories.
- Apache
AllowOverrideis disabled unless required. - IIS
web.configupload is blocked. - NGINX
aliasandproxy_passrules are reviewed. - Forwarded headers are trusted only from known proxies.
- WebDAV and unused modules are disabled.
- App pools and worker processes run with least privilege.
- Suspicious enumeration patterns are monitored.