Skip to content

03. HTTP Apache Enumeration

Apache HTTP server is one of the most common web servers used across the internet. Enumeration of Apache helps identify:

  • Apache version (for CVEs)
  • Directory structure
  • Hidden files (robots.txt, backup files)
  • Accessible content
  • Potential misconfigurations

1. Apache Banner Grabbing Using Nmap

nmap <IP Address> -sV -p 80 --script banner

Purpose:

  • Grabs the service banner from the Apache HTTP server.

  • Helps fingerprint the software version, which can be used for CVE lookup.

Example:

nmap 192.168.1.20 -sV -p 80 --script banner

Output:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

2. Apache Version Detection Using Metasploit

msfconsole
use auxiliary/scanner/http/http_version
set rhost <IP Address>
run

Purpose:

  • Detects the HTTP server version and banner.

  • Useful for automated version checks and vulnerability matching.

Example:

use auxiliary/scanner/http/http_version
set rhost 192.168.1.20
run

Output:

[+] 192.168.1.20:80 Apache httpd 2.4.29 ((Ubuntu))

3. Retrieve Web Page Using curl

curl <IP Address> | more

Purpose:

  • Retrieves and prints the homepage HTML content.

  • Quick way to view the raw response from Apache server.

Example:

curl 192.168.1.20 | more

4. Download and View Web Page Using wget

wget "http://<IP Address>/index"
cat index | more

Purpose:

  • Downloads a specific file (like /index) and prints its contents.

  • Useful to manually inspect page source or analyze offline.

Example:

wget "http://192.168.1.20/index"
cat index | more

5. Browse Apache Site in Text Mode – Using browsh and lynx

browsh (Graphical text-based browser):

browsh --startup-url <IP Address>

lynx (Simple text-only browser):

lynx http://<IP Address>

Purpose:

  • Allows navigating Apache web content in CLI.

  • Great for low-bandwidth inspection or CTF-style interfaces.

6. Directory Brute-forcing Using Metasploit

msfconsole
use auxiliary/scanner/http/brute_dirs
set rhost <IP Address>
exploit

Purpose:

  • Brute-forces common directories on the Apache server.

  • Reveals hidden or unlisted folders like /admin, /backup, /uploads.

Example:

use auxiliary/scanner/http/brute_dirs
set rhost 192.168.1.20
run

7. Directory Brute-forcing Using dirb

dirb http://<IP Address> /usr/share/seclists/Discovery/Web-Content/common.txt

Some Wordlists: 

/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

Purpose:

  • CLI tool for brute-forcing directories and files using wordlists.

  • Helps identify accessible content even if not linked on the homepage.

Example:

dirb http://192.168.1.20 /usr/share/seclists/Discovery/Web-Content/common.txt

8. Discover robots.txt Using Metasploit

msfconsole
use auxiliary/scanner/http/robots_txt
set rhost <IP Address>
run

Purpose:

  • Retrieves the robots.txt file.

  • This file often contains restricted or sensitive paths disallowed for search engines (like /private, /admin, etc.).

Example:

use auxiliary/scanner/http/robots_txt
set rhost 192.168.1.20
run

Summary Table

Tool/Command Purpose What You Discover
nmap --script banner Grabs Apache version Banner info
Metasploit http_version Fingerprint server Apache version
curl, wget View web pages Manual inspection
lynx, browsh CLI browsing Apache site view
Metasploit brute_dirs Directory fuzzing Hidden dirs
dirb Brute force paths Admin, dev, test
Metasploit robots_txt Check disallowed URLs Sensitive folders