While most of the files within a web server are directly handled by the server itself, it isn’t uncommon to find unreferenced or forgotten files that can be used to obtain important information about the infrastructure or the credentials.
- Look in the HTML source to see whether display is conditional (e.g. a menu displayed for admins only)
- Look at url/robots.txt
Backup files (.bak, .old, etc.): use Nmap or DirBuster.
Find web backup files with the Nmap script:
```bash
IP=x.x.x.x
DIR_SPIDER="/"
nmap -sV -p 80,443 --script=/usr/share/nmap/scripts/http-backup-finder.nse --script-args "http-backup-finder.url=${DIR_SPIDER}" $IP
```
Manually, using the name patterns from the Nmap script code:
{basename}.bak
{basename}.{suffix}~ -- emacs
{basename} copy.{suffix} -- mac copy
Copy of {basename}.{suffix} -- windows copy
Copy (2) of {basename}.{suffix} -- windows second copy
{basename}.{suffix}.1 -- generic backup
{basename}.{suffix}.~1~ -- bzr --revert residue
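The same name patterns can be checked from the defender's side, directly on the server's document root, so residue is removed before a scanner finds it. This is an added example, not code from the Nmap script: the function names, the split at the last dot and the extra check for orphaned `.bak`/`.old`/`~` files are assumptions of this sketch.

```python
import os

# Name templates copied from the list above; {basename}/{suffix} as on the page.
TEMPLATES = [
    "{basename}.bak",
    "{basename}.{suffix}~",
    "{basename} copy.{suffix}",
    "Copy of {basename}.{suffix}",
    "Copy (2) of {basename}.{suffix}",
    "{basename}.{suffix}.1",
    "{basename}.{suffix}.~1~",
]
# Extensions named in the text (.bak, .old) plus the editor "~" suffix.
ORPHAN_ENDINGS = (".bak", ".old", "~")


def backup_names(filename):
    """Expand the templates for one file name, split at its last dot (assumption)."""
    basename, dot, suffix = filename.rpartition(".")
    if not dot or not basename:
        return []  # no extension, or a dotfile: nothing to expand
    return [t.format(basename=basename, suffix=suffix) for t in TEMPLATES]


def find_backup_residue(webroot):
    """Return sorted (relative_path, reason) pairs for files that look like backups."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        present = set(files)
        for name in files:
            # A variant sitting next to its original is the strongest signal.
            for variant in backup_names(name):
                if variant != name and variant in present:
                    path = os.path.relpath(os.path.join(dirpath, variant), webroot)
                    findings[path] = "backup of " + name
        for name in files:
            # Orphans: the original is gone but the backup ending remains.
            if name.lower().endswith(ORPHAN_ENDINGS):
                path = os.path.relpath(os.path.join(dirpath, name), webroot)
                findings.setdefault(path, "backup extension")
    return sorted(findings.items())


if __name__ == "__main__":
    import sys
    for path, reason in find_backup_residue(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\t{reason}")
```

Run it with the document root as the only argument; each reported file should be deleted or moved outside the web root.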