Web enumeration in real pentesting


When doing web enumeration, at what point do you consider that you’ve enumerated the whole website (especially in real pentesting)?

I ask this question because it now happened to me a few time on Hack The Box that my enumeration with dirb/dirbuster/wfuzz and whatnot did not reveal to me the things I was looking for. At this point I’m basically stuck and come to the forum to see hints regarding the challenge/box only to see that I just missed a file/directory and try again with so many wordlists until I finally find it.

Obviously, on real pentesting, you do not have such forum to hint you that you missed a file, hence my questions:

What is your approach to enumerate the websites, and at what point do you consider your enumeration done?
Do you always use multiple wordlists, or maybe a particularly good one?
And finally, is your approach similar in a CTF context or are you more aggressive/thorough in that case?

Thank you in advance for your answers!

Edit: When I say enumeration, I’m actually more referring to files/directories discovery using tools such as dirbuster and different wordlists.

Let’s call it research. I think it’s done by writing down what you did and what you did not. Pretty obvious that you cannot just start researching a website and complete everything you need within 2-3 hours for one simple reason: it takes time. It takes time to remind yourself about the rest of the tests you need to complete.

Learning is what you’re doing on HTB. You’re learning about new vulnerabilities so you could apply knowledge about them in a real life scenario, you’re expanding your “enumeration vocabulary” this way.

The more you learn, the larger your “enumeration vocabulary” becomes, and the better you know how things are done and what to do in general.

Thanks for your answer!

I was actually especially interseted in the directory/file discovery part of the enumeration, but I realise my phrasing doesn’t reflect it. I’ll edit my post to be more specific :slight_smile:

As you said, finding and testing the vulnerabilities on a website takes time and practice, I realised that. But I was asking this question regarding the discovery of directories and files (again sorry, it wasn’t clear) because I don’t feel like I’m really learning out of that, I’m just trying wordlists after wordlists until I find the files, because I know there are files to find. But again, in a real engagement you do not know that there are actual files to find, so when do you feel you can stop trying finding hidden files/directories?

so when do you feel you can stop trying finding hidden files/directories?

When I’m sure there are other ways and I can get around directory/files discovery.