Directory Brute Force with Feroxbuster
reconchecklist
Summary
If 302 found, ask why — scan for default creds. Try Feroxbuster.
Walkthrough
Brute-force hidden directories and common file extensions on the web root. A hit is a 200, 301, 403, or suspicious 302 redirect exposing admin panels, config files, or backup paths—follow redirects and try default credentials.
Commands
bash
feroxbuster -u http://<IP> -x php,txt,html,config