Web server enumeration is one of those tasks that every pentester does, but almost nobody enjoys doing manually. Checking HTTP methods, looking for enabled WebDAV, hunting for server-status pages, poking at FrontPage Extensions — it’s repetitive, time-consuming, and easy to miss something when you’re doing it by hand across multiple targets.

HTTP Enum automates that. Here’s what it covers.

What HTTP Enum does

At its core, HTTP Enum identifies the HTTP methods enabled on a target web server — GET, POST, PUT, DELETE, OPTIONS, TRACE, and so on. Knowing which methods are enabled matters. An enabled PUT method on the wrong endpoint is a file upload vulnerability. An enabled TRACE can assist with cross-site scripting attacks. These things get missed when enumeration is manual.

Beyond method detection, the tool fingerprints deployed web technologies and checks for common misconfigurations across a range of server types:

Apache — Checks for server-status exposure (a surprisingly common misconfiguration that leaks active connections, request history, and internal IP addresses) and WebDAV support on Apache httpd.

IIS — Checks for WebDAV and Microsoft FrontPage Extensions. FrontPage Extensions are ancient, but they still show up — and when they do, they’re often misconfigured.

Microsoft SharePoint — Added in v0.3. SharePoint installations have their own set of enumeration checks worth running separately.

SSL/TLS scanning — Added in v0.2, along with configurable probing delays for situations where aggressive scanning would trigger rate limiting or alerts.
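
To make the method and WebDAV/FrontPage checks above concrete, here is an added example (not code from HTTP Enum itself) that reads the response to an OPTIONS request and reports which methods deserve review and whether WebDAV or FrontPage Extensions are advertising themselves. The function name, the review list and both sample responses are assumptions constructed for illustration.

```python
from email.parser import Parser

# Assumed review list for this example: write-capable and diagnostic methods.
REVIEW_METHODS = {"PUT", "DELETE", "TRACE"}
# Methods defined by WebDAV (RFC 4918).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def audit_options_response(raw: str) -> dict:
    """Summarise an OPTIONS response from its status line and headers."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % status_line)
    headers = Parser().parsestr(header_block, headersonly=True)

    # Allow is the standard header; some IIS versions also send Public.
    methods = set()
    for name in ("Allow", "Public"):
        for value in headers.get_all(name, []):
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())

    author_via = (headers.get("MS-Author-Via") or "").upper()
    return {
        "status": int(parts[1]),
        "methods": sorted(methods),
        "review": sorted(methods & REVIEW_METHODS),
        # A DAV compliance header or any WebDAV method means WebDAV is answering.
        "webdav": "DAV" in headers or bool(methods & WEBDAV_METHODS) or "DAV" in author_via,
        # FrontPage Server Extensions advertise themselves as MS-FP/<version>.
        "frontpage": "MS-FP" in author_via,
    }

# Constructed sample responses (not captured from a real host).
LEGACY_IIS = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
    "MS-Author-Via: MS-FP/4.0,DAV\r\nDAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, PROPFIND, MKCOL, LOCK, UNLOCK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, PUT, DELETE\r\n\r\n"
)
LOCKED_DOWN = "HTTP/1.1 200 OK\r\nServer: Apache\r\nAllow: GET,HEAD,POST,OPTIONS\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("legacy", LEGACY_IIS), ("locked-down", LOCKED_DOWN)):
        print(label, audit_options_response(raw))
```

An Allow header only states what the server claims to accept, so treat each flagged method as something to confirm against the server configuration rather than as a finding on its own.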

Why this exists

Manual HTTP fingerprinting across multiple targets in a real engagement is slow enough that things get skipped. The goal with this tool was to make the consistent, repeatable parts of HTTP enumeration fast — so that the time saved goes into actually analysing what’s found rather than collecting it.

It’s not trying to replace tools like Nikto or Nmap’s HTTP scripts. It’s a focused, lightweight option for the specific fingerprinting tasks that come up most often.

Version history

  • v0.1 — Initial release. HTTP method enumeration, Apache server-status, IIS WebDAV, and FrontPage Extensions.
  • v0.2 — SSL/TLS scanning added. Probing delay option. General bug fixes.
  • v0.3 — Microsoft SharePoint support added. WebDAV for Apache httpd added.
  • v0.4 — Current release.

Download

The Python script and supporting files are available on GitHub:

https://github.com/nullsecuritynet/tools/blob/main/scanner/http-enum/release/http-enum-0.4.tar.gz

Pull it down, run it against a test environment, and read what it’s actually checking. The value isn’t just in the output — it’s in understanding why each check is there. An Apache server-status exposure that you found automatically means nothing if you don’t know what to do with it next.

Know your tools. Know what they’re looking for. That’s what makes the difference.