Web Enumeration Tools

Dirb

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response.

DIRB comes with a set of preconfigured attack wordlists for easy usage but you can use your custom wordlists. Also DIRB sometimes can be used as a classic CGI scanner, but remember is a content scanner not a vulnerability scanner.

Gobuster

it tries to find valid directories from a wordlist of possible directories. gobuster can also be used to valid subdomains using the same method.

Nikto

It is commonly used to check for common CVE's such as shellshock, and to get general information about the web server that you're enumerating.

OWASP Zap Scanner

OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https.