Web Servers & Crawling
Web Servers
Web servers are a critical part of any organization's network. Most companies/organizations have a website and possibly have internal sites that the public is not aware of. We should examine a web server during a pentest because:
Attack Surface Assessment: Web servers are publicly accessible and often host web applications, websites, APIs and more! These could all have vulnerabilities or could be misconfigured. When analyzing a web server, an ethical hacker could find a potential entry point.
Application Security: A web server could be hosting a web application, and these are a great target for an attack. In testing the application security, an ethical hacker will test for cross-site scripting, cross-site request forgery and more!
Server Misconfigurations: Servers are configured by humans, and humans make mistakes. Ethical hackers should examine the server configuration to identify potential weaknesses such as weak credentials, unneeded services/ports, use of insecure protocols, poor file permissions or use of weak encryption.
File and Directory Enumeration: Web servers often host files and directories that may not be intended for public access. Ethical hackers should perform file and directory enumeration to identify sensitive files, backup files, configuration files, log files, or other resources that may contain valuable information. Accessing these files can provide insights into the server's configuration, reveal sensitive data, or help identify further attack vectors.
Server-Side Vulnerabilities: Web servers themselves may have vulnerabilities that can be exploited. Ethical hackers examine the server software, such as Apache HTTP Server, Nginx, Microsoft IIS, or others, to identify known vulnerabilities, outdated versions, or configuration weaknesses. Exploiting these vulnerabilities can provide unauthorized access, privilege escalation, or control over the server.
File and Directory Enumeration
The video provides a demo of using three different tools to find files and directories on a web server.
dirb
dirbuster
Burp Suite
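
Seen from the server side, wordlist-driven enumeration with tools like the ones above shows up in the access log as one client requesting many distinct paths in a short time, most of them answered with 404 or 403. The following is an added example, not part of the original notes, that flags that pattern; the function name, the thresholds (5 paths, 80% misses, 60 seconds) and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/Nginx "combined" format (documentation IPs, not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "example-scanner"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "example-scanner"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /config.php.bak HTTP/1.1" 404 196 "-" "example-scanner"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "example-scanner"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /logs/ HTTP/1.1" 403 199 "-" "example-scanner"
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "GET /images/ HTTP/1.1" 200 512 "-" "example-scanner"
198.51.100.20 - - [10/Mar/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:00:03 +0000] "GET /css/site.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
this line is truncated and must be skipped
'''

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_enumeration(lines, min_paths=5, min_miss_ratio=0.8, window=timedelta(seconds=60)):
    """Return {ip: (distinct_paths, miss_ratio)} for clients that probe many
    distinct paths, mostly answered 403/404, inside one time window."""
    per_ip = defaultdict(list)  # ip -> [(time, path, status)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip, do not crash
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m["ip"]].append((ts, m["path"].split("?")[0], int(m["status"])))
    flagged = {}
    for ip, reqs in per_ip.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1  # slide the window forward
            win = reqs[start:end + 1]
            paths = {p for _, p, _ in win}
            ratio = sum(s in (403, 404) for _, _, s in win) / len(win)
            if len(paths) >= min_paths and ratio >= min_miss_ratio:
                if len(paths) > flagged.get(ip, (0, 0.0))[0]:
                    flagged[ip] = (len(paths), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG.splitlines()))
```

The thresholds need tuning against real traffic, since a site with many broken links or an aggressive search crawler can produce similar bursts of 404s.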