I am really thinking out loud here and hopefully either someone can correct me in my thinking or point to a solution. I am scanning my internal corporate network for some standard ports (21,22,23,80,443 etc) to get a better idea of the applications that are running. Is there a tool that exists that will give me all URLs that are listening on port 80? For instance, I find a server named aaaa that has port 80 open. When I browse to http://aaaa I find the default IIS page but if there are pages that exist under the default site http://aaaa/bbbb/index.html I would have to know their exact location. Is my thinking flawed? If not, is there a utility that might be able to show shared folders or pages running under IIS?
As expected, IIS or Apache is installed with no REAL sites being hosted. I cannot wait to hear the reasoning for having webserver software installed without hosting any sites. Thank you gentlemen for your help as I will now add this tool to the arsenal.