Dirbuster

Medium word list is a good place to start. SecLists fuzzing lists as well; raft is a good one.

If target is linux (apache, etc); use the following extensions

php,htm,html,txt,zip

If target is Windows; use the following extensions

php,aspx,txt,zip

GOBUSTER

gobuster -w /usr/share/wordlists/directory-list-lowercase-2.3-medium.txt -h http://<target> -o gobustlist 

WFUZZ

wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 http://<target>/?FUZZ

Tee that out to a file to grep later. 

OTHERS

OWASP ZAP tool is a decent free spidering tool.

Burp Suite Intruder and plugins are very useful for discovery.

References

http://www.whitelist1.com/2018/04/http-basic-authentication-bruteforce.html