Gobuster
Gobuster is a fast and flexible command-line tool written in Go, used to brute-force:
- URIs (directories and files) on web servers
- DNS subdomains
- Virtual hosts
- S3 buckets
- Arbitrary parts of a request, via the fuzz mode, which substitutes each word for a FUZZ placeholder in the URL, headers or body
It is commonly used during web application enumeration to find hidden resources or endpoints.
How Gobuster Works
Gobuster takes a wordlist and appends each word to the target URL (dir mode) or to the target domain (dns and vhost modes). For every candidate it sends a request and reports the ones whose response indicates the resource exists, judged by status code rather than by page content. It is multithreaded, so it is much faster than older single-threaded tools such as dirb.
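To make that loop concrete, here is an added Python reimplementation of the dir-mode mechanics. It is example code written for this page, not gobuster's source: the INTERESTING status set, the mini-gobuster User-Agent, the WORDLIST and the FAKE_SITE target are all constructed for the example, and the target is served in-process so the script runs offline. It also shows the wildcard check gobuster performs before scanning: if a request for a random path already comes back with a positive status, every guess would look like a hit, and gobuster stops with a wildcard warning instead of producing thousands of false positives.

```python
"""Illustrative Python reimplementation of gobuster's dir-mode loop.

Added example, not gobuster's own code: wordlist + -x extensions appended to a
base URL, concurrent GETs, filtering by status, plus the pre-scan wildcard
check. The target site is constructed in-process so this runs offline.
"""
import http.server
import threading
import urllib.error
import urllib.request
import uuid
from concurrent.futures import ThreadPoolExecutor

# Status codes we report (our own choice for the example; gobuster's default
# positive list is similar).
INTERESTING = {200, 204, 301, 302, 307, 401, 403}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an HTTPError instead of following it, so a 301 on /admin
    is recorded as 301 rather than as whatever /admin/ returns."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(url, timeout=5):
    """GET one URL and return its HTTP status code (0 on a network error)."""
    req = urllib.request.Request(url, headers={"User-Agent": "mini-gobuster"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code                      # 301/403/404 still carry information
    except (urllib.error.URLError, OSError):
        return 0


def candidates(words, extensions=()):
    """Expand a wordlist the way -x does: each word, then word.ext per extension."""
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):
            continue
        yield word
        for ext in extensions:
            yield f"{word}.{ext.lstrip('.')}"


def wildcard_status(base_url):
    """Request a path that cannot exist. A 'found' status here means the host
    answers positively to anything, so a scan would be pure noise."""
    status = probe(f"{base_url}/{uuid.uuid4().hex}")
    return status if status in INTERESTING else None


def brute_force(base_url, words, extensions=(), threads=10):
    """Return {"/path": status} for every candidate whose status is INTERESTING."""
    base = base_url.rstrip("/")
    if wildcard_status(base) is not None:
        raise RuntimeError("wildcard/soft-404 target: add a size or status filter first")
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = pool.map(lambda p: (p, probe(f"{base}/{p}")), candidates(words, extensions))
        return {f"/{p}": s for p, s in results if s in INTERESTING}


# --- constructed local target so the example is self-contained ---------------
FAKE_SITE = {"/admin": 301, "/backup.zip": 200, "/config.php": 403, "/index.html": 200}


class _Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status = 200 if self.server.catch_all else FAKE_SITE.get(self.path, 404)
        self.send_response(status)
        if status == 301:
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):          # silence per-request logging
        pass


def start_fake_site(catch_all=False):
    """Bind a throwaway server on a free port; catch_all=True mimics a soft-404 host."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    srv.catch_all = catch_all
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


WORDLIST = ["admin", "backup", "config", "index", "uploads", "# comment", ""]  # constructed


def demo():
    """Scan the constructed site with -x php,html,zip and return the hits."""
    srv, url = start_fake_site()
    try:
        return brute_force(url, WORDLIST, extensions=("php", "html", "zip"), threads=5)
    finally:
        srv.shutdown()
        srv.server_close()


def demo_wildcard():
    """Return True if the wildcard check refuses to scan a catch-all host."""
    srv, url = start_fake_site(catch_all=True)
    try:
        brute_force(url, WORDLIST)
        return False
    except RuntimeError:
        return True
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{path} (Status: {status})")
    print("wildcard host refused:", demo_wildcard())
```

Two details matter in practice and are easy to miss in the real tool's output: redirects are reported as 301/302 rather than followed (a bare 301 on /admin is how a directory without a trailing slash shows up), and the extension expansion multiplies the request count by one plus the number of extensions, which is why -x with a long list and a large wordlist takes so long.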
Basic Usage (Directory Scan)
gobuster dir -u <URL> -w <wordlist>
Example:
gobuster dir -u http://192.168.1.100 -w /usr/share/wordlists/dirb/common.txt
This requests every entry of common.txt under http://192.168.1.100/ and reports the paths whose status code indicates they exist (by default anything other than 404).
Common Options

| Option | Description |
|---|---|
| dir | Directory/file brute-forcing mode |
| dns | DNS subdomain brute-forcing mode |
| vhost | Virtual host brute-forcing mode |
| s3 | S3 bucket brute-forcing mode |
| -u | Target URL (dir and vhost modes) |
| -d | Target domain (dns mode) |
| -w | Path to wordlist |
| -t | Number of concurrent threads (default: 10) |
| -x | File extensions to append to each word, comma-separated (e.g. php,html) |
| -o | Write results to a file |
| -q | Quiet mode (suppress banner and progress, show only results) |
| -e | Expanded mode: print full URLs instead of paths |
| --timeout | Per-request timeout (default: 10s) |
Examples by Mode
Directory Scan
gobuster dir -u http://example.com -w /path/to/wordlist.txt
With Extensions
gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt -x php,html
Each word is requested as-is and again with each extension (admin, admin.php, admin.html), so the number of requests grows by one per extension.
Subdomain Scan
gobuster dns -d example.com -w /usr/share/wordlists/dns/namelist.txt
Virtual Host Scan
gobuster vhost -u http://example.com -w /usr/share/wordlists/vhosts.txt --append-domain
In vhost mode every request goes to the same IP with a different Host header, and a hit is a response that differs from the baseline rather than a particular status code. Recent versions of gobuster no longer append the base domain automatically; --append-domain makes it send word.example.com instead of the bare word.
Pro Tips
- Proxy Gobuster through Burp Suite (--proxy http://127.0.0.1:8080) so suspicious or 403 responses are captured and can be inspected and replayed.
- Combine Gobuster with wfuzz for parameter fuzzing.
- Treat different status codes differently: 200 means the resource is readable, 301/302 usually marks a directory (redirect to the trailing-slash form) or a redirect to a login page, and 403 shows a resource that exists but is access-controlled, which is worth revisiting with other methods, headers or path variations.
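The status-code tip is easier to act on if the scan output is sorted mechanically. The following is an added Python helper written for this page (not part of gobuster) that parses the default dir-mode output format gobuster 3.x prints and writes to -o files, groups hits by status, collects 403s and redirect targets, and flags clusters of 200 responses with identical sizes, which on many applications means a catch-all route rather than real content. The SAMPLE block is a constructed scan, not real output, and the size heuristic's threshold is our choice.

```python
"""Triage gobuster dir output by status code and response size.

Added example, not gobuster's own code. Parses lines of the form
  /admin   (Status: 301) [Size: 312] [--> http://192.168.1.100/admin/]
and summarises them the way a tester would before following up by hand.
"""
import re
from collections import Counter, defaultdict
from typing import NamedTuple, Optional

# One result line of gobuster dir output; the [--> target] part is present
# only for redirects. Banner and progress lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\(Status:\s*(?P<status>\d{3})\)\s*\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s*\[-->\s*(?P<redirect>\S+)\])?"
)


class Hit(NamedTuple):
    path: str
    status: int
    size: int
    redirect: Optional[str]


def parse(text):
    """Turn raw gobuster output into Hit records."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], int(m["status"]), int(m["size"]), m["redirect"]))
    return hits


def by_status(hits):
    """{status: [paths]} so 200s, 30xs and 403s can be worked as separate lists."""
    groups = defaultdict(list)
    for h in hits:
        groups[h.status].append(h.path)
    return dict(groups)


def suspect_soft404_sizes(hits, min_repeats=3):
    """Sizes shared by at least min_repeats 200 responses (threshold is our choice).
    A catch-all route typically returns 200 with the same body for every unknown
    path; these sizes are what you pass to gobuster's --exclude-length."""
    sizes = Counter(h.size for h in hits if h.status == 200)
    return {size for size, n in sizes.items() if n >= min_repeats}


def triage(text):
    """Summary: paths per status, 403s to revisit, redirect targets, and
    response sizes that look like a catch-all page."""
    hits = parse(text)
    return {
        "by_status": by_status(hits),
        "forbidden": [h.path for h in hits if h.status == 403],
        "redirects": {h.path: h.redirect for h in hits if h.redirect},
        "soft404_sizes": suspect_soft404_sizes(hits),
    }


# Constructed sample of gobuster dir output (not a real scan).
SAMPLE = """\
===============================================================
Gobuster (constructed banner line)
===============================================================
/admin                (Status: 301) [Size: 312] [--> http://192.168.1.100/admin/]
/backup               (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 10701]
/login.php            (Status: 200) [Size: 1423]
/page1                (Status: 200) [Size: 5120]
/page2                (Status: 200) [Size: 5120]
/page3                (Status: 200) [Size: 5120]
/server-status        (Status: 403) [Size: 278]
/uploads              (Status: 301) [Size: 314] [--> http://192.168.1.100/uploads/]
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a file written with -o (for example `triage(open("scan.txt").read())`). The two 403s sharing a size of 278 in the sample are the classic Apache forbidden page, so the paths exist; the three 200s of size 5120 are the ones to verify manually or exclude with --exclude-length 5120 before re-running.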
Limitations
- Does not support recursive directory discovery (intentionally); re-run it against each directory it finds.
- Can be blocked by WAFs and rate-limiting mechanisms; lower -t and add --delay between requests if responses start failing or returning the same block page.
- Wordlist quality directly determines what gets found: a resource whose name is not in the list will never be reported.
When to Use Gobuster
- To enumerate directories and files on a web server
- To discover subdomains of a target domain
- To check for hidden or sensitive resources during a web app pentest
Pro Tip
Use Gobuster with well-known wordlists such as those from SecLists, for example:
/usr/share/seclists/Discovery/Web-Content/common.txt
Combine it with -x for extension testing and -t for speed tuning.