
Gobuster

Fast directory/file, DNS subdomain, and virtual host brute forcing tool written in Go.

Installation

# Kali Linux (pre-installed)
apt install gobuster

# Go install
go install github.com/OJ/gobuster/v3@latest

# GitHub release
wget https://github.com/OJ/gobuster/releases/download/v3.8.2/gobuster_Linux_x86_64.tar.gz
tar -xzvf gobuster_Linux_x86_64.tar.gz

Directory/File Brute Forcing

Basic Directory Enumeration

# Basic scan
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# Common directory wordlists
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# SecLists common
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt

File Extension Scanning

# Scan for specific extensions
gobuster dir -u http://target.com -w wordlist.txt -x php,html,txt,asp,aspx

# Multiple extensions with backup files
gobuster dir -u http://target.com -w wordlist.txt -x php,bak,old,zip,tar.gz

# Configuration files
gobuster dir -u http://target.com -w wordlist.txt -x conf,config,xml,json,yml

Advanced Options

# Show only these status codes (-s and -b are mutually exclusive; -s replaces the default 404 blacklist, so clear it with -b "")
gobuster dir -u http://target.com -w wordlist.txt -s "200,204,301,302,307,401,403" -b ""

# Exclude specific status codes
gobuster dir -u http://target.com -w wordlist.txt -b "404,403"

# Follow redirects
gobuster dir -u http://target.com -w wordlist.txt -r

# Increase threads for faster scanning
gobuster dir -u http://target.com -w wordlist.txt -t 50

# Timeout configuration
gobuster dir -u http://target.com -w wordlist.txt --timeout 10s

# Custom User-Agent
gobuster dir -u http://target.com -w wordlist.txt -a "Mozilla/5.0"

Authentication

# Basic authentication
gobuster dir -u http://target.com -w wordlist.txt -U username -P password

# Cookie-based authentication
gobuster dir -u http://target.com -w wordlist.txt -c "session=abc123"

# Custom headers
gobuster dir -u http://target.com -w wordlist.txt -H "Authorization: Bearer token"

Output Options

# Save to file
gobuster dir -u http://target.com -w wordlist.txt -o results.txt

# Verbose output
gobuster dir -u http://target.com -w wordlist.txt -v

# Quiet mode (only show found)
gobuster dir -u http://target.com -w wordlist.txt -q

# No color output
gobuster dir -u http://target.com -w wordlist.txt --no-color

# Pattern file (-p takes a file, not a regex): one template per line, e.g. {GOBUSTER}.bak, and {GOBUSTER} is replaced by each wordlist entry
gobuster dir -u http://target.com -w wordlist.txt -p patterns.txt
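Because `-p` multiplies the request count by the number of templates, it is worth seeing the expansion before sending it. The script below is an added example, not code from the gobuster project: it writes a small pattern file and previews, with no traffic at all, which paths one wordlist entry turns into once the `{GOBUSTER}` token is substituted. The pattern list and the function names are my own; the only assumption about gobuster is that the literal token `{GOBUSTER}` in each line is replaced by the current word.

```shell
#!/bin/sh
# Added example: preview what a gobuster -p/--pattern file expands to.
# Assumption: gobuster substitutes the literal {GOBUSTER} token in every
# pattern line with the current wordlist entry (one extra request per line).
set -eu

# Write a pattern file covering common backup/editor-leftover naming (my own list).
write_patterns_file() {
    cat > "$1" <<'EOF'
# templates: {GOBUSTER} is replaced by each wordlist entry
{GOBUSTER}.bak
{GOBUSTER}.old
{GOBUSTER}~
.{GOBUSTER}.swp
backup_{GOBUSTER}
{GOBUSTER}.orig
EOF
}

# Print the candidate names gobuster would derive from one word.
# Blank lines and comments are skipped; a line with no token would expand to the
# same path for every word, so this preview drops it as noise.
expand_patterns() {
    awk -v w="$1" -v tok='{GOBUSTER}' '
        /^[[:space:]]*(#|$)/ { next }
        index($0, tok) == 0  { next }
        {
            line = $0; out = ""
            while ((i = index(line, tok)) > 0) {
                out = out substr(line, 1, i - 1) w
                line = substr(line, i + length(tok))
            }
            print out line
        }' "$2"
}

# How many extra requests per wordlist entry a pattern file adds.
pattern_request_multiplier() {
    expand_patterns x "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
    write_patterns_file patterns.txt
    echo "requests per word: $(pattern_request_multiplier patterns.txt)"
    expand_patterns admin patterns.txt
    # then: gobuster dir -u http://target.com -w wordlist.txt -p patterns.txt
fi
```

Run it as `sh preview.sh demo` to see the six names derived from `admin`; a 10,000-word list with this file therefore costs 70,000 requests, which is the number to weigh against the thread and delay settings later on this page.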

SSL/TLS Options

# HTTPS target
gobuster dir -u https://target.com -w wordlist.txt

# Skip certificate verification
gobuster dir -u https://target.com -w wordlist.txt -k

# Client certificate for mutual TLS (PEM key must be unencrypted)
gobuster dir -u https://target.com -w wordlist.txt --client-cert-pem client.pem --client-cert-pem-key client-key.pem

DNS Subdomain Enumeration

Basic Subdomain Discovery

# Basic DNS mode
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Show CNAMEs
gobuster dns -d target.com -w wordlist.txt -c

# Show IP addresses
gobuster dns -d target.com -w wordlist.txt -i

Advanced DNS Options

# Custom resolver (a single server, optionally with :port)
gobuster dns -d target.com -w wordlist.txt -r 1.1.1.1:53

# Wildcard domain handling
gobuster dns -d target.com -w wordlist.txt --wildcard

# Timeout for DNS queries
gobuster dns -d target.com -w wordlist.txt --timeout 3s

# Output to file
gobuster dns -d target.com -w wordlist.txt -o subdomains.txt

Large-Scale Subdomain Enumeration

# All subdomains wordlist
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 50

# Bitquark wordlist
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt

Virtual Host Discovery

Basic VHost Enumeration

# VHost mode
gobuster vhost -u http://target.com -w wordlist.txt

# Append domain
gobuster vhost -u http://target.com -w wordlist.txt --append-domain

# Follow redirects
gobuster vhost -u http://target.com -w wordlist.txt -r

Advanced VHost Options

# Exclude specific response lengths
gobuster vhost -u http://target.com -w wordlist.txt --exclude-length 1234

# Custom headers
gobuster vhost -u http://target.com -w wordlist.txt -H "Authorization: Bearer token"

# With cookies
gobuster vhost -u http://target.com -w wordlist.txt -c "session=xyz"

S3 Bucket Enumeration

# S3 bucket discovery
gobuster s3 -w wordlist.txt

# Max files to list per open bucket (only shown with -v; default 5)
gobuster s3 -w wordlist.txt -v -m 1000

Google Cloud Storage (GCS)

# GCS bucket enumeration
gobuster gcs -w wordlist.txt

Practical Workflows

Web Application Assessment

# Phase 1: Quick common directories
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 50 -q

# Phase 2: Medium wordlist with extensions
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 30

# Phase 3: Backup files and configs
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt -x bak,old,zip,conf

# Phase 4: API endpoints
gobuster dir -u http://target.com/api -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -t 20

Subdomain Discovery Workflow

# Small wordlist first
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -o subs-5k.txt

# Medium wordlist
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -o subs-20k.txt

# Large wordlist if scope permits
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 50 -o subs-110k.txt
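Three result files from the workflow above overlap heavily, and a wildcard record (every label resolving to the same address) can flood all three. The script below is an added example, not part of the gobuster project: it consolidates any number of `gobuster dns -i -o` result files into unique hostnames and IPs, and flags an address that sits behind most of the hostnames, which is what a wildcard looks like in the output. It assumes the `Found: host [ip,...]` line format printed with `-i`; the sample files in the test are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example: consolidate several `gobuster dns -i -o ...` result files.
# Assumption: each hit line looks like "Found: host.target.com [ip1,ip2]"
# (the bracketed, comma-separated IP list is present only when -i was used).
set -eu

# Unique hostnames across any number of result files.
hosts_from_dns_output() {
    awk '$1 == "Found:" { print $2 }' "$@" | sort -u
}

# Unique IPs, one per line (a host with several A records contributes several).
ips_from_dns_output() {
    sort -u "$@" | awk '$1 == "Found:" && $3 ~ /^\[.*\]$/ {
        n = split(substr($3, 2, length($3) - 2), ips, ",")
        for (i = 1; i <= n; i++) print ips[i]
    }' | sort -u
}

# "count ip" per address, most-shared first. Duplicate lines across files are
# collapsed first so a host found by two wordlists is counted once.
ip_histogram() {
    sort -u "$@" | awk '$1 == "Found:" && $3 ~ /^\[.*\]$/ {
        n = split(substr($3, 2, length($3) - 2), ips, ",")
        for (i = 1; i <= n; i++) seen[ips[i]]++
    }
    END { for (ip in seen) print seen[ip], ip }' | sort -rn
}

# Print the top IP if it backs at least <threshold> percent of the hostnames;
# that is the classic wildcard signature, so verify it (e.g. resolve a random
# label) before feeding the host list into dir/vhost scans.
# usage: wildcard_suspect <threshold-percent> file...
wildcard_suspect() {
    threshold=$1; shift
    hosts=$(hosts_from_dns_output "$@" | wc -l | tr -d ' ')
    [ "$hosts" -gt 0 ] || return 1
    top=$(ip_histogram "$@" | head -n 1)
    [ -n "$top" ] || return 1
    count=${top%% *}; ip=${top#* }
    if [ $((count * 100 / hosts)) -ge "$threshold" ]; then
        printf '%s\n' "$ip"
    else
        return 1
    fi
}

if [ "${1:-}" = "merge" ]; then
    shift
    hosts_from_dns_output "$@" > all-hosts.txt
    ips_from_dns_output "$@" > all-ips.txt
    if ip=$(wildcard_suspect 50 "$@"); then
        echo "WARNING: $ip backs most hostnames; check for a wildcard record" >&2
    fi
    echo "hosts: $(wc -l < all-hosts.txt)  ips: $(wc -l < all-ips.txt)"
fi
```

Usage: `sh merge-dns.sh merge subs-5k.txt subs-20k.txt subs-110k.txt`. The 50 percent threshold is a judgement call; a real wildcard usually puts one address behind nearly every label, so a lower number mostly catches shared reverse proxies and CDN edges, which are worth knowing about anyway.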

Multi-Target Scanning

# Scan multiple targets from file
while read -r target; do
    echo "Scanning $target"
    gobuster dir -u "$target" -w /usr/share/wordlists/dirb/common.txt -q -o "results-${target//[:\/]/_}.txt"
done < targets.txt

Useful Wordlists

Directory/File Wordlists

# Dirb
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt

# Dirbuster
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

# SecLists
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
/usr/share/seclists/Discovery/Web-Content/quickhits.txt

DNS Wordlists

# SecLists DNS
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
/usr/share/seclists/Discovery/DNS/fierce-hostlist.txt

Tips and Best Practices

Performance Optimization

  1. Thread Management: Start with 10-20 threads, increase to 50+ for fast targets
  2. Timeouts: Adjust based on target response time (default 10s)
  3. Wordlist Selection: Start small, expand based on findings
  4. Status Codes: Filter irrelevant codes to reduce noise

Stealth Considerations

# Slower, less aggressive scan
gobuster dir -u http://target.com -w wordlist.txt -t 5 --delay 100ms

# Random User-Agent (built in; one agent is chosen for the whole scan)
gobuster dir -u http://target.com -w wordlist.txt --random-agent

# Or pick one from your own list for this run
gobuster dir -u http://target.com -w wordlist.txt -a "$(shuf -n1 useragents.txt)"

# Custom request delay
gobuster dir -u http://target.com -w wordlist.txt --delay 200ms

Handling Rate Limiting

# Reduce threads and add delay
gobuster dir -u http://target.com -w wordlist.txt -t 5 --delay 500ms

# Increase timeout
gobuster dir -u http://target.com -w wordlist.txt -t 5 --timeout 30s

Error Handling

# Hide per-request error messages (the scan continues either way)
gobuster dir -u http://target.com -w wordlist.txt --no-error

# Retry on failure
gobuster dir -u http://target.com -w wordlist.txt -t 10 --retry

Common Use Cases

Finding Admin Panels

gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x php,asp,aspx,jsp -s "200,301,302" -b "" | grep -i "admin"

API Discovery

gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -t 20

Backup File Hunting

gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -x bak,backup,old,zip,tar.gz,sql,7z

Configuration Files

gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt -x conf,config,xml,json,yml,yaml,ini,env

Comparison with Other Tools

Feature       Gobuster   Dirb   Dirbuster   ffuf
Speed         Fast       Slow   Medium      Very fast
DNS mode      Yes        No     No          No
VHost mode    Yes        No     No          Yes
Recursive     No         Yes    Yes         Yes
Written in    Go         C      Java        Go
Active dev    Yes        No     No          Yes

Common Errors and Solutions

Connection Timeouts

# Increase timeout
gobuster dir -u http://target.com -w wordlist.txt --timeout 30s

# Reduce threads
gobuster dir -u http://target.com -w wordlist.txt -t 5

False Positives

# Filter by length
gobuster dir -u http://target.com -w wordlist.txt --exclude-length 1234

# Filter by status code (-b replaces the default blacklist, so keep 404 in the list)
gobuster dir -u http://target.com -w wordlist.txt -b "404,301,302"

SSL Certificate Errors

# Skip verification (testing only)
gobuster dir -u https://target.com -w wordlist.txt -k

Integration with Other Tools

With Burp Suite

# Use Burp as proxy
gobuster dir -u http://target.com -w wordlist.txt --proxy http://127.0.0.1:8080

With Nmap Results

# Extract hosts with port 80 open and scan them (grepable output; the IP is field 2, and the regex avoids matching 8080 or 180)
nmap -p- -oG - target.com | grep -E '(^|[^0-9])80/open' | awk '{print $2}' | while read -r ip; do
    gobuster dir -u "http://$ip" -w wordlist.txt -q
done

Piping to Other Tools

# Find directories and spider with wget
gobuster dir -u http://target.com -w wordlist.txt -q | grep -E "Status: 200" | awk '{print $1}' | while read path; do
    wget -r -l 1 "http://target.com$path"
done
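Gobuster does not recurse (see the comparison table), so the usual follow-up is to pull the directories out of a saved result file and launch a second round against each. The script below is an added example, not code from the gobuster project: it parses the `/path (Status: NNN) [Size: N] [--> url]` result lines, filters by status more robustly than the grep/awk pipeline above, picks the hits that look like directories, and emits the URLs for the next run. The sample result file in the test is constructed; the heuristic for "looks like a directory" is my own.

```shell
#!/bin/sh
# Added example: turn a saved `gobuster dir` result file into the input for
# the next round of scanning, since gobuster itself does not recurse.
# Assumption: hit lines look like
#   /path   (Status: NNN) [Size: N] [--> http://host/path/]
# and the "[--> url]" suffix is present only on redirect responses.
set -eu

# Paths whose status matches an extended regex, e.g. '200' or '301|302'.
found_paths() {
    awk -v want="$2" '
        $1 ~ /^\// {
            st = ""
            for (i = 2; i <= NF; i++)
                if ($i == "(Status:") { st = $(i + 1); sub(/\)$/, "", st) }
            if (st ~ ("^(" want ")$")) print $1
        }' "$1"
}

# Directories worth descending into, each with a trailing slash:
#  - any hit that redirects to itself plus "/" (the classic Apache/nginx 301)
#  - 200/403 hits whose last segment has no extension (an index page or a
#    listing-denied directory); a file extension means no children to find
dir_candidates() {
    awk '
        $1 ~ /^\// {
            st = ""; tgt = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "(Status:") { st = $(i + 1); sub(/\)$/, "", st) }
                if ($i == "[-->")     { tgt = $(i + 1); sub(/\]$/, "", tgt) }
            }
            p = $1; sub(/\/+$/, "", p)
            n = split(p, seg, "/"); last = seg[n]
            suffix = "/" last "/"
            if (tgt != "" && substr(tgt, length(tgt) - length(suffix) + 1) == suffix)
                print p "/"
            else if (tgt == "" && (st == "200" || st == "403") && index(last, ".") == 0)
                print p "/"
        }' "$1" | sort -u
}

# Absolute URLs for the next gobuster run; a trailing slash on base is stripped.
next_round_urls() {
    base=${1%/}
    dir_candidates "$2" | while IFS= read -r d; do printf '%s%s\n' "$base" "$d"; done
}

# usage: sh recurse.sh recurse http://target.com round1.txt wordlist.txt
if [ "${1:-}" = "recurse" ]; then
    next_round_urls "$2" "$3" | while IFS= read -r url; do
        out="round2-$(printf '%s' "$url" | tr -c 'A-Za-z0-9.' '_').txt"
        gobuster dir -u "$url" -w "$4" -q -o "$out"
    done
fi
```

Only the redirect-to-slash rule is certain; the extension heuristic will occasionally descend into a 200 that is really a route rather than a directory, which costs one extra scan and nothing else. Feeding a 403 directory back in is deliberate: listing is denied, but files underneath it are often still readable.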

Useful Resources