Gobuster Guide and examples


Author: OJ Reeves
License: Apache-2.0
Software: Gobuster
Written in: Go
Date created: July 21, 2015
Updated: Yes
GitHub: Gobuster

Last updated: March 28th, 2024

  Description

    Gobuster is a tool used to brute force URLs (directories and files) from websites, DNS subdomains, virtual host names and open Amazon S3 buckets. It can be particularly useful during CTF challenges that require you to brute force web server data, but also during pentest engagements.

  Installation on Linux (Kali)

    Gobuster is not on Kali by default. If you have to install it, this is how.

    1. Since Gobuster is written in the Go language, we need to install the Go environment on our Kali machine. Download the Go installer file from the official Go site. At the time of writing, the file is called "go1.16.7.linux-amd64.tar.gz". You will need at least version 1.16.0 to compile Gobuster.

    2. Navigate to the directory where the file you just downloaded is stored, and run the following command:

    # Don't forget to change the filename in this command to the version you downloaded.
    rm -rf /usr/local/go && tar -C /usr/local -xzf go1.16.7.linux-amd64.tar.gz

    3. Add /usr/local/go/bin to your PATH environment variable.

    export PATH=$PATH:/usr/local/go/bin

    4. Check if the Go environment was properly installed with the following command:

    go version

    5. Finally, it's time to install Gobuster. Make sure your Go version is >1.16.0, or this step will not work. The easiest way to install Gobuster is to run the following command, which installs the latest version:

    go install github.com/OJ/gobuster/v3@latest

    If you want to compile Gobuster yourself, refer to the instructions on the Gobuster GitHub page.
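Preflight checks for the install steps above, as an added example that is not part of the original guide or the Gobuster project. The helper names are hypothetical, and the expected SHA-256 digest is a placeholder to be copied from the Go download page.

```shell
#!/bin/sh
# Added example: preflight checks for the install steps (helper names are hypothetical).

MIN_GO="1.16.0"   # minimum Go version stated in this guide

# Print the dotted version from `go version` output,
# e.g. "go version go1.16.7 linux/amd64" -> 1.16.7
go_semver() {
  printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9.]*\).*/\1/p'
}

# Succeed when version $1 >= version $2; fields compare numerically, missing fields count as 0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Succeed when the SHA-256 of file $1 equals hex digest $2 (case-insensitive).
sha256_matches() {
  actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Succeed when the given `go version` line (default: the installed toolchain) meets MIN_GO.
go_ready() {
  v=$(go_semver "${1:-$(go version 2>/dev/null)}")
  [ -n "$v" ] && version_ge "$v" "$MIN_GO"
}

# Before step 2 (digest is a placeholder; copy it from the Go download page):
#   sha256_matches go1.16.7.linux-amd64.tar.gz "<sha256 from the download page>" || exit 1
# Before step 5:
#   go_ready || echo "Go is missing or older than $MIN_GO" >&2
```

Checking the archive digest before step 2 matters because that step deletes the existing /usr/local/go and unpacks the download in its place.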

  Cheatsheet

    # Syntax
    gobuster [mode] -u [target ip] -w [wordlist]

    Gobuster can run in multiple scanning modes; at the time of writing these are dir, dns and vhost.

    DIR mode - Used for directory/file bruteforcing

    # Syntax
    gobuster dir -u [target ip] -w [wordlist]

    # Example
    gobuster dir -u http://192.168.0.1:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

    # Example to search for specific file extensions, like PHP. For multiple extensions: -x .php,.txt,...
    gobuster dir -u http://192.168.0.1:8080 -x .php -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

    # Example which excludes pages with a certain length
    gobuster dir -u http://192.168.0.1:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --exclude-length 9265

    DNS mode - Used for DNS subdomain bruteforcing

    # Syntax
    gobuster dns -d [target site] -w [wordlist]

    # Standard example
    gobuster dns -d example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

    # Example with show ip
    gobuster dns -d example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -i

    # Example of force processing of a domain that has wildcard entries
    gobuster dns -d 0.0.1.example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --wildcard

    VHOST mode - Used for VHOST bruteforcing

    # Syntax
    gobuster vhost -u [target site] -w [vhost list]

    # Example
    gobuster vhost -u https://example.com -w common-vhosts.txt

    Global flags

    -h : (--help) Print the global help menu.

    -z : (--noprogress) Don't display progress.

    -o : (--output [filename]) Output results to a file.

    -q : (--quiet) Don't print banner and other noise.

    -t : (--threads [number]) Number of concurrent threads (default 10).

    -v : (--verbose) Verbose output (errors).

    -w : (--wordlist [wordlist]) Path to wordlist.

    DIR mode flags

    -h : (--help) Print the DIR mode help menu.

    -f : (--addslash) Append "/" to each request.

    -c : (--cookies [string]) Cookies to use for the requests.

    -e : (--expanded) Expanded mode, print full URLs.

    -x : (--extensions [string]) File extension(s) to search for.

    -r : (--followredirect) Follow redirects.

    -H : (--headers [stringArray]) Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'.

    -l : (--includelength) Include the length of the body in the output.

    -k : (--insecuressl) Skip SSL certificate verification.

    -n : (--nostatus) Don't print status codes.

    -U : (--username [string]) Username for Basic Auth.

    -P : (--password [string]) Password for Basic Auth.

    -p : (--proxy [string]) Proxy to use for requests [http(s)://host:port].

    -s : (--statuscodes [string]) Positive status codes (will be overwritten with statuscodesblacklist if set) (default "200,204,301,302,307,401,403").

    -b : (--statuscodesblacklist [string]) Negative status codes (will override statuscodes if set).

    -u : (--url [string]) The target URL.

    -a : (--useragent [string]) Set the User-Agent string (default "gobuster/3.0.1").

    --timeout [duration] : HTTP Timeout (default 10s).

    --wildcard : Force continued operation when wildcard found.

    DNS mode flags

    -h : (--help) Print the DNS mode help menu.

    -d : (--domain [string]) The target domain.

    -r : (--resolver [string]) Use custom DNS server (format server.com or server.com:port).

    -c : (--showcname) Show CNAME records (cannot be used with '-i' option).

    -i : (--showips) Show IP addresses.

    --timeout [duration] : DNS resolver timeout (default 1s).

    --wildcard : Force continued operation when wildcard found.

    VHOST mode flags

    -h : (--help) Print the VHOST mode help menu.

    -r : (--followredirect) Follow redirects.

    -H : (--headers [stringArray]) Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'.

    -c : (--cookies [string]) Cookies to use for the requests.

    -k : (--insecuressl) Skip SSL certificate verification.

    -U : (--username [string]) Username for Basic Auth.

    -P : (--password [string]) Password for Basic Auth.

    -u : (--url [string]) The target URL.

    -p : (--proxy [string]) Proxy to use for requests [http(s)://host:port].

    -a : (--useragent [string]) Set the User-Agent string (default "gobuster/3.0.1").

    --timeout [duration] : HTTP Timeout (default 10s).
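For defenders, the defaults listed above leave a recognizable trace in web server access logs: the default User-Agent string, and a burst of 404 responses to wordlist guesses when -a has been used to change it. The following is an added example (not from the original guide or the Gobuster project) that flags both over a constructed combined-format log; the function names and thresholds are assumptions.

```shell
#!/bin/sh
# Added example: flag likely Gobuster dir-mode scans in a web access log.
# Function names and thresholds are assumptions, not part of Gobuster.

# Constructed sample in combined log format (not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [28/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.0.1"
203.0.113.7 - - [28/Mar/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 301 169 "-" "gobuster/3.0.1"
198.51.100.9 - - [28/Mar/2024:10:05:10 +0000] "GET /a.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2024:10:05:10 +0000] "GET /b.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2024:10:05:10 +0000] "GET /c.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2024:10:05:11 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2024:10:05:11 +0000] "GET /d.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Mar/2024:10:06:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Mar/2024:10:06:02 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
EOF
}

# Read a combined-format log on stdin and print "<ip> <reason>" per flagged client.
# $1 = minimum requests from one client, $2 = minimum percentage of 404 responses.
detect_dirbust() {
  awk -F'"' -v min="$1" -v pct="$2" '
    {
      split($1, pre, " ");  ip = pre[1]        # client address
      split($3, post, " "); status = post[1]   # HTTP status code
      total[ip]++
      if (status == 404) miss[ip]++
      if ($6 ~ /^gobuster\//) ua[ip] = 1       # default User-Agent, e.g. gobuster/3.0.1
    }
    END {
      for (ip in total) {
        if (ua[ip]) print ip, "default-user-agent"
        else if (total[ip] >= min && 100 * miss[ip] / total[ip] >= pct) print ip, "404-burst"
      }
    }' | sort
}

sample_log | detect_dirbust 5 80
```

On real traffic the thresholds need tuning against the site's normal 404 rate, and the counts should be taken over a short time window rather than the whole log.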
