Introduction
Gobuster is a tool written in Go that helps you brute-force web directories and files, DNS subdomains, virtual host names, open Amazon S3 buckets, open Google Cloud buckets, and TFTP servers. It is fast, flexible, and scalable, and can perform parallel scans with multiple threads. It is useful for pentesters, ethical hackers, and forensics experts who want to discover hidden web assets and attack vectors.
download gobuster
Download and installation
Depending on your operating system, there are different ways to download and install gobuster. Here are some of the most common ones:
If you are using Kali Linux or Parrot OS, gobuster is already pre-installed. You can check the version by typing gobuster -v in the terminal.
If you are using Ubuntu or Debian-based OS, you can use apt to install gobuster. Just type sudo apt install gobuster in the terminal.
If you are using Mac OS, you can use Homebrew to install gobuster. Just type brew install gobuster in the terminal.
If you are using Windows or other versions of Linux, you can download the binary releases from the official Github repository: [Gobuster releases](^2^). Extract the ZIP file to a directory of your choice, and add the path to the gobuster executable to your system's environment variables.
Once you have finished installing, you can check your installation by typing gobuster -h in the terminal. This will show you the available commands and flags for gobuster.
Usage examples
Gobuster has several modes that you can use for different purposes. To use a mode, you need to type gobuster [mode], followed by the options and arguments for that mode. Here are some examples of how to use gobuster for different modes and scenarios:
Directory/file enumeration mode
This mode allows you to brute-force directories and files on a web server. You need to specify the URL of the target website with the -u flag, and the path to a wordlist with the -w flag. You can also use other flags to customize your scan, such as -e to print full URLs of discovered paths, -x to append extensions to each wordlist entry, -s to specify status codes to show or hide, -t to set the number of threads, etc.
For example, if you want to scan a website ( for directories using a wordlist (/usr/share/wordlists/dirb/common.txt) and print the full URLs of discovered paths, you can type:
gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -e
This will produce an output like this:
Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) ===================================================== [+] Url: [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Expanded [+] Expanded: true ===================================================== (Status: 301) (Status: 301) (Status: 301) (Status: 200) (Status: 301) ===================================================== Finished =====================================================
If you want to scan the same website for PHP files using a wordlist (/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt) and hide the status codes 403 and 404, you can type:
gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -s '200,301,302' -t 20
This will produce an output like this:
How to download gobuster on Kali Linux
Download gobuster source code from GitHub
Download gobuster binary releases for Windows
Download gobuster Docker image
Download gobuster wordlist for directory brute-forcing
Download gobuster tutorial PDF
Download gobuster cheat sheet
Download gobuster examples and usage
Download gobuster latest version
Download gobuster alternative tools
Download gobuster for Mac OS X
Download gobuster for Ubuntu
Download gobuster for web application testing
Download gobuster for DNS enumeration
Download gobuster for virtual host discovery
Download gobuster for AWS S3 bucket scanning
Download gobuster for Google Cloud bucket scanning
Download gobuster for TFTP server scanning
Download gobuster for fuzzing mode
Download gobuster for custom HTTP headers
Download gobuster with proxy support
Download gobuster with pattern support
Download gobuster with status code filtering
Download gobuster with wildcard detection
Download gobuster with color output
Download gobuster with verbose mode
Download gobuster with quiet mode
Download gobuster with output file option
Download gobuster with delay option
Download gobuster with threads option
How to install and use gobuster after download
How to update and upgrade gobuster after download
How to uninstall and remove gobuster after download
How to troubleshoot and fix errors with gobuster after download
How to optimize and improve performance with gobuster after download
How to compare and benchmark results with gobuster after download
How to customize and configure settings with gobuster after download
How to integrate and automate tasks with gobuster after download
How to report and share findings with gobuster after download
How to contribute and support development of gobuster after download
Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) ===================================================== [+] Url: [+] Method: GET [+] Threads: 20 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 403,404 [+] User Agent: gobuster/3.1.0 [+] Extensions: php [+] Timeout: 10s ===================================================== /config.php (Status: 200) /login.php (Status: 200) /upload.php (Status: 200) ===================================================== Finished =====================================================
DNS subdomain enumeration mode
This mode allows you to brute-force subdomains of a given domain using a DNS resolver of your choice. You need to specify the domain name with the -d flag, and the path to a wordlist with the -w flag. You can also use other flags to customize your scan, such as -r to specify the DNS server to use, -i to show IP addresses, -c to show CNAME records, -t to set the number of threads, etc.
For example, if you want to scan a domain (example.com) for subdomains using a wordlist (/usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt) and show IP addresses and CNAME records, you can type:
gobuster dns -d example.com -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -i -c
This will produce an output like this:
Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) ===================================================== [+] Domain: example.com [+] Wordlist: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt [+] Show IP addresses: true [+] Show CNAME records: true [+] Threads: 10 [+] Timeout: 1s ===================================================== Found: www.example.com [93.184.216.34] Found: mail.example.com [CNAME] [example-com.mail.protection.outlook.com] Found: ftp.example.com [CNAME] [www.example.com] Found: blog.example.com [198.51.100.123] ===================================================== Finished ===================================================== Tips and tricks
Gobuster is a powerful tool that can help you discover hidden web assets and attack vectors. However, there are some tips and tricks that can help you use it more effectively and efficiently. Here are some of them:
Use a good wordlist. The quality of your wordlist can make a huge difference in the results of your scan. You should use a wordlist that is relevant to your target, has a reasonable size, and covers common terms and extensions. You can find many wordlists online, such as [SecLists](^9^) or [Dirbuster](^10^) wordlists. You can also create your own wordlist using tools like [CeWL](^11^) or [crunch](^12^).
Use the right mode. Gobuster has several modes that you can use for different purposes. You should choose the mode that suits your goal and target. For example, if you want to brute-force directories and files on a web server, use the dir mode. If you want to brute-force subdomains of a domain, use the dns mode. If you want to brute-force virtual host names on a web server, use the vhost mode. If you want to brute-force open S3 buckets or Google Cloud buckets, use the s3 or gcs mode respectively. If you want to brute-force TFTP servers, use the tftp mode.
Use the right flags. Gobuster has many flags that you can use to customize your scan. You should use the flags that match your needs and preferences. For example, if you want to print full URLs of discovered paths, use the -e flag. If you want to append extensions to each wordlist entry, use the -x flag. If you want to specify status codes to show or hide, use the -s or -b flag. If you want to set the number of threads, use the -t flag.
Use output redirection. Gobuster can write its results to an output file using the -o flag. However, you can also redirect its output to other tools or commands using pipes or redirection operators. For example, if you want to filter out some results based on a keyword, you can pipe the output of gobuster to grep. If you want to save the output of gobuster to a text file, you can use the > operator.
Use patterns. Gobuster supports patterns that allow you to replace a keyword with each wordlist entry. This can be useful for fuzzing parameters or values in URLs or requests. You need to create a file with one pattern per line, and use the GOBUSTER keyword where you want the wordlist entry to be replaced. Then, you need to use the -p flag to specify the path to the pattern file.
These are some of the tips and tricks that can help you use gobuster more effectively and efficiently. Of course, there are more options and features that gobuster offers, so you should always check its documentation and help page for more information.
Conclusion
In this article, we have learned what gobuster is and what it can do. We have also learned how to download, install, and use gobuster for different modes and scenarios. We have also seen some of its features and benefits, as well as some alternatives and tips and tricks.
Gobuster is a fast and flexible tool for brute-forcing web directories and files, DNS subdomains, virtual host names, open S3 buckets, open Google Cloud buckets, and TFTP servers. It is useful for pentesters, ethical hackers, and forensics experts who want to discover hidden web assets and attack vectors.
Gobuster is not a magic tool that can find everything on a web server or domain. It depends on the quality of your wordlist, the configuration of your target, and the security measures in place. You should always use gobuster with caution and permission, as it can be noisy and intrusive.
FAQs
Here are some frequently asked questions about gobuster:
Q: How do I update gobuster?
A: Depending on how you installed gobuster, there are different ways to update it. If you used apt or brew, you can simply run sudo apt update && sudo apt upgrade or brew update && brew upgrade. If you used go install, you can run go install github.com/OJ/gobuster/v3@latest. If you downloaded the binary release from Github, you can download the latest version from [here](^13^) and replace your old executable.
Q: How do I stop gobuster?
A: If you want to stop gobuster, you can press Ctrl+C in the terminal. This will interrupt the scan and show you the results so far. You can also use the -q flag to suppress the banner and other output, and only show the results.
Q: How do I use proxies with gobuster?
A: If you want to use proxies with gobuster, you can use the -P flag to specify the proxy URL. For example, if you want to use a SOCKS5 proxy at 127.0.0.1:9050, you can type gobuster -P socks5://127.0.0.1:9050. You can also use other types of proxies, such as HTTP or HTTPS.
Q: How do I use cookies with gobuster?
A: If you want to use cookies with gobuster, you can use the -c flag to specify the cookie string. For example, if you want to use a cookie named session with a value of 123456, you can type gobuster -c "session=123456". You can also use multiple cookies by separating them with semicolons.
Q: How do I use headers with gobuster?
A: If you want to use headers with gobuster, you can use the -H flag to specify the header string. For example, if you want to use a header named User-Agent with a value of Mozilla/5.0, you can type gobuster -H "User-Agent: Mozilla/5.0". You can also use multiple headers by separating them with commas.
I hope this article has helped you learn more about gobuster and how to use it. If you have any questions or feedback, please feel free to leave a comment below. Happy hacking! 44f88ac181