📌 What is GoBuster?

GoBuster is a fast directory and file brute-forcer used in penetration testing and bug bounty hunting. It is written in Go and, as the sections below show, is used to enumerate web directories and files, DNS subdomains, and virtual hosts.

🚀 Installation

If you don’t have GoBuster installed, you can get it using:

Tested on Ubuntu/Kali/Parrot/Debian

sudo apt update (optional but recommended)
sudo apt upgrade -y (optional but recommended)
sudo apt install gobuster -y

Tested on Fedora

sudo yum update (optional but recommended)
sudo yum install gobuster

GitHub
github.com/OJ/gobuster/

🔎 Basic Usage

1️⃣ Directory and File Enumeration

Use GoBuster to find hidden directories or files on a web server.

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

Flags Explanation: -u sets the target URL and -w the wordlist whose entries are appended to it, one request per entry.

Example Output:

/admin (Status: 200)
/uploads (Status: 403)
/backup (Status: 301)
/config.php (Status: 200)

2️⃣ Using Extensions (Find Specific File Types)

Try to find files like .php, .txt, .bak:

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x php,txt,bak

🌐 Subdomain Enumeration

Use GoBuster in DNS mode to brute-force subdomains.

gobuster dns -d target.com -w /usr/share/wordlists/dns/subdomains-top1million-5000.txt

Example Output:

www.target.com
mail.target.com
admin.target.com
ftp.target.com

🏗️ Virtual Host (VHost) Enumeration

Enumerate virtual hosts (useful for finding dev/staging sites).

gobuster vhost -u http://target.com -w /usr/share/wordlists/commonspeak2/vhosts.txt

Example Output:

staging.target.com
dev.target.com
internal.target.com

Speeding Up GoBuster

  1. Increase Threads: -t 50 (default is 10)
  2. Handle Wildcard Responses: --wildcard (keep going when the server answers every request; note that GoBuster itself does not recurse into directories it finds)
  3. Ignore Lengths: --exclude-length 12345
  4. Save Output: -o results.txt

Example:

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 50 -o gobuster_results.txt
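As an added example that is not part of this cheat sheet or the GoBuster project, a small POSIX shell helper for triaging a results file saved with -o: it counts hits per status, lists the paths behind one status, and finds the response size that recurs most often, which is the usual candidate for --exclude-length. The sample file contents are constructed here.

```shell
#!/usr/bin/env sh
# Added helper (not part of GoBuster): triage a "gobuster dir -o results.txt" file.
# Result lines look like:  /admin   (Status: 200) [Size: 1234]

# Constructed sample results, written to a temp file so everything runs offline.
SAMPLE_FILE="$(mktemp)"
cat > "$SAMPLE_FILE" <<'EOF'
/admin                (Status: 200) [Size: 1234]
/uploads              (Status: 403) [Size: 277]
/backup               (Status: 301) [Size: 312]
/config.php           (Status: 200) [Size: 0]
/images               (Status: 403) [Size: 277]
/index.php            (Status: 200) [Size: 5120]
EOF

# gb_count_status FILE CODE -> number of hits that returned HTTP status CODE
gb_count_status() {
    awk -v code="$2" '
        match($0, /\(Status: [0-9]+\)/) {
            if (substr($0, RSTART + 9, RLENGTH - 10) == code) n++
        }
        END { print n + 0 }' "$1"
}

# gb_paths_with_status FILE CODE -> the paths behind one status, sorted, space-separated
gb_paths_with_status() {
    awk -v code="$2" '
        match($0, /\(Status: [0-9]+\)/) {
            if (substr($0, RSTART + 9, RLENGTH - 10) == code) print $1
        }' "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# gb_noise_length FILE -> "SIZE COUNT" for the response size shared by the most hits,
# empty if no size repeats. A size that recurs across many 403/404 hits is usually a
# catch-all page; rerun with --exclude-length SIZE to drop it.
gb_noise_length() {
    awk '
        match($0, /\[Size: [0-9]+\]/) { c[substr($0, RSTART + 7, RLENGTH - 8)]++ }
        END {
            best = ""; bc = 0
            for (n in c) if (c[n] > bc) { best = n; bc = c[n] }
            if (bc > 1) print best, bc
        }' "$1"
}

# Stand-alone run: print the summary for the sample file.
printf '200 hits: %s\n' "$(gb_paths_with_status "$SAMPLE_FILE" 200)"
printf 'noise:    %s\n' "$(gb_noise_length "$SAMPLE_FILE")"
```

Point the functions at a real results file instead of SAMPLE_FILE; the 403 hits sharing size 277 in the sample are the kind of catch-all response worth excluding.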

🎯 Common Wordlists

🔹 Directories & Files: /usr/share/wordlists/dirb/common.txt and /usr/share/wordlists/dirb/big.txt (used in the dir examples above)

🔹 Subdomains: /usr/share/wordlists/dns/subdomains-top1million-5000.txt (used in the dns example above)

🔹 Virtual Hosts: /usr/share/wordlists/commonspeak2/vhosts.txt (used in the vhost examples above)

🛠️ Practical Scenarios

🔥 Scenario 1: Finding Admin Panels

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x php,asp,htm

🔥 Scenario 2: Discovering Backup Files

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/big.txt -x bak,old,zip,tar,gz

🔥 Scenario 3: Checking Virtual Hosts

gobuster vhost -u http://target.com -w /usr/share/wordlists/commonspeak2/vhosts.txt

🏁 Final Thoughts

GoBuster is an essential tool for web enumeration in CTFs, bug bounties, and penetration testing. Pair it with Burp Suite, FFUF, and Nmap for better results.
