GoBuster Cheat Sheet

by

📌 What is GoBuster?

GoBuster is a fast directory and file brute-forcer used in penetration testing and bug bounty hunting. It is written in Go and is used to enumerate:

  • Directories & files on web servers (dir mode)
  • Subdomains (dns mode)
  • Amazon S3 buckets (s3 mode)
  • Virtual hostnames (vhost mode)

🚀 Installation

If you don’t have GoBuster installed, you can get it using:

sudo apt update && sudo apt install gobuster -y

Or install it manually:

go install github.com/OJ/gobuster/v3@latest

🔎 Basic Usage

1️⃣ Directory and File Enumeration

Use GoBuster to find hidden directories or files on a web server.

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

Flags Explanation:

  • dir → Directory brute-forcing mode
  • -u → Target URL
  • -w → Wordlist (common.txt from DirB)

Example Output:

/admin (Status: 200)
/uploads (Status: 403)
/backup (Status: 301)
/config.php (Status: 200)

2️⃣ Using Extensions (Find Specific File Types)

Try to find files like .php, .txt, .bak:

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x php,txt,bak
  • -x php,txt,bak → Check for these extensions

🌐 Subdomain Enumeration

Use GoBuster in DNS mode to brute-force subdomains.

gobuster dns -d target.com -w /usr/share/wordlists/dns/subdomains-top1million-5000.txt
  • dns → DNS brute-forcing mode
  • -d → Domain name
  • -w → Wordlist for subdomains

Example Output:

www.target.com
mail.target.com
admin.target.com
ftp.target.com

🏗️ Virtual Host (VHost) Enumeration

Enumerate virtual hosts (useful for finding dev/staging sites).

gobuster vhost -u http://target.com -w /usr/share/wordlists/commonspeak2/vhosts.txt

Example Output:

staging.target.com
dev.target.com
internal.target.com

Speeding Up GoBuster

  1. Increase Threads: -t 50 (default is 10)
  2. Use Recursive Mode: –wildcard
  3. Ignore Lengths: –exclude-length 12345
  4. Save Output: -o results.txt

Example:

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 50 -o gobuster_results.txt

🎯 Common Wordlists

🔹 Directories & Files:

  • /usr/share/wordlists/dirb/common.txt
  • /usr/share/wordlists/rockyou.txt
  • https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content

🔹 Subdomains:

  • /usr/share/wordlists/dns/subdomains-top1million-5000.txt

🔹 Virtual Hosts:

  • /usr/share/wordlists/commonspeak2/vhosts.txt

🛠️ Practical Scenarios

🔥 Scenario 1: Finding Admin Panels

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x php,asp,htm

🔥 Scenario 2: Discovering Backup Files

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/big.txt -x bak,old,zip,tar,gz

🔥 Scenario 3: Checking Virtual Hosts

gobuster vhost -u http://target.com -w /usr/share/wordlists/commonspeak2/vhosts.txt

🏁 Final Thoughts

GoBuster is an essential tool for web enumeration in CTFs, bug bounties, and penetration testing. Pair it with Burp Suite, FFUF, and Nmap for better results.

📌 Want to Learn More?