Description
Gobuster is a tool used to brute-force URIs (directories and files), DNS subdomains, virtual host names, open Amazon S3 buckets, and more. It's fast, reliable, and widely used in bug bounty and penetration testing.
Installation
BASH
# Install with the Go toolchain
go install github.com/OJ/gobuster/v3@latest
# Kali/Debian
sudo apt install gobuster
Basic Usage
BASH
# Directory mode
gobuster dir -u https://target.com -w wordlist.txt
# DNS mode
gobuster dns -d target.com -w wordlist.txt
# Vhost mode
gobuster vhost -u https://target.com -w wordlist.txt
Advanced Usage
BASH
# With extensions
gobuster dir -u https://target.com -w wordlist.txt -x php,html,txt,bak
# Set threads
gobuster dir -u https://target.com -w wordlist.txt -t 50
# Exclude status codes (blacklist)
gobuster dir -u https://target.com -w wordlist.txt -b 404,403
# With cookies
gobuster dir -u https://target.com -w wordlist.txt -c "session=abc123"
# Follow redirects
gobuster dir -u https://target.com -w wordlist.txt -r
# Force continued operation when a wildcard response is detected
gobuster dir -u https://target.com -w wordlist.txt --wildcard
Common Workflows
BASH
# Standard content discovery
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50 -x php,html
# DNS subdomain brute force
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50
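Detection
From the defending side, directory-mode runs like the ones above appear in web access logs as one client producing 404s across many distinct paths, often with the default `gobuster/<version>` User-Agent. The script below is an added example, not part of the original page or the Gobuster project; it assumes combined log format, and the function names, threshold and log lines are constructed.

```bash
#!/usr/bin/env bash
# Added example: flag clients whose access-log footprint looks like directory brute-forcing.
# Assumes combined log format. Threshold and sample lines are constructed.

# Reads log lines on stdin; $1 = minimum distinct 404 paths per client.
# Prints "ip distinct_404_paths ua_flag" for each flagged client.
detect_dir_bruteforce() {
  awk -v min="$1" '
    {
      n = split($0, q, "\"")     # q[2]=request line, q[3]=status/bytes, q[6]=User-Agent
      if (n < 6) next            # not combined format
      ip = $1
      split(q[2], req, " "); path = req[2]
      split(q[3], st, " ");  status = st[1]
      if (q[6] ~ /^gobuster\//) ua[ip] = 1      # default Gobuster User-Agent
      if (status == 404 && !((ip, path) in seen)) { seen[ip, path] = 1; miss[ip]++ }
    }
    END {
      for (ip in miss)
        if (miss[ip] >= min || ua[ip])
          printf "%s %d %s\n", ip, miss[ip], (ua[ip] ? "gobuster-ua" : "volume-only")
    }' | sort
}

# Constructed sample: one default-UA scan, one scan with a changed UA, one normal client.
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 912 "-" "gobuster/3.6"
192.0.2.9 - - [01/Jan/2025:10:02:10 +0000] "GET /a HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2025:10:02:10 +0000] "GET /b HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2025:10:02:10 +0000] "GET /c HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2025:10:02:11 +0000] "GET /c HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2025:10:03:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2025:10:03:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
EOF
}

sample_log | detect_dir_bruteforce 3
```

The User-Agent match only catches unmodified runs; the distinct-404 count is the signal that survives a changed User-Agent, so tune the threshold to the site's normal 404 rate.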