Gobuster Tutorial: Directory and DNS Bruteforcing Guide

Gobuster is a fast, multi-threaded tool for brute-forcing directories, files, DNS subdomains, and virtual hosts. Written in Go, it is significantly faster than alternatives like Dirb and Dirbuster. This tutorial covers installation, usage, and practical examples.

What is Gobuster?

Gobuster is a tool used for brute-forcing URIs (directories and files), DNS subdomains, virtual hostnames, and Amazon S3 buckets. It is a staple in penetration testing and bug bounty hunting for discovering hidden content.

Installing Gobuster

Kali Linux (Pre-installed)

Gobuster comes pre-installed on Kali Linux. Update it with:

sudo apt update && sudo apt install gobuster

Debian/Ubuntu

sudo apt install gobuster

Using Go

go install github.com/OJ/gobuster/v3@latest

Gobuster Modes

Gobuster has several modes of operation:

  • dir: Directory and file brute-forcing
  • dns: DNS subdomain brute-forcing
  • vhost: Virtual host brute-forcing
  • s3: Amazon S3 bucket enumeration
  • fuzz: Fuzzing mode

Directory Bruteforcing (dir mode)

Basic Directory Scan

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

Common Options

# Specify file extensions
gobuster dir -u http://target.com -w wordlist.txt -x php,html,txt,bak

# Increase threads for faster scanning
gobuster dir -u http://target.com -w wordlist.txt -t 50

# Follow redirects
gobuster dir -u http://target.com -w wordlist.txt -r

# Add cookies (for authenticated scanning)
gobuster dir -u http://target.com -w wordlist.txt -c "session=abc123"

# Custom headers
gobuster dir -u http://target.com -w wordlist.txt -H "Authorization: Bearer token"

# Ignore SSL certificate errors
gobuster dir -u https://target.com -w wordlist.txt -k

# Save output to file
gobuster dir -u http://target.com -w wordlist.txt -o results.txt

Status Code Filtering

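# Show specific status codes only (Gobuster 3.x blacklists 404 by default and refuses to run with both lists set, so clear the blacklist with -b "")
gobuster dir -u http://target.com -w wordlist.txt -s "200,204,301,302,307,401,403" -b ""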

# Hide specific status codes
gobuster dir -u http://target.com -w wordlist.txt -b "404,500"

# Include length in output
gobuster dir -u http://target.com -w wordlist.txt -l

Example Output

===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://target.com
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Status codes:            200,204,301,302,307,401,403
===============================================================
/admin                (Status: 301) [Size: 312]
/backup               (Status: 403) [Size: 277]
/images               (Status: 301) [Size: 313]
/index.php            (Status: 200) [Size: 4523]
/login                (Status: 200) [Size: 1234]
/uploads              (Status: 301) [Size: 314]
===============================================================
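The result lines above have a fixed shape (path, status, size), so a saved results file can be triaged with standard tools. The script below is an added example, not part of the original tutorial or of Gobuster; the function names, the two extra .ht* lines in the sample and the threshold of 3 are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage a results file saved with `gobuster dir ... -o`.

# Constructed sample in the format of the example output above.
sample_results() {
cat <<'EOF'
===============================================================
/admin                (Status: 301) [Size: 312]
/backup               (Status: 403) [Size: 277]
/images               (Status: 301) [Size: 313]
/index.php            (Status: 200) [Size: 4523]
/login                (Status: 200) [Size: 1234]
/uploads              (Status: 301) [Size: 314]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
EOF
}

# parse_results: print "status size path" for each result line on stdin;
# banner and separator lines do not match and are dropped.
parse_results() {
  sed -n 's|^\(/[^ ]*\) *(Status: \([0-9]*\)) *\[Size: \([0-9]*\)].*$|\2 \3 \1|p'
}

# count_by_status: "count status" per line, ordered by status code.
count_by_status() {
  parse_results | awk '{n[$1]++} END {for (s in n) print n[s], s}' | sort -k2,2n
}

# repeated_bodies MIN: status/size pairs seen at least MIN times. Many paths
# with an identical status and size usually share one generic deny or error
# page, so the pair tells you little about any single path.
repeated_bodies() {
  parse_results | awk -v min="$1" '{k = $1 " " $2; n[k]++}
    END {for (k in n) if (n[k] >= min) print n[k], k}' | sort -k1,1nr
}

# distinct_hits MIN: results whose status/size pair occurs fewer than MIN times.
distinct_hits() {
  parse_results | awk -v min="$1" '{k = $1 " " $2; n[k]++; line[NR] = $0; key[NR] = k}
    END {for (i = 1; i <= NR; i++) if (n[key[i]] < min) print line[i]}'
}

# Demo on the constructed sample; for a real file: distinct_hits 3 < results.txt
sample_results | distinct_hits 3
```

A size reported by repeated_bodies is a candidate for the --exclude-length filter shown in the vhost and fuzz sections.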

DNS Subdomain Bruteforcing (dns mode)

Basic DNS Scan

gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

DNS Options

# Show IP addresses
gobuster dns -d target.com -w wordlist.txt -i

# Use specific DNS resolver
gobuster dns -d target.com -w wordlist.txt -r 8.8.8.8

# Increase threads
gobuster dns -d target.com -w wordlist.txt -t 50

# Continue scanning even when a wildcard DNS record is found (Gobuster detects wildcards itself and stops by default)
gobuster dns -d target.com -w wordlist.txt --wildcard

Virtual Host Bruteforcing (vhost mode)

Virtual host enumeration is useful when multiple sites are hosted on the same IP:

gobuster vhost -u http://target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Append base domain
gobuster vhost -u http://target.com -w wordlist.txt --append-domain

# Filter by response size
gobuster vhost -u http://target.com -w wordlist.txt --exclude-length 1234

Fuzzing Mode (fuzz mode)

The fuzz mode replaces the keyword FUZZ in the URL with wordlist entries:

# Basic fuzzing
gobuster fuzz -u http://target.com/FUZZ -w wordlist.txt

# Fuzz parameters
gobuster fuzz -u "http://target.com/page?id=FUZZ" -w numbers.txt

# Fuzz with exclusions
gobuster fuzz -u http://target.com/FUZZ -w wordlist.txt --exclude-length 0

Recommended Wordlists

Directory Bruteforcing

# Quick scans
/usr/share/wordlists/dirb/common.txt

# Comprehensive
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

# Large
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt

# CMS-specific
/usr/share/seclists/Discovery/Web-Content/CMS/wordpress.txt

DNS Bruteforcing

# Quick
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Medium
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

# Comprehensive
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Performance Tips

  1. Increase threads: Use -t 50 or higher depending on target capacity
  2. Use smaller wordlists first: Start with common.txt before larger lists
  3. Filter noise: Use -b to hide unwanted status codes
  4. Check for WAF: If getting blocked, reduce threads and add delays
  5. Save output: Always use -o to save results for later analysis
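The thread count and wordlist size chosen above decide what the target's access log records: one client requesting many paths in a short time, most of them answered with 404. The script below is an added example from the server owner's side, not part of the original tutorial; the log lines are constructed, the function names and thresholds are assumptions, and counts cover the whole input rather than a time window.

```shell
#!/usr/bin/env bash
# Added example: flag wordlist-style enumeration in a combined-format access log.

# Constructed log: one client walking a wordlist, one ordinary visitor.
# Addresses are from documentation ranges.
sample_log() {
  for w in admin backup images login uploads test old tmp dev api cgi-bin config; do
    case $w in
      admin|images|uploads) st=301 ;; backup) st=403 ;; login) st=200 ;; *) st=404 ;;
    esac
    printf '203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /%s HTTP/1.1" %s 277 "-" "gobuster/3.5"\n' "$w" "$st"
  done
  for p in / /index.php /login /images/logo.png /missing.css; do
    case $p in /missing.css) st=404 ;; *) st=200 ;; esac
    printf '198.51.100.20 - - [10/Jan/2025:10:00:05 +0000] "GET %s HTTP/1.1" %s 1234 "-" "Mozilla/5.0"\n' "$p" "$st"
  done
}

# enumeration_suspects MIN_REQ MIN_PCT: clients with at least MIN_REQ requests
# of which at least MIN_PCT percent returned 404.
# Output per client: "ip requests not_found percent".
enumeration_suspects() {
  awk -v min_req="$1" -v min_pct="$2" '
    { split($0, q, "\""); split(q[3], f, " ")   # f[1] is the status after the quoted request
      req[$1]++; if (f[1] == 404) nf[$1]++ }
    END { for (ip in req) {
            pct = int(100 * nf[ip] / req[ip])
            if (req[ip] >= min_req && pct >= min_pct) print ip, req[ip], nf[ip] + 0, pct } }' | sort
}

# default_agent_hits: requests per client sent with Gobuster's default
# User-Agent (gobuster/<version>). The header is client-controlled, so it is
# a supporting hint; the 404 ratio above is the primary signal.
default_agent_hits() {
  awk -F'"' '$6 ~ /^gobuster\// { split($1, a, " "); n[a[1]]++ }
    END { for (ip in n) print ip, n[ip] }' | sort
}

# Demo on the constructed log; for a real file: enumeration_suspects 100 80 < access.log
sample_log | enumeration_suspects 10 50
```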

Gobuster vs Alternatives

Gobuster is faster than Dirb and Dirbuster due to its Go implementation and multi-threading. Other alternatives include:

  • ffuf: Very fast, flexible fuzzer with similar capabilities
  • feroxbuster: Rust-based recursive content discovery
  • dirsearch: Python-based with built-in wordlists
  • wfuzz: Flexible web fuzzer for various scenarios

Practical Example: Full Enumeration

# Step 1: Quick directory scan
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -o quick-scan.txt

# Step 2: Scan with extensions
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt,bak,old,zip -o extensions-scan.txt

# Step 3: Comprehensive scan
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -o full-scan.txt

# Step 4: Subdomain enumeration
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -o subdomains.txt

Summary

Gobuster is an essential tool for content discovery during penetration tests and bug bounty hunting. Master its various modes and options to efficiently enumerate directories, subdomains, and virtual hosts. Always ensure you have authorization before running scans against any target.

Written by

Window Events
