
Gobuster Commands Upd

Gobuster is an open-source tool developed in the Go programming language, primarily used for brute-forcing directories and files, DNS subdomains, and virtual host names on target web servers. It is a staple in the toolkit of penetration testers and ethical hackers due to its speed and efficiency in discovering hidden or sensitive assets.

Core Operational Modes

Gobuster uses a mode-based approach, where each command is tailored for a specific enumeration task:

dir (Directory/File Mode): Used to enumerate web directories and files. It sends HTTP requests to the target and identifies valid resources based on server responses.

dns (DNS Subdomain Mode): Used to discover subdomains by brute-forcing DNS resolution. This is critical for mapping a target's broader infrastructure.

vhost (Virtual Host Mode): Specifically used to find virtual hosts on a server by testing different Host headers. It differs from DNS mode as it verifies the existence of a domain through web requests rather than just DNS resolution.

s3, gcs: Used to enumerate open Amazon S3 or Google Cloud buckets to find potentially exposed files.

fuzz: Allows for basic fuzzing by replacing the FUZZ keyword in a URL, header, or request body with words from a wordlist.

Common Commands & Examples

The general syntax follows the pattern: gobuster [mode] [options]

Gobuster is a high-performance, command-line tool written in Go used by penetration testers to discover hidden paths on web servers and subdomains. Its speed and efficiency make it a staple in the reconnaissance phase of ethical hacking.

Core Modes and Usage

Gobuster operates in several distinct modes depending on your target:

Directory/File Enumeration (dir): Used to find hidden directories and files on a web server. Syntax: gobuster dir -u <target_url> -w <wordlist>

Example: gobuster dir -u https://example.com -w /usr/share/wordlists/dirb/common.txt

DNS Subdomain Discovery (dns): Brute-forces subdomains for a specific domain. Syntax: gobuster dns -d <domain> -w <wordlist>

Virtual Host Detection (vhost): Identifies virtual hosts on a target server. Syntax: gobuster vhost -u <target_url> -w <wordlist>

Cloud Storage Enumeration (s3, gcs): Specifically searches for open AWS S3 or Google Cloud buckets.

Essential Command Flags

Customising your scan is critical for efficiency and bypassing security measures:

| Flag | Name | Description |
|------|------|-------------|
| -x | File Extensions | Search for specific file types (e.g., -x php,html,txt). |
| -t | Threads | Sets the number of concurrent connections (default is 10). |
| -k | Skip TLS | Bypasses SSL/TLS certificate verification. |
| -o | Output | Saves results to a specific file. |
| -r | Custom Resolvers | Use specific DNS servers to avoid rate limits. |
| -s | Status Codes | Filter results by specific HTTP status codes (e.g., -s "200,204,301,302"). |

Advanced Fuzzing Mode

The fuzz mode allows for more flexible testing by replacing a FUZZ keyword in URLs, Headers, or request bodies with entries from a wordlist. This is particularly useful for discovering undocumented API endpoints or testing specific parameters.

Practical Tips for Better Results

Choose the Right Wordlist: Your results are only as good as your wordlist. Popular choices include the SecLists GitHub repository or the built-in lists in Kali Linux.

Use Quiet Mode (-q): This removes the banner and extra noise, making the output easier to pipe into other tools.

Handle Authentication: If the target is behind a login, use the --headers flag to include session cookies or authorization tokens.

To provide a comprehensive overview of using Gobuster, a tool used for brute-force testing of directories and files on web servers, let's consider its various commands and options. Gobuster is particularly useful for web developers and penetration testers to discover hidden resources such as directories and files that might not be immediately visible through a website's navigation or sitemap.
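Because dir mode requests one wordlist entry after another and reads the status codes that come back, it leaves a recognizable pattern in the target's access log. The following is an added example, not part of the original page or of Gobuster itself: it flags clients that request many distinct paths, mostly receive 404, and try the same name with several extensions (the -x behaviour). The Combined Log Format input, the thresholds, the sample addresses and the "gobuster/" user-agent prefix are assumptions made for the example.

```python
import posixpath
import re
from collections import defaultdict

# Combined Log Format: ip, identity, user, [time], "request", status, size, "referer", "agent"
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def find_enumeration(lines, min_paths=20, min_miss_ratio=0.8):
    """Flag clients that request many distinct paths and mostly get 404s."""
    total, misses = defaultdict(int), defaultdict(int)
    paths, agents = defaultdict(set), defaultdict(set)
    stems = defaultdict(lambda: defaultdict(set))  # ip -> path stem -> extensions seen
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        stem, ext = posixpath.splitext(path)
        total[ip] += 1
        misses[ip] += m["status"] == "404"
        paths[ip].add(path)
        agents[ip].add(m["ua"])
        stems[ip][stem].add(ext)
    flagged = {}
    for ip, count in total.items():
        ratio = misses[ip] / count
        if len(paths[ip]) >= min_paths and ratio >= min_miss_ratio:
            flagged[ip] = {
                "distinct_paths": len(paths[ip]),
                "miss_ratio": round(ratio, 2),
                # same name tried with several extensions, as an -x scan does
                "multi_ext_stems": sum(len(e) >= 2 for e in stems[ip].values()),
                # assumed default agent prefix; a client can change it, so treat as a hint only
                "default_ua": any(ua.startswith("gobuster/") for ua in agents[ip]),
            }
    return flagged

def build_sample_log():
    """Constructed sample: one enumerating client, one ordinary visitor."""
    fmt = '{} - - [10/Mar/2025:10:00:00 +0000] "GET {} HTTP/1.1" {} 153 "-" "{}"'
    lines = []
    for word in ("admin", "backup", "login", "config", "test", "old", "dev", "api"):
        for ext in ("", ".php", ".txt"):
            status = 200 if word + ext == "login.php" else 404
            lines.append(fmt.format("203.0.113.7", "/" + word + ext, status, "gobuster/3.6"))
    for path, status in (("/", 200), ("/login.php", 200), ("/css/site.css", 200), ("/x.png", 404)):
        lines.append(fmt.format("198.51.100.20", path, status, "Mozilla/5.0"))
    return lines
```

The behavioural fields (distinct paths, miss ratio, repeated stems) are the ones to alert on; the user-agent match only adds confidence when it happens to be present.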

Part 6: Optimizing Your Results (Tips & Tricks)

Updated Tip for Modern Setups

Many CDNs (Cloudflare, Fastly) return 200 OK for all vhosts. Use --exclude-length or --exclude-regex to filter:

gobuster vhost -u https://example.com -w vhosts.txt \
  --exclude-regex "cloudflare","nginx default"

5. Response Processing (The "Directives")

| Flag | Effect | Example |
|------|--------|---------|
| -s | Show status codes (comma-separated) | -s "200,204,301,302,307" |
| -x | File extensions to append | -x "php,html,asp,js,txt" |
| -X | HTTP methods | -X "GET,POST,HEAD" |
| -r | Follow redirects | -r |
| -b | Hide status codes (negate -s) | -b "404,403" |
| -l | Include response length in output | -l |

3. VHost Brute-Forcing

Gobuster can be used to brute-force virtual hosts (vHosts) on a web server. The following command is used for vHost brute-forcing:

gobuster vhost -u <target_url> -w <wordlist>

Example:

gobuster vhost -u http://example.com -w /usr/share/wordlists/vhosts.txt

This command will brute-force vHosts on the target URL http://example.com using the wordlist vhosts.txt.

Mode 3: VHOST (Virtual Host) Enumeration

Useful for finding hidden domains on the same IP:

-u: Specifies the target URL

gobuster vhost -u https://target.com -w vhosts.txt --append-domain

Update Gobuster (The Real "UPD")

If you have Go installed:

go install github.com/OJ/gobuster/v3@latest

On Kali Linux (which often comes with an older version):

sudo apt update
sudo apt install gobuster

Or compile from source:

git clone https://github.com/OJ/gobuster.git
cd gobuster
go build

Verify your version:

gobuster version

Expected output in 2025: v3.6.x or higher.


b) DNS Subdomain Brute-Forcing (dns)

Basic command:

gobuster dns -d example.com -w /usr/share/wordlists/subdomains-top1million-5000.txt

Flags:

Example:

gobuster dns -d example.com -w subdomains.txt -t 50 -i -c -o dns_results.txt

Conclusion

Gobuster is a powerful tool that can be used for various tasks, including web application discovery, vulnerability scanning, and penetration testing. Its versatility and customizability make it a popular choice among security professionals. By mastering Gobuster commands and options, you can improve your skills in web application security testing and vulnerability assessment.