Gobuster

Brute-force enumeration tool that uses a wordlist to find hidden directories and files, virtual hosts, DNS subdomains and S3 buckets.

Update Wordlist

💡 Update the word list so it includes the current year (append it to the list of years below).

sudo nano /usr/share/dirb/wordlists/common.txt
2015
2016
2017
2018
2019
2020
2021
2022
2023

Installation

Prerequisites: Install Go.

sudo apt install gobuster

Or:

cd /usr/bin
git clone https://github.com/OJ/gobuster.git
cd gobuster
go run main.go

Help

gobuster dir --help
gobuster dns --help
gobuster vhost --help

Available commands

dir: Uses directory/file bruteforcing mode
dns: Uses DNS subdomain bruteforcing mode
help: Help about any command
vhost: Uses VHOST bruteforcing mode

💡 Check whether you find any sections restricted to certain roles. Scan using the GET method, then rescan using POST.

Directory scan for metadata

Use wordlist metadata.txt.

URL="https://example.com"
WL=/home/kali/Wordlists/web/metadata.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z

Directory scan without extensions

Use the small list (~80K words) from SecLists.

URL="https://example.com"
WL=/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z -m POST

Directory scan with extensions

URL="https://example.com"
WL=/usr/share/dirb/wordlists/common.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z -x txt,xml,json,php,jsp,asp,aspx,old,bak,conf,config,log,db,sql
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z -x txt,xml,json,php,jsp,asp,aspx,old,bak,conf,config,log,db,sql -m POST

vhost scan – when infra is in scope

URL="https://example.com"
WL=/usr/share/wordlists/subdomains-top1million-20000.txt
gobuster vhost -u $URL -w $WL --append-domain
gobuster vhost -u $URL -w $WL --append-domain -m POST

dir mode

Search for directories listed in a wordlist on a website URL.

💡 Skip invalid-certificate errors by adding the “-k” option. Use option “-z” to remove the status progress output and get cleaner screenshots. Use “-d” to also search for backup files.

To whitelist specific status codes with -s, unset the blacklist with -b "" (the two options cannot be combined). See this note.

URL="https://example.com"
WL=/usr/share/dirb/wordlists/common.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z
gobuster dir -k -u $URL -w $WL -b "404" -e -d -z

❗ When the target runs Microsoft IIS, you MUST add asp,aspx to -x, because Gobuster will NOT find those files otherwise.

gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z -x php,txt,bak,old,aspx,asp

Exclude specific response length (size)

--exclude-length <size>

Using a proxy

URL="https://example.com"
WL=/usr/share/dirb/wordlists/common.txt
#WL=/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -z -p "http://127.0.0.1:3128"

Instead of putting proxychains in front of the command, use the --proxy option.

gobuster --proxy socks5://127.0.0.1:8082 dir ...

Using cookies

URL="https://example.com"
WL=/usr/share/dirb/wordlists/common.txt
#WL=/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -z --cookies "cookie1=value1; cookie2=value2; cookie3=value3"

Using credentials over HTTP Basic Authentication & Proxy

URL="https://example.com"
WL=/usr/share/dirb/wordlists/common.txt
#WL=/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -z -p "http://proxyserver:8080" -U username -P password

Using JWT token

URL="https://example.com"
WL=/usr/share/dirb/wordlists/common.txt
#WL=/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
TOKEN="jwt token here"
gobuster dir -k -u $URL -w $WL -H "Authorization: Bearer $TOKEN" -s '200,204,301,302,307,403,500' -b "" -e -z

Search for CGI scripts listed in CGIs.txt on website URL

URL="https://example.com"
WL=/usr/share/seclists/Discovery/Web-Content/CGIs.txt
#WL=/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
gobuster dir -k -u $URL -w $WL -s '200,204,403,500' -b "" -e -z

When the server answers 200 instead of 404 for missing pages

Exclude responses whose body has the same length as the catch-all page.

gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" --exclude-length 23898,23868,23856,23850
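Seen from the server side, the scans above are a burst of requests for wordlist paths, answered mostly with 404 (or, on a site like the one just described, with 200 pages of identical length), often sent with Gobuster's default User-Agent and probing for the backup/config extensions listed under -x. As an added example that is not part of this cheatsheet, a small Python detector over constructed Apache combined-format log lines flags clients by 404 ratio, by User-Agent and by non-404 answers on such paths; the log lines, IPs and the gobuster version string are constructed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumption: the server logs in this format).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Extensions the -x lists above probe for; a non-404 answer on one of these deserves a look.
SENSITIVE_EXT = (".bak", ".old", ".conf", ".config", ".log", ".db", ".sql")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines, min_requests=20, not_found_ratio=0.8):
    """Return {client_ip: [reasons]} for clients whose traffic looks like a wordlist scan."""
    stats = defaultdict(lambda: {"total": 0, "nf": 0, "ua": set(), "hits": []})
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        s = stats[r["ip"]]
        s["total"] += 1
        s["ua"].add(r["ua"])
        if r["status"] == "404":
            s["nf"] += 1
        elif r["path"].lower().endswith(SENSITIVE_EXT):
            s["hits"].append(r["path"])
    alerts = {}
    for ip, s in stats.items():
        reasons = []
        if any(ua.lower().startswith("gobuster") for ua in s["ua"]):
            reasons.append("default gobuster User-Agent")
        if s["total"] >= min_requests and s["nf"] / s["total"] >= not_found_ratio:
            reasons.append(f"{s['nf']}/{s['total']} responses were 404")
        if s["hits"]:
            reasons.append("non-404 on backup/config paths: " + ", ".join(s["hits"]))
        if reasons:
            alerts[ip] = reasons
    return alerts

# Constructed sample log: one browser, one scan with the default UA, one POST scan with a browser UA.
WORDS = [f"dir{n}" for n in range(24)]  # stands in for wordlist entries
def _line(ip, method, path, status, ua):
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" {status} 196 "-" "{ua}"'
SAMPLE_LOG = (
    [_line("203.0.113.5", "GET", "/index.html", 200, "Mozilla/5.0")]
    + [_line("198.51.100.9", "GET", f"/{w}", 404, "gobuster/3.6") for w in WORDS]
    + [_line("198.51.100.9", "GET", "/backup.sql", 200, "gobuster/3.6")]
    + [_line("198.51.100.20", "POST", f"/{w}.aspx", 404, "Mozilla/5.0") for w in WORDS]
)
```

Call detect(SAMPLE_LOG) to get the two scanning clients with their reasons; on a server that answers 200 for every path the 404-ratio signal is useless, so the User-Agent and sensitive-path signals (or an equal-body-length count) are what remain.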

fuzz mode

Add the keyword “FUZZ” in the URL and gobuster will replace it with the words from the wordlist.

wget https://raw.githubusercontent.com/carlospolop/Auto_Wordlists/main/wordlists/file_inclusion_windows.txt
wget https://gist.githubusercontent.com/korrosivesec/a339e376bae22fcfb7f858426094661e/raw/ec7d1167816a1b6a4a7843ddb72c94e1858d1b3a/lfi_windows.txt
wget https://raw.githubusercontent.com/carlospolop/Auto_Wordlists/main/wordlists/file_inclusion_linux.txt
URL="http://x.x.x.x/index.php?p=source&file=FUZZ"
WL=file_inclusion_windows.txt
gobuster --proxy socks5://127.0.0.1:8082 fuzz -u $URL -w $WL --timeout 30s -z -o gobuster-lfi.txt

s3 mode

💡 See Amazon Simple Storage Service (Amazon S3).

Find S3 public buckets

gobuster s3 -w wordlist-of-bucket-names.txt

vhost mode

Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter).

sudo wget -O /usr/share/wordlists/subdomains-top1million-20000.txt https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-20000.txt
URL="https://example.com"
WL=/usr/share/wordlists/subdomains-top1million-20000.txt
gobuster vhost -u $URL -w $WL --append-domain

dns mode

Uses DNS subdomain enumeration mode.

sudo wget -O /usr/share/wordlists/subdomains-top1million-20000.txt https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-20000.txt
DOMAIN=example.com
WL=/usr/share/wordlists/subdomains-top1million-20000.txt
gobuster dns -q -r 8.8.8.8 -d $DOMAIN -w $WL