Gobuster

Wordlist-based brute-forcing tool to scan a website for hidden pages, directories and files (plus DNS, vhost and S3 enumeration modes).

Update Wordlist

The wordlist should be updated to add the current year (append it to the list of years below, one per line).

sudo nano /usr/share/dirb/wordlists/common.txt
2015
2016
2017
2018
2019
2020
2021
2022
2023
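Appending the years by hand in nano works, but it is easy to add a duplicate or forget the newline at the end of the file. The following shell function is an added example (not part of the original notes): it appends every year from a start year up to the current year, skipping entries the wordlist already contains, so it can be re-run each January. The function name and the default start year of 2015 are assumptions taken from the list above.

```shell
#!/bin/sh
# Added example: extend a wordlist with year entries without creating duplicates.
# Assumes a POSIX shell with seq, grep, tail and date available.
add_years() {
    wordlist="$1"                # path to the wordlist to extend
    first="${2:-2015}"           # first year to add (default matches the notes above)
    last="${3:-$(date +%Y)}"     # last year to add, default: the current year

    # Make sure the file ends with a newline, otherwise the first appended
    # year would be glued onto the last existing word.
    [ -n "$(tail -c1 "$wordlist")" ] && echo >> "$wordlist"

    for y in $(seq "$first" "$last"); do
        # -x matches whole lines only, so "2015" does not match "20150";
        # -q suppresses output, we only need the exit status.
        grep -qx "$y" "$wordlist" || printf '%s\n' "$y" >> "$wordlist"
    done
}

# Usage (needs root for the system wordlist):
#   sudo sh -c '. ./add_years.sh; add_years /usr/share/dirb/wordlists/common.txt'
```

Because the check is a whole-line match, running the function twice leaves the wordlist unchanged, which is what you want when the same script runs on every engagement.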

Installation

Prerequisites: Install Go.

sudo apt install gobuster

Or:

cd /usr/bin
git clone https://github.com/OJ/gobuster.git
cd gobuster
go run main.go

Help

gobuster dir --help
gobuster dns --help
gobuster vhost --help

Available commands

dir: Uses directory/file bruteforcing mode
dns: Uses DNS subdomain bruteforcing mode
fuzz: Uses fuzzing mode (replaces the FUZZ keyword in the URL)
help: Help about any command
s3: Uses S3 bucket enumeration mode
vhost: Uses VHOST bruteforcing mode

Check whether any sections are restricted to certain roles. Scan using the GET method, then rescan using POST, since some routes only answer to one of them.

Directory scan for metadata

Use wordlist metadata.txt.

URL="https://example.com"
WL=/home/kali/Wordlists/web/metadata.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z

Directory scan without extensions

Use the small list (~80K words) from SecLists.

URL="https://example.com"
WL=/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z -m POST

Directory scan with extensions

URL="https://example.com"
WL=/usr/share/dirb/wordlists/common.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z -x txt,xml,json,php,jsp,asp,aspx,old,bak,conf,config,log,db,sql
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z -x txt,xml,json,php,jsp,asp,aspx,old,bak,conf,config,log,db,sql -m POST

vhost scan – when infra is in scope

URL="https://example.com"
WL=/usr/share/wordlists/subdomains-top1million-20000.txt
gobuster vhost -u $URL -w $WL --append-domain
gobuster vhost -u $URL -w $WL --append-domain -m POST

dir mode

Search for directories listed in a wordlist on a website URL.

Skip invalid-certificate errors by adding the “-k” option. Use option “-z” to remove the progress output and get cleaner screenshots. Use “-d” to also search for backup files.

To whitelist specific status codes with “-s”, unset the blacklist by passing an empty “-b ""”; the two options are mutually exclusive otherwise.

URL="https://example.com"
WL=/usr/share/dirb/wordlists/common.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z
gobuster dir -k -u $URL -w $WL -b "404" -e -d -z

When the target runs Microsoft IIS, you MUST add asp,aspx to the “-x” extensions, because Gobuster will NOT find those files otherwise.

gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -d -z -x php,txt,bak,old,aspx,asp

Exclude specific response length (size)

--exclude-length <size>

Using a proxy

URL="https://example.com"
WL=/usr/share/dirb/wordlists/common.txt
#WL=/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -z -p "http://127.0.0.1:3128"

Instead of adding proxychains in front of the command, use the --proxy option.

gobuster --proxy socks5://127.0.0.1:8082 dir ...

Using cookies

URL="https://example.com"
WL=/usr/share/dirb/wordlists/common.txt
#WL=/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -z --cookies "cookie1=value1; cookie2=value2; cookie3=value3"

Using credentials over HTTP Basic Authentication & Proxy

URL="https://example.com"
WL=/usr/share/dirb/wordlists/common.txt
#WL=/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" -e -z -p "http://proxyserver:8080" -U username -P password

Using JWT token

URL="https://example.com"
WL=/usr/share/dirb/wordlists/common.txt
#WL=/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
TOKEN="jwt token here"
gobuster dir -k -u $URL -w $WL -H "Authorization: Bearer $TOKEN" -s '200,204,301,302,307,403,500' -b "" -e -z

Search for directories listed in cgi.txt on website URL

URL="https://example.com"
WL=/usr/share/seclists/Discovery/Web-Content/CGIs.txt
#WL=/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
gobuster dir -k -u $URL -w $WL -s '200,204,403,500' -b "" -e -z

When missing pages always return HTTP 200 (soft 404)

Exclude responses with the same body length as the soft-404 page.

gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -b "" --exclude-length 23898,23868,23856,23850
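From the defender's side, the dir mode described above and the soft-404 case just mentioned look different in the access log: a normal scan leaves a burst of 404s from one source, while a soft-404 site answers every miss with 200, so counting 404s alone misses it. The following shell/awk function is an added example (not part of the original notes) that flags a source by the number of distinct paths it requested, with the default “gobuster/<version>” User-Agent as a secondary hint. The log lines are constructed for the example, the 20-path threshold is an assumption to tune per site, and the User-Agent check is only a hint because the header is trivially changed.

```shell
#!/bin/sh
# Added example: spot wordlist directory scans in Apache/nginx "combined" logs.
# Assumes one log line per request on stdin and POSIX awk.
# Output: <ip> <distinct paths> <404 count> <reason>
flag_dir_scanners() {
    min_paths="${1:-20}"   # distinct paths from one IP before it is flagged (assumed default)
    awk -v min_paths="$min_paths" '
        {
            ip = $1; path = $7; status = $9
            # count distinct paths per source; this also catches soft-404 sites
            # where every miss is answered with 200
            if (!((ip, path) in seen)) { seen[ip, path] = 1; paths[ip]++ }
            if (status == 404) nf[ip]++
            # default User-Agent of the tool is "gobuster/<version>"; only a hint
            if ($0 ~ /"gobuster\//) ua[ip] = 1
        }
        END {
            for (ip in paths) {
                reason = ""
                if (paths[ip] >= min_paths) reason = "many-distinct-paths"
                if (ua[ip]) {
                    if (reason != "") reason = reason ","
                    reason = reason "gobuster-user-agent"
                }
                if (reason != "") printf "%s %d %d %s\n", ip, paths[ip], nf[ip] + 0, reason
            }
        }'
}

# Constructed sample log (not real traffic): one scanner requesting 25 paths on a
# soft-404 site (every miss answered with 200), plus one ordinary visitor.
sample_log() {
    i=1
    while [ "$i" -le 25 ]; do
        printf '203.0.113.5 - - [10/May/2023:10:00:%02d +0000] "GET /word%d HTTP/1.1" 200 23898 "-" "gobuster/3.5"\n' "$i" "$i"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [10/May/2023:10:00:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [10/May/2023:10:00:31 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"\n'
}

# Usage on a real log:  flag_dir_scanners 20 < /var/log/nginx/access.log
# Usage on the sample:  sample_log | flag_dir_scanners 20
```

The distinct-path count is the robust signal: it is unaffected by the status code the server chooses for misses and by a changed User-Agent, and the constant response size (23898 in the sample) is the same artefact the --exclude-length option above keys on from the other side.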

fuzz mode

Add the keyword “FUZZ” in the URL and gobuster will replace it with the words from the wordlist.

wget https://raw.githubusercontent.com/carlospolop/Auto_Wordlists/main/wordlists/file_inclusion_windows.txt
wget https://gist.githubusercontent.com/korrosivesec/a339e376bae22fcfb7f858426094661e/raw/ec7d1167816a1b6a4a7843ddb72c94e1858d1b3a/lfi_windows.txt
wget https://raw.githubusercontent.com/carlospolop/Auto_Wordlists/main/wordlists/file_inclusion_linux.txt
URL="http://x.x.x.x/index.php?p=source&file=FUZZ"
WL=file_inclusion_windows.txt
gobuster --proxy socks5://127.0.0.1:8082 fuzz -u $URL -w $WL --timeout 30s -z -o gobuster-lfi.txt

s3 mode

Find S3 public buckets

gobuster s3 -w wordlist-of-bucket-names.txt

vhost mode

Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter).

sudo wget -O /usr/share/wordlists/subdomains-top1million-20000.txt https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-20000.txt
URL="https://example.com"
WL=/usr/share/wordlists/subdomains-top1million-20000.txt
gobuster vhost -u $URL -w $WL --append-domain

dns mode

Uses DNS subdomain enumeration mode.

sudo wget -O /usr/share/wordlists/subdomains-top1million-20000.txt https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-20000.txt
DOMAIN=example.com
WL=/usr/share/wordlists/subdomains-top1million-20000.txt
gobuster dns -q -r 8.8.8.8 -d $DOMAIN -w $WL