
Gobuster Tutorial for Directory Enumeration in 2026

Suresh S

In web application security assessments, discovery precedes exploitation. Developers often assume that a directory that is not linked from the site cannot be found. Attackers, however, use directory enumeration tools to guess hidden endpoints, administrative panels, development backups, and configuration files.

Gobuster is a high-performance, multithreaded command-line tool written in Go, specifically designed to brute-force URLs, folders, DNS subdomains, virtual hosts, and cloud storage buckets.

In this tutorial, you will learn how to install Gobuster, master its various running modes, and run effective scans to audit your web infrastructure.

We will cover:

  • Why Gobuster is faster than Python or Java alternatives.
  • Installation guides for all platforms.
  • The 4 core modes of Gobuster.
  • Running directory and DNS scans with advanced filtering.
  • Understanding HTTP status response codes.

Why Use Gobuster?

Historically, security researchers relied on tools like DirBuster (written in Java) or Dirb (written in C). Gobuster improves upon these by:

  1. Concurrency in Go: Gobuster uses goroutines to keep hundreds of requests in flight at once, which makes it significantly faster than single-threaded scanners.
  2. Resource Efficiency: It is a single command-line binary with low memory overhead and no graphical interface to carry.
  3. Versatility: It combines directory discovery, DNS enumeration, virtual host fuzzing, and bucket probing in one tool.

For general server auditing, Gobuster is best paired with scanners like Nikto Web Vulnerability Scanner (to identify server-wide versions and configuration issues) and OWASP ZAP (for testing input fields and APIs).


How to Install Gobuster

Gobuster can be installed easily using pre-built binaries or compiled from its Go source code.

🐧 Linux

On Debian, Ubuntu, or Kali Linux:

sudo apt update
sudo apt install gobuster -y

🍎 macOS

macOS users can install it via Homebrew:

brew install gobuster

🐹 From Source Code (Any OS with Go installed)

If you have the Go toolchain installed, build the latest tagged release directly:

go install github.com/OJ/gobuster/v3@latest

go install places the binary in $GOBIN, or in $GOPATH/bin when GOBIN is unset (by default $HOME/go/bin). Add that directory to your PATH to run gobuster from anywhere.


Understanding Gobuster’s 4 Core Modes

Gobuster uses a sub-command structure to select the scanning engine:

Sub-command   Mode                Core Purpose
dir           Directory Mode      Classic web folder and file brute-forcing.
dns           DNS Mode            Subdomain discovery via DNS lookups.
vhost         Virtual Host Mode   Brute-forcing the Host header to find virtual hosts served from a single IP.
s3            Amazon S3 Mode      Probing AWS S3 storage buckets for public exposure.

Recent releases add further engines (fuzz, gcs, and tftp); run gobuster help to list what your build supports. This tutorial focuses on the four above.

Step-by-Step Tutorial: Running Directory Scanning (dir)

The directory brute-force engine needs two things: a target URL (-u) and a wordlist file (-w).

gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt

Advanced Flags for Real-World Auditing:

1. Searching for Specific File Extensions (-x)

Directories often hold scripts and leftover backups (for example .php, .txt, .zip, .bak). The -x flag appends each listed extension to every word in the wordlist, in addition to requesting the bare word:

gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt -x php,txt,zip,json

If a word in the list is “admin”, Gobuster will request admin, admin.php, admin.txt, admin.zip, and admin.json. Every extension multiplies the request count, so limit the list to what the target stack actually uses.

2. Running Faster with Multi-Threading (-t)

Increase the thread count to speed up directory searches. The default is 10 threads. On a fast connection to a target that can take the load, you can raise it:

gobuster dir -u http://example.com -w common.txt -t 50

More threads means more simultaneous requests, which can trip rate limiting or a WAF and, on a fragile server, degrade service. On production systems keep -t low or add --delay to pause between requests.

3. Skipping TLS Certificate Validation (-k)

If you are testing a local development server with a self-signed TLS certificate, Gobuster will refuse the connection. Pass -k (short for --no-tls-validation) to skip verification. Use it only for lab and internal hosts, since it also removes any protection against a man-in-the-middle:

gobuster dir -u https://192.168.1.50 -w common.txt -k

4. Filtering Status Codes (-b or -s)

By default, Gobuster blacklists 404 and prints every other status it receives. You can hide additional codes with -b (blacklist) or show only chosen codes with -s (whitelist). The two flags are mutually exclusive: because -b defaults to 404, a bare -s is rejected with an error, so clear the blacklist explicitly when whitelisting:

# Show only OK and Redirect status codes (and clear the default 404 blacklist)
gobuster dir -u http://example.com -w common.txt -s "200,204,301,302,307" -b ""
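The wrapper below is an added example, not code from this tutorial or from the Gobuster project. It combines the flags above into one POSIX sh script with safe defaults: it validates input, clears the default blacklist whenever -s is given, estimates how many requests a wordlist and extension list will generate, and only executes gobuster when it is installed, printing the command otherwise. The URL, wordlist and output file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the tutorial or the Gobuster project: a POSIX sh
# wrapper around `gobuster dir`. URL, wordlist and output file names below are
# placeholders (assumptions). Every gobuster flag used (-u -w -t -q -o -x -s -b
# --delay -k) exists in Gobuster v3.

# Quote one argument for eval; an empty string becomes '' so `-b ''` survives.
shell_quote() {
  case "$1" in
    '') printf "''" ;;
    *[!A-Za-z0-9_./:,=-]*) printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")" ;;
    *) printf '%s' "$1" ;;
  esac
}

# Requests a scan will send: every non-blank word once, plus once per -x extension.
estimate_requests() {
  local words n_ext
  words=$(grep -cv '^[[:space:]]*$' "$1" || true)
  n_ext=0
  if [ -n "${2:-}" ]; then
    n_ext=$(printf '%s' "$2" | tr ',' '\n' | grep -c .)
  fi
  echo $(( words * (1 + n_ext) ))
}

# Print the gobuster command line. Arguments:
#   URL WORDLIST [THREADS=10] [EXTENSIONS] [STATUS_CODES] [DELAY] [INSECURE=0]
build_gobuster_cmd() {
  local url="$1" wordlist="$2" threads="${3:-10}" exts="${4:-}" codes="${5:-}"
  local delay="${6:-}" insecure="${7:-0}" outfile cmd
  case "$threads" in ''|*[!0-9]*) echo "threads must be a positive integer" >&2; return 1 ;; esac
  # One output file per target, e.g. gobuster-http___example_com.txt
  outfile="gobuster-$(printf '%s' "$url" | tr -c 'A-Za-z0-9' '_').txt"
  cmd="gobuster dir -u $(shell_quote "$url") -w $(shell_quote "$wordlist") -t $threads -q -o $outfile"
  [ -n "$exts" ] && cmd="$cmd -x $(shell_quote "$exts")"
  # -s (whitelist) is rejected while the default 404 blacklist is set, so clear -b.
  [ -n "$codes" ] && cmd="$cmd -s $(shell_quote "$codes") -b ''"
  [ -n "$delay" ] && cmd="$cmd --delay $(shell_quote "$delay")"
  [ "$insecure" = 1 ] && cmd="$cmd -k"
  printf '%s\n' "$cmd"
}

# Run the scan, or print the command when gobuster is not installed (dry run).
run_gobuster_dir() {
  local cmd
  [ -r "$2" ] || { echo "wordlist not readable: $2" >&2; return 1; }
  cmd=$(build_gobuster_cmd "$@") || return 1
  echo "planned requests: $(estimate_requests "$2" "${4:-}")" >&2
  if command -v gobuster >/dev/null 2>&1; then
    eval "$cmd"
  else
    echo "gobuster not on PATH; would run: $cmd" >&2
  fi
}

# Demo with a constructed three-word wordlist (one blank line on purpose);
# prints the plan without contacting anything.
demo_wordlist=$(mktemp)
printf 'admin\nbackup\n\nuploads\n' > "$demo_wordlist"
echo "requests: $(estimate_requests "$demo_wordlist" php,txt,zip)"   # 12
build_gobuster_cmd http://example.com "$demo_wordlist" 20 php,txt,zip 200,204,301,302,307 100ms
rm -f "$demo_wordlist"
```

Call run_gobuster_dir with the same arguments to execute the scan; the request estimate it prints, divided by the thread count and multiplied by the delay, gives a rough lower bound on how long the scan will take and how much load it will put on the target.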

Step-by-Step Tutorial: Subdomain Discovery (dns)

If you want to discover subdomains (like admin.example.com or dev.example.com), use the dns mode.

gobuster dns -d example.com -w /usr/share/wordlists/subdomains.txt

Note: In DNS mode, the target option changes from -u (URL) to -d (domain).

Useful DNS Flag:

  • -i (--show-ips): Prints the IP addresses each discovered subdomain resolves to, so names that share an address (the same server or load balancer) are easy to spot.
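To turn that -i output into the clusters mentioned above, the short script below groups discovered names by the address they resolve to. It is an added example, not code from the tutorial or the Gobuster project; the sample lines are constructed and assume a "Found: host [ip,ip]" layout, so adjust the sed pattern if your Gobuster version prints IPs differently.

```shell
#!/bin/sh
# Added example, not from the tutorial or the Gobuster project: group the hosts
# found by `gobuster dns -i` by the IP they resolve to. The sample below is
# constructed and assumes a "Found: host [ip,ip]" line layout (an assumption).
SAMPLE_DNS='Found: admin.example.com [10.0.0.5]
Found: dev.example.com [10.0.0.7]
Found: api.example.com [10.0.0.5]
Found: mail.example.com [10.0.0.9,10.0.0.10]'

# Reads gobuster dns output on stdin; prints one "ip host host..." line per IP.
# A name with several A records is listed under each of its IPs.
group_by_ip() {
  sed -n 's/^Found: \([^ ][^ ]*\) \[\(.*\)\]$/\1 \2/p' |
  awk '{ n = split($2, ips, ",")
         for (i = 1; i <= n; i++) hosts[ips[i]] = hosts[ips[i]] " " $1 }
       END { for (ip in hosts) print ip hosts[ip] }' |
  LC_ALL=C sort
}

# Only the IPs that front more than one discovered name: likely one server,
# reverse proxy or load balancer behind several hostnames.
shared_ips() {
  group_by_ip | awk 'NF > 2'
}

printf '%s\n' "$SAMPLE_DNS" | group_by_ip
echo '--- addresses shared by several names ---'
printf '%s\n' "$SAMPLE_DNS" | shared_ips
```

Feed a real run in with `gobuster dns -d example.com -w subdomains.txt -i | group_by_ip`; names that collapse onto one address are usually virtual hosts on the same box, which is exactly where the vhost mode picks up.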

Interpreting Gobuster Results

Gobuster prints hits in real time, showing the path, the HTTP status code, the response size and, for redirects, the Location target:

/index.php           (Status: 200) [Size: 1543]
/admin               (Status: 301) [Size: 312] [--> /admin/]
/config.php.bak      (Status: 200) [Size: 421]
/uploads             (Status: 403) [Size: 220]

Response Code Breakdown:

  • Status: 200 (OK): The resource exists and was served. Fetch .php.bak, .zip, or other configuration backups immediately. If many unrelated paths return 200 with the same size, the server has a catch-all page; note that size and rerun with --exclude-length <size> to suppress it.
  • Status: 301/302 (Redirect): The path exists and redirects, often to its trailing-slash form or to a login portal. Follow the Location target shown in the output.
  • Status: 403 (Forbidden): The directory exists, but index listing is denied (or an ACL or WAF blocks you). Specific files inside it may still be readable by name, so run a second scan with that directory as the base URL.
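The listing above is easier to act on with a little post-processing. The script below is an added example, not from the tutorial or the Gobuster project: it parses lines in the layout shown (piped in, or from a file written with -o), ranks hits by what a tester should open first, and reports response sizes that recur across several 200 answers, the signature of a catch-all page that --exclude-length can filter. The sample output is constructed: the four lines above plus three invented entries.

```shell
#!/bin/sh
# Added example, not from the tutorial or the Gobuster project: triage
# `gobuster dir` output. The sample below is constructed (the listing above
# plus three invented entries), not a real scan.
SAMPLE_SCAN='/index.php           (Status: 200) [Size: 1543]
/admin               (Status: 301) [Size: 312] [--> /admin/]
/config.php.bak      (Status: 200) [Size: 421]
/uploads             (Status: 403) [Size: 220]
/blog                (Status: 200) [Size: 1543]
/news                (Status: 200) [Size: 1543]
/.env                (Status: 200) [Size: 97]'

# Turn "path (Status: N) [Size: M] ..." lines on stdin into "N M path".
parse_scan() {
  awk '/\(Status: [0-9]+\)/ {
    status = $0; sub(/.*\(Status: /, "", status); sub(/\).*/, "", status)
    size = $0;   sub(/.*\[Size: /, "", size);   sub(/\].*/, "", size)
    print status, size, $1
  }'
}

# Rank hits: readable backup/config files first, then 403 directories (exist but
# deny listing), then redirects, then the rest. Output is sorted by priority.
triage_gobuster() {
  parse_scan | awk '
    $1 == 200 && $3 ~ /\.(bak|old|orig|zip|tar|gz|sql|env|swp)$|~$/ {
      print "1 HIGH", $3, "readable backup/config (" $2 " bytes)"; next }
    $1 == 403 { print "2 MEDIUM", $3, "exists, listing denied; try known filenames inside"; next }
    $1 ~ /^30[1278]$/ { print "3 INFO", $3, "redirect, follow the Location target"; next }
    { print "4 LOW", $3, "status " $1 ", " $2 " bytes" }
  ' | LC_ALL=C sort | cut -d' ' -f2-
}

# A catch-all page answers many different paths with 200 and one body size.
# Print sizes seen three or more times; pass each to `--exclude-length`.
catch_all_sizes() {
  parse_scan | awk '$1 == 200 { seen[$2]++ }
                    END { for (s in seen) if (seen[s] >= 3) print s }' | sort -n
}

printf '%s\n' "$SAMPLE_SCAN" | triage_gobuster
echo '--- sizes to pass to --exclude-length ---'
printf '%s\n' "$SAMPLE_SCAN" | catch_all_sizes
```

On the sample, /config.php.bak and /.env come out on top, /uploads is flagged for a follow-up scan, and 1543 is reported as the catch-all size because three unrelated paths returned it; rerunning with --exclude-length 1543 removes that noise while keeping the genuine 200 hits.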

Conclusion

Gobuster is a fast, robust directory brute-forcer. Its Go concurrency lets security analysts discover hidden web interfaces and subdomains at speeds traditional Java-based or single-threaded tools cannot match. When testing active production environments, keep the thread count (-t) modest and add a per-request pause with --delay so the scan does not create a Denial of Service (DoS) condition.


Written by Suresh S

Founder of FreeTechLearner, a technology blog dedicated to Linux, Open Source, Cybersecurity, Cloud Computing, Self-Hosting, and AI. I create practical tutorials and learning resources that help students, beginners, and tech enthusiasts build real-world skills and stay updated with modern technology.
