Gobuster Masterclass
Mission Brief: “How to Enumerate with Gobuster.”
1. What is Gobuster
Gobuster is a fast, command‑line tool written in Go for brute‑forcing URIs (files and directories), DNS subdomains, virtual hosts, cloud storage buckets (S3/GCS), TFTP files, and HTTP parameter fuzzing using wordlists.
2. Tool Category: Enumeration
Category: Enumeration
Gobuster discovers hidden resources by systematically probing a target with wordlists. It’s ideal for mapping web directories, finding subdomains, testing vhosts, and uncovering exposed buckets or parameters, all core enumeration tasks in pentesting.
3. Tool Overview
- What it does: Uses customizable wordlists and patterns to brute‑force and enumerate various targets (web paths, DNS names, vhosts, buckets, TFTP, fuzz inputs).
- Common use‑cases:
- Web directory/file discovery
- Subdomain brute‑forcing
- Virtual‑host probing
- Cloud bucket enumeration (AWS S3, GCS)
- TFTP file listing
- HTTP parameter fuzzing
Exit Codes:
| Code | Meaning |
|---|---|
| 0 | Success (found at least one hit) |
| 1 | Partial success / warnings |
| 2 | Error (bad flags or syntax) |
4. HTTP Status Codes
Gobuster reports any HTTP status codes encountered. Top 10 commonly seen:
| Status | Meaning |
|---|---|
| 200 | OK (resource exists) |
| 301 | Moved Permanently |
| 302 | Found (temporary redirect) |
| 307 | Temporary Redirect |
| 401 | Unauthorized (auth required) |
| 403 | Forbidden (access denied) |
| 404 | Not Found |
| 500 | Internal Server Error |
| 502 | Bad Gateway |
| 503 | Service Unavailable |
⚠️ Gobuster can show any HTTP status code—these are just the most frequent.
5. Flags & Options
🎛️ Global Flags
(apply to all modes)
| Flag | Category | Description |
|---|---|---|
| `-w <file>`, `--wordlist <file>` | Wordlist | Path to wordlist. |
| `-t <n>`, `--threads <n>` | Performance | Number of concurrent threads (default: 10). |
| `-o <file>`, `--output <file>` | Output | Write results to a file instead of stdout. |
| `-q`, `--quiet` | Output | Suppress banner and non‑result output. |
| `-v`, `--verbose` | Output | Show verbose messages and errors. |
| `--delay <duration>` | Performance | Delay between requests (e.g. 500ms, 1s). |
| `--timeout <duration>` | Performance | Request timeout (default: 10s). |
| `--wordlist-offset <n>` | Wordlist Control | Skip first n entries in wordlist (resume capability). |
| `-p <file>`, `--pattern <file>` | Wordlist‑Pattern | File of regex patterns for substitution. |
| `--no-color` | Output | Disable colored output. |
| `--no-error` | Output | Suppress error messages. |
| `-z`, `--no-progress` | Output | Don’t show progress bar. |
| `-h`, `--help` | Help | Show help for all modes/flags. |
| `--version` | Help | Display Gobuster version. |
📂 Directory Mode Flags (dir)
| Flag | Category | Description |
|---|---|---|
| `-u <url>`, `--url <url>` | Target | Base URL (e.g. `http://<TARGET_IP>/`). |
| `-x <exts>`, `--extensions <exts>` | File Filtering | Try only these extensions (comma‑separated, e.g. php,txt). |
| `-r`, `--follow-redirect` | HTTP | Follow HTTP redirects. |
| `-s <codes>`, `--status-codes <codes>` | Filtering | Only report these status codes (e.g. 200,301). |
| `-b <codes>`, `--status-codes-blacklist` | Filtering | Exclude these status codes (default: 404). |
| `-e`, `--expanded` | Output | Print full URLs instead of just paths. |
| `-d`, `--discover-backup` | HTTP | Also look for common backup file extensions on found entries. |
| `--exclude-length <lens>` | Filtering | Ignore responses matching these body lengths. |
| `-f`, `--add-slash` | HTTP | Append a slash (/) to each word before requesting. |
| `-H <hdr>`, `--headers <hdr>` | HTTP | Add custom HTTP header(s). |
| `-c <cookie>`, `--cookies <cookie>` | HTTP | Send cookie(s) with each request. |
| `-m <method>`, `--method <method>` | HTTP | HTTP method to use (GET, POST, HEAD; default: GET). |
| `-n`, `--no-status` | Output | Don’t display status codes in results. |
| `-k`, `--no-tls-validation` | HTTP | Skip TLS certificate verification. |
| `-U <user>`, `--username <user>` | Auth | Username for HTTP Basic Auth. |
| `-P <pw>`, `--password <pw>` | Auth | Password for HTTP Basic Auth. |
| `--proxy <url>` | Proxy | Send all requests via this proxy. |
| `--random-agent` | HTTP | Use a random User‑Agent for each request. |
```bash
gobuster dir -u http://<TARGET_IP>/ -w /home/kali/SecLists/Discovery/Web-Content/common.txt -t 50 --timeout 30s -o gobuster_dir_example.txt
```

This command brute‑forces common web directories on `<TARGET_IP>`, using 50 threads, a 30 s timeout, and saves results to `gobuster_dir_example.txt`.
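Seen from the web server, a dir-mode run like this is a burst of requests for distinct, mostly non-existent paths from one client. The following added example (not part of the original page or of Gobuster) flags that pattern in a combined-format access log, and also flags Gobuster's default `gobuster/<version>` User-Agent; the thresholds, function names and log lines are constructed assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')  # combined log format

def detect_enumeration(lines, window=timedelta(seconds=10), min_misses=20, miss_ratio=0.8):
    """Return {client_ip: [reasons]} for traffic that looks like wordlist brute-forcing."""
    events, agents = defaultdict(list), defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, m["path"], int(m["status"])))
        agents[m["ip"]].add(m["ua"])
    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        reasons = []
        if any(ua.lower().startswith("gobuster/") for ua in agents[ip]):
            reasons.append("default gobuster User-Agent")  # absent with --random-agent or -H
        # Rate signal: many distinct 404 paths dominating one client's requests in a window.
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            misses = {path for _, path, status in span if status == 404}
            if len(misses) >= min_misses and len(misses) / len(span) >= miss_ratio:
                reasons.append(f"{len(misses)} distinct 404 paths in {int(window.total_seconds())}s")
                break
        if reasons:
            findings[ip] = reasons
    return findings

def sample_log():
    """Constructed log: a scanner rotating User-Agents, a visitor, one default-UA probe."""
    fmt = '{ip} - - [12/Mar/2025:10:00:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 512 "-" "{ua}"'
    words = ["admin", "backup", "config", "login.php"] + [f"w{i}" for i in range(36)]
    lines = [fmt.format(ip="203.0.113.7", s=i // 10, p="/" + w, st=200 if w == "login.php" else 404,
                        ua=f"Mozilla/5.0 (constructed-{i % 7})") for i, w in enumerate(words)]
    lines += [fmt.format(ip="198.51.100.20", s=s, p=p, st=st, ua="Mozilla/5.0 (visitor)")
              for s, p, st in [(1, "/", 200), (5, "/about", 200), (9, "/old-link", 404)]]
    lines.append(fmt.format(ip="192.0.2.44", s=30, p="/robots.txt", st=404, ua="gobuster/3.6"))
    return lines

if __name__ == "__main__":
    print(detect_enumeration(sample_log()))
```

The rate signal still fires when the User-Agent is randomized, which is why it is kept separate from the User-Agent match.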
🌐 DNS Mode Flags (dns)
| Flag | Category | Description |
|---|---|---|
| `-d <domain>`, `--domain <domain>` | Target | Base domain to enumerate (e.g. `<TARGET_HOSTNAME>`). |
| `-r <resolver>`, `--resolver <res>` | DNS | Use this DNS resolver (e.g. 8.8.8.8:53). |
| `--no-fqdn` | DNS | Don’t append system search domains to names. |
| `--wildcard` | Filtering | Continue even if wildcard DNS responses are detected. |
| `-c`, `--show-cname` | DNS | Display CNAME records for found subdomains. |
| `-i`, `--show-ips` | DNS | Display IP addresses alongside subdomains. |
```bash
gobuster dns -d <TARGET_HOSTNAME> -w /home/kali/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --no-fqdn -t 20 -z -o gobuster_dns_example.txt
```

This command brute‑forces subdomains of `<TARGET_HOSTNAME>` (wildcard tolerant), using 20 threads, no progress bar, and writes to `gobuster_dns_example.txt`.
🏠 Virtual‑Host Mode Flags (vhost)
| Flag | Category | Description |
|---|---|---|
| `-u <url>`, `--url <url>` | Target | Base URL (e.g. `http://<TARGET_IP>/`). |
| `--append-domain` | Target Formatting | Auto‑append `.<domain>` to each word (requires `<domain>`). |
| `-r`, `--follow-redirect` | HTTP | Follow HTTP redirects. |
| `-H <hdr>`, `--headers <hdr>` | HTTP | Add custom HTTP header(s). |
| `-c <cookie>`, `--cookies <cookie>` | HTTP | Send cookie(s) with each request. |
| `-k`, `--no-tls-validation` | HTTP | Skip TLS certificate validation. |
| `-U <user>`, `--username <user>` | Auth | Username for HTTP Basic Auth. |
| `-P <pw>`, `--password <pw>` | Auth | Password for HTTP Basic Auth. |
| `--proxy <url>` | Proxy | Send requests via this proxy. |
| `--random-agent` | HTTP | Use a random User‑Agent. |
```bash
gobuster vhost -u http://<TARGET_IP>/ -w /home/kali/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain -r -o gobuster_vhost_example.txt
```

This command probes virtual hosts by appending `.<domain>` to each word, follows redirects, and outputs to `gobuster_vhost_example.txt`.
☁️ S3 & GCS Modes Flags (s3/gcs)
| Flag | Category | Description |
|---|---|---|
| `-m <n>`, `--maxfiles <n>` | Bucket Control | Max objects to list per bucket (verbose only). |
| `--proxy <url>` | Proxy | Send requests via this proxy. |
| `--random-agent` | HTTP | Use a random User‑Agent. |
| `--timeout <duration>` | Performance | Request timeout (default: 10s). |
```bash
gobuster s3 <TARGET_IP> -w /home/kali/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -m 20 --random-agent -o gobuster_s3_example.txt
gobuster gcs <TARGET_IP> -w /home/kali/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -m 20 --random-agent -o gobuster_gcs_example.txt
```

These commands list up to 20 objects in S3 or GCS buckets on `<TARGET_IP>`, randomizing the User‑Agent.
📡 TFTP Mode Flags (tftp)
| Flag | Category | Description |
|---|---|---|
| `-s <server>`, `--server <srv>` | Target | TFTP server address. |
| `-p <port>`, `--port <port>` | TFTP Control | TFTP port (default: 69). |
| `-w <file>`, `--wordlist <file>` | Wordlist | List of filenames to request. |
| `--timeout <duration>` | Performance | Request timeout (default: 1s). |
```bash
gobuster tftp -s <TARGET_IP> -w /home/kali/SecLists/Discovery/Web-Content/common.txt --timeout 2s -o gobuster_tftp_example.txt
```

This command requests common filenames from the TFTP server on `<TARGET_IP>`, using a 2 s timeout.
🔀 Fuzz Mode Flags (fuzz)
| Flag | Category | Description |
|---|---|---|
| `-u <url>`, `--url <url>` | Target | URL containing the FUZZ placeholder (e.g. `?id=FUZZ`). |
| `--data <data>` | HTTP‑Body | POST body with FUZZ placeholders (e.g. `pass=FUZZ`). |
| `-H <hdr>`, `--headers <hdr>` | HTTP | Header(s) with FUZZ placeholders (e.g. `-H "X-API: FUZZ"`). |
| `-w <file>`, `--wordlist <file>` | Wordlist | Path to wordlist. |
| `-m <n>`, `--maxfiles <n>` | Performance | Threads or max items for fuzzing (mode‑dependent). |
| `--pattern <file>` | Wordlist‑Pattern | File of regex patterns for substitution. |
```bash
gobuster fuzz -u http://<TARGET_IP>/login --data "user=admin&pass=FUZZ" -w /home/kali/SecLists/Discovery/Web-Content/common.txt --random-agent -o gobuster_fuzz_example.txt
```

This command fuzzes the login endpoint’s `pass` parameter with `common.txt`, randomizes the User‑Agent, and saves results.
6. Setup & Prerequisites
1. **Serve DVWA at root of default vhost**

```bash
ssh dvwa@192.168.171.131
sudo nano /etc/apache2/sites-available/000-default.conf
# Change:
#   DocumentRoot /var/www/html
# To:
#   DocumentRoot /var/www/html/dvwa
sudo systemctl reload apache2
```

2. **Configure `/etc/hosts` on your attacker machine:**

```
192.168.171.131 dvwa.local
192.168.171.131 admin.dvwa.local
192.168.171.131 dev.dvwa.local
```

3. **Burp Proxy**
   - In Burp → Proxy → Intercept, ensure “Intercept is off” so Gobuster’s traffic flows automatically.
4. **Increase Gobuster Timeout**
   - When proxying through Burp, add `--timeout 30s` (or higher) to avoid client‑timeout errors.
7. Further Reading & Resources
- Official Gobuster Repo: https://github.com/OJ/gobuster
- Usage & Flags Guide: https://github.com/OJ/gobuster#usage
- SecLists Wordlists: https://github.com/danielmiessler/SecLists
8. Final Tips
- 💡 Threading vs. Server Load: Raise `-t` for speed but monitor target stability and IDS/IPS triggers.
- 💡 Filter Smartly: Use `-s` and `-b` in tandem to focus on relevant status codes.
- 💡 Resume Large Scans: Employ `--wordlist-offset` to pick up where you left off.
- ⚠️ Wildcard Detection: Always test with `--wildcard` to avoid false positives on catch‑all domains.
- ⚠️ Proxying Best Practices: Combine `--timeout` with `--no-progress` when funneling through intercepting proxies.
- 💡 Output Automation: Leverage JSON or CSV outputs for easy integration into scripts and reports.
Happy Hacking!