Gobuster
/ Update
5 min read
Gobuster is an open-source cli tool written in Go, primarily used by penetration testers to brute-force and discover hidden URIs (directories and files), DNS subdomains, and virtual hosts.
Features#
- High Performance: Multi-threaded scanning with configurable concurrency
- Multiple Modes: Directory, DNS, virtual host, S3, GCS, TFTP, and fuzzing modes
- Security Focused: Built for penetration testing and security assessments - Docker Support: Available as a Docker container
- Extensible: Pattern-based scanning and custom wordlists
What Can Gobuster Do?#
- Web Directory/File Enumeration: Discover hidden directories and files on web servers
- DNS Subdomain Discovery: Find subdomains with wildcard support
- Virtual Host Detection: Identify virtual hosts on target web servers
- Cloud Storage Enumeration: Discover open Amazon S3 and Google Cloud Storage buckets
- TFTP File Discovery: Find files on TFTP servers
- Custom Fuzzing: Flexible fuzzing with customizable parameters
Usage#
Installation:
go install github.com/OJ/gobuster/v3@latestSyntax:
gobuster [mode] [options]Examples:
# Basic directory enumeration
gobuster dir -u https://example.com -w /path/to/wordlist.txt
# DNS subdomain enumeration
gobuster dns -do example.com -w /path/to/wordlist.txt
# Virtual host discovery
gobuster vhost -u https://example.com -w /path/to/wordlist.txt
# S3 bucket enumeration
gobuster s3 -w /path/to/bucket-names.txtAvailable modes:
dir: Uses directory/file enumeration modevhost: Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter)dns: Uses DNS subdomain enumeration modefuzz: Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request bodytftp: Uses TFTP enumeration modes3: Uses aws bucket enumeration modegcs: Uses gcs bucket enumeration mode
| Short Flag | Long Flag | Description |
|---|---|---|
-t | --threads | This flag configures the number of threads to use for the scan. Each of these threads sends out requests with a slight delay. The default number of threads is 10. This number may be slow when using large wordlists. You can increase or decrease the number of threads depending on the available system resources. |
-w | --wordlist | The flag configures a wordlist to use for iterating. Each wordlist entry is attached to the URL you included in the command. |
--delay | This flag defines the amount of time to wait between sending requests. Some web servers include mechanisms to detect enumeration by looking at how many requests are received in a certain period of time. We can increase the delay between subsequent requests to make it look like normal web traffic. | |
--debug | This flag helps us to troubleshoot when our command gives unexpected errors. | |
-o | --output | This flag writes the enumeration results to a file we choose. |
Directory and File Enumeration (dir)#
Enumerate directories and files on web servers.
gobuster dir -u https://example.com -w wordlist.txt
# With file extensions
gobuster dir -u https://example.com -w wordlist.txt -x php,html,js,txt
# Show response length
gobuster dir -u https://example.com -w wordlist.txt -l| Flag | Long Flag | Description |
|---|---|---|
-c | --cookies | This flag configures a cookie to pass along each request, such as a session ID. |
-x | --extensions | This flag specifies which file extensions you want to scan for. E.g., .php, .js |
-H | --headers | This flag configures an entire header to pass along with each request. |
-k | --no-tls-validation | This flag skips the process that checks the certificate when https is used. It often happens for CTF events or test rooms like the ones on THM a self-signed certificate is used. This causes an error during the TLS check. |
-n | --no-status | You can set this flag when you don’t want to see status codes of each response received. This helps keep the output on the screen clear. |
-P | password | You can set this flag together with the —username flag to execute authenticated requests. This is handy when you have obtained credentials from a user. |
-s | --status-codes | With this flag, you can configure which status codes of the received responses you want to display, such as 200, or a range like 300-400. |
-b | --status-codes-blacklist | This flag allows you to configure which status codes of the received responses you don’t want to display. Configuring this flag overrides the -s flag. |
-U | --username | You can set this flag together with the --password flag to execute authenticated requests. This is handy when you have obtained credentials from a user. |
-r | --followredirect | This flags configures Gobuster to follow the redirect that it received as a response to the sent request. A HTTP redirect status code (e.g., 301 or 302) is used to redirect the client to a different URL. |
DNS Mode (dns)#
Discover subdomains through DNS resolution.
gobuster dns -d example.com -w wordlist.txt
# Use custom DNS server
gobuster dns -do example.com -w wordlist.txt -r 8.8.8.8:53| Flag | Long Flag | Description |
|---|---|---|
-c | --show-cname | Show CNAME Records (cannot be used with the -i flag). |
-i | --show-ips | Including this flag shows IP addresses that the domain and subdomains resolve to. |
-r | --resolver | This flag configures a custom DNS server to use for resolving. |
-d | --domain | This flag configures the domain you want to enumerate. |
Virtual Host Mode (vhost)#
Discover virtual hosts on web servers.
Virtual hosts are different websites on the same machine.
vhostmode will navigate to the URL created by combining the configured HOSTNAME (-u flag) with an entry of a wordlist.dnsmode will do a DNS lookup to the FQDN created by combining the configured domain name (-d flag) with an entry of a wordlist.
gobuster vhost -u https://example.com --append-domain -w wordlist.txt| Short Flag | Long Flag | Description |
|---|---|---|
-u | --url | Specifies the base URL (target domain) for brute-forcing virtual hostnames. |
--append-domain | Appends the base domain to each word in the wordlist (e.g., word.example.com). | |
-m | --method | Specifies the HTTP method to use for the requests (e.g., GET, POST). |
--domain | Appends a domain to each wordlist entry to form a valid hostname (useful if not provided explicitly). | |
--exclude-length | Excludes results based on the length of the response body (useful to filter out unwanted responses). | |
-r | --follow-redirect | Follows HTTP redirects (useful for cases where subdomains may redirect). |
Gobuster appends each entry in the wordlist to the configured domain. If no domain is explicitly configured with the --domain flag, Gobuster will extract it from the URL. E.g., test.example.thm, help.example.thm, etc. If any subdomains are found, Gobuster will report them to you in the terminal. |
S3 Mode (s3)#
Enumerate Amazon S3 buckets.
gobuster s3 -w bucket-names.txtTFTP Mode (tftp)#
Enumerate files on tftp servers.
gobuster tftp -s 10.0.0.1 -w wordlist.txtGCS Mode (gcs)#
Enumerate Google Cloud Storage Buckets.
gobuster gcs -w bucket-names.txtgobuster gcs -w bucket-names.txt --debugFuzz Mode (fuzz)#
Custom fuzzing with the FUZZ keyword.
gobuster fuzz -u https://example.com?FUZZ=test -w wordlist.txt
# Fuzz URL parameters
gobuster fuzz -u https://example.com?param=FUZZ -w wordlist.txt
# Fuzz POST data
gobuster fuzz -u https://example.com -d "username=admin&password=FUZZ" -w passwords.txtGobuster
https://nahil.xyz/vault/tools/gobuster/
Author Nahil Rasheed
Published at June 8, 2026
Copyright
CC BY-NC-SA 4.0
Disclaimer This content is provided strictly for educational purposes only.