Gobuster Directory/File Brute Forcer Cheat Sheet

Overview

Gobuster is a tool used to brute-force URIs (directories and files) in web sites, DNS subdomains, virtual host names on target web servers, and open Amazon S3 buckets. Written in Go, it's fast, efficient, and supports multiple modes of operation for comprehensive web application reconnaissance.

⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have proper authorization before using against any target.

Installation

Go Installation

bash
# Install via Go
go install github.com/OJ/gobuster/v3@latest

# Verify installation
gobuster version

Package Manager Installation

bash
# Ubuntu/Debian
sudo apt update
sudo apt install gobuster

# Arch Linux
sudo pacman -S gobuster

# macOS with Homebrew
brew install gobuster

# Kali Linux (pre-installed)
gobuster --help

Manual Installation

bash
# Download latest release
wget https://github.com/OJ/gobuster/releases/download/v3.6.0/gobuster_Linux_x86_64.tar.gz
tar -xzf gobuster_Linux_x86_64.tar.gz
sudo mv gobuster /usr/local/bin/

# Make executable
sudo chmod +x /usr/local/bin/gobuster

Docker Installation

bash
# Pull Docker image
docker pull gobuster/gobuster

# Run with Docker
docker run --rm gobuster/gobuster --help

Basic Usage

Command Structure

bash
# Basic syntax
gobuster [mode] [options]

# Get help
gobuster --help
gobuster [mode] --help

# Check version
gobuster version

Available Modes

| Mode  | Description                          |
|-------|--------------------------------------|
| dir   | Directory/file enumeration mode      |
| dns   | DNS subdomain enumeration mode       |
| fuzz  | Fuzzing mode                         |
| s3    | Amazon S3 bucket enumeration         |
| gcs   | Google Cloud Storage enumeration     |
| tftp  | TFTP enumeration mode                |
| vhost | Virtual host enumeration mode        |

Directory and File Enumeration

Basic Directory Brute Force

bash
# Basic directory enumeration
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# With specific extensions
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt

# Multiple extensions
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt,js,css

# Custom status codes (-s and the default blacklist -b 404 are mutually exclusive, so clear -b)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -s 200,204,301,302,307,401,403 -b ""

Advanced Directory Options

bash
# Increase threads for faster scanning
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 50

# Add delay between requests (applies per thread; in dir mode -d means --discover-backup, not delay)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --delay 100ms

# Follow redirects
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -r

# Response length is printed by default; hide it with --hide-length
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --hide-length

# Quiet mode (only show found)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -q

Authentication and Headers

bash
# Basic authentication
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -U username -P password

# Custom headers
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer token"

# Multiple headers
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -H "X-Forwarded-For: 127.0.0.1" -H "User-Agent: CustomAgent"

# Cookies
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -c "PHPSESSID=abc123; auth=token"

Proxy and SSL Options

bash
# Use proxy (-p is --pattern in v3; the proxy flag is --proxy)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --proxy http://127.0.0.1:8080

# Skip SSL verification
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -k

# Custom timeout
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --timeout 30s

# Custom user agent
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -a "Mozilla/5.0 (Custom Agent)"

DNS Subdomain Enumeration

Basic DNS Enumeration

bash
# Basic subdomain enumeration
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

# Show IP addresses
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -i

# Custom resolver
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -r 8.8.8.8

# Custom resolver with explicit port (format is server or server:port; one resolver per run)
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -r 8.8.8.8:53

Advanced DNS Options

bash
# Increase threads
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 50

# Wildcard handling: gobuster detects wildcard DNS itself and stops; --wildcard forces it to continue
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --wildcard

# Custom timeout
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --timeout 5s

# Output to file
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -o subdomains.txt

Virtual Host Enumeration

Basic VHost Enumeration

bash
# Basic virtual host enumeration
gobuster vhost -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

# Append domain
gobuster vhost -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

# Scan by IP and supply the domain to append to each word
gobuster vhost -u http://192.168.1.100 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --domain target.com

Advanced VHost Options

bash
# Filter by status code
gobuster vhost -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -s 200,302

# Exclude status codes
gobuster vhost -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -b 404,403

# Custom headers
gobuster vhost -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Authorization: Bearer token"

Fuzzing Mode

Basic Fuzzing

bash
# Basic fuzzing with FUZZ keyword
gobuster fuzz -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# FUZZ may appear more than once; every occurrence is replaced with the same word
gobuster fuzz -u http://target.com/FUZZ/FUZZ -w /usr/share/wordlists/dirb/common.txt

# Custom extensions in fuzzing
gobuster fuzz -u http://target.com/FUZZ.php -w /usr/share/wordlists/dirb/common.txt

Advanced Fuzzing

bash
# Exclude specific responses
gobuster fuzz -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt --exclude-length 1234

# Filter by response size
gobuster fuzz -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s 200 --exclude-length 0

# POST data fuzzing (-m sets the method, -B the request body; -d is not a body flag)
gobuster fuzz -u http://target.com/login -w /usr/share/wordlists/dirb/common.txt -m POST -B "username=admin&password=FUZZ"

Amazon S3 Bucket Enumeration

Basic S3 Enumeration

bash
# Basic S3 bucket enumeration
gobuster s3 -w /usr/share/wordlists/dirb/common.txt

# Custom region
gobuster s3 -w /usr/share/wordlists/dirb/common.txt -r us-west-2

# Maximum keys to list
gobuster s3 -w /usr/share/wordlists/dirb/common.txt -m 1000

Advanced S3 Options

bash
# Increase threads
gobuster s3 -w /usr/share/wordlists/dirb/common.txt -t 50

# Output to file
gobuster s3 -w /usr/share/wordlists/dirb/common.txt -o s3_buckets.txt

# Quiet mode
gobuster s3 -w /usr/share/wordlists/dirb/common.txt -q

Google Cloud Storage Enumeration

Basic GCS Enumeration

bash
# Basic Google Cloud Storage enumeration
gobuster gcs -w /usr/share/wordlists/dirb/common.txt

# Maximum keys to list
gobuster gcs -w /usr/share/wordlists/dirb/common.txt -m 1000

# Increase threads
gobuster gcs -w /usr/share/wordlists/dirb/common.txt -t 50

Common Wordlists

bash
# SecLists (comprehensive collection)
/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt

# DirBuster wordlists
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirb/small.txt

# Custom wordlists for specific technologies
/usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/wordpress.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/drupal.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/apache.txt

Creating Custom Wordlists

bash
# Combine multiple wordlists
cat /usr/share/wordlists/dirb/common.txt /usr/share/wordlists/dirb/big.txt | sort -u > custom_wordlist.txt

# Generate wordlist from website
cewl http://target.com -w custom_wordlist.txt

# Technology-specific wordlist (printf is portable; echo -e is not)
printf '%s\n' admin administrator login dashboard api v1 v2 test dev > custom_dirs.txt

Output and Reporting

Output Formats

bash
# Save to file
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -o results.txt

# JSON output
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -o results.json --format json

# Append to existing file
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt >> results.txt

Verbose Output

bash
# Verbose mode
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -v

# Progress is shown by default; disable it when logging output to a file
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --no-progress

Advanced Techniques

Multi-Target Scanning

bash
# Scan multiple targets (one URL per line in targets.txt); slashes in the URL become underscores in the file name
for target in $(cat targets.txt); do
    echo "Scanning $target"
    gobuster dir -u "$target" -w /usr/share/wordlists/dirb/common.txt -o "${target//\//_}_results.txt"
done

# Parallel scanning with GNU parallel ({#} is the job number, keeping output files distinct)
parallel -j 5 "gobuster dir -u {} -w /usr/share/wordlists/dirb/common.txt -o results_{#}.txt" :::: targets.txt

Recursive Scanning

bash
# Manual recursive scanning
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt | grep "Status: 200" | awk '{print $1}' > found_dirs.txt

# Scan found directories
while read dir; do
    gobuster dir -u "http://target.com$dir" -w /usr/share/wordlists/dirb/common.txt
done < found_dirs.txt

Rate Limiting Evasion

bash
# Slow scanning to avoid rate limits (one thread, fixed delay between requests)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 1 --delay 1s

# The delay is a fixed duration, not a range; increase it rather than passing a span like 500ms-2s
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --delay 2s

# Rotate user agents (built-in list)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --random-agent

Integration with Other Tools

Burp Suite Integration

bash
# Use Burp as proxy
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --proxy http://127.0.0.1:8080

# Export Burp findings to wordlist
# From Burp: Target > Site map > Right-click > Copy URLs
# Process URLs to create custom wordlist
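The "process URLs to create custom wordlist" step above, and the custom-wordlist section earlier, leave the processing itself unstated. The script below is an added example, not part of gobuster or of this page: it turns a list of URLs (as copied from a site map) into wordlist entries by splitting paths into segments, emitting the bare name alongside `name.ext` so `-x` can add extensions back, and dropping purely numeric segments such as record IDs. The URLs in `SAMPLE_URLS` are constructed for the example.

```bash
#!/bin/sh
# Added example: build a gobuster wordlist from URLs copied out of a proxy site map.
# Not part of gobuster; SAMPLE_URLS is constructed input.

SAMPLE_URLS='http://target.com/
http://target.com/admin/login.php
http://target.com/admin/dashboard
http://target.com/api/v2/users?id=1
https://target.com/static/js/app.js#top
http://target.com/api/v2/users/42'

# urls_to_words: URLs on stdin -> unique wordlist entries on stdout.
#   sed   strips scheme+host, then query string and fragment
#   tr    puts one path segment per line
#   grep  drops empty segments and purely numeric ones (IDs do not generalize)
#   awk   prints each segment and, for name.ext, also the bare name
urls_to_words() {
    sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://[^/]*##' -e 's/[?#].*$//' |
        tr '/' '\n' |
        grep -v '^$' |
        grep -v '^[0-9][0-9]*$' |
        awk '{ print; if ($0 ~ /\./) { sub(/\.[^.]*$/, ""); print } }' |
        LC_ALL=C sort -u
}

# Usage: print the generated list; in a live run redirect it to a file and pass it with -w,
# e.g.  urls_to_words < burp_urls.txt > custom_wordlist.txt
printf '%s\n' "$SAMPLE_URLS" | urls_to_words
```

Run against the sample, the list contains eleven entries (admin, api, app, app.js, dashboard, js, login, login.php, static, users, v2) and no query parameters or IDs, which is what you want when the goal is to reuse observed naming conventions against other parts of the same application.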

Nmap Integration

bash
# Scan web ports first
nmap -p 80,443,8080,8443 target.com --open -oG web_ports.txt

# Extract open ports and scan
grep "80/open\|443/open\|8080/open\|8443/open" web_ports.txt | awk '{print $2}' | while read host; do
    gobuster dir -u "http://$host" -w /usr/share/wordlists/dirb/common.txt
done

Nuclei Integration

bash
# Run gobuster first (-e prints full URLs, which is what nuclei -l expects), keep only the 200s
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -e -q | awk '/Status: 200/ {print $1}' > found_paths.txt

# Run nuclei on found paths
nuclei -l found_paths.txt -t /path/to/nuclei-templates/
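When gobuster is run without `-e`, or results were saved earlier with `-o`, the lines hold a relative path and a status rather than a URL. The function below is an added example (not gobuster's own code) that parses that output format, which looks like `/admin    (Status: 301) [Size: 312] [--> http://target.com/admin/]`, and prints full URLs for the status codes you care about, skipping banner and progress lines. `SAMPLE_OUTPUT` is constructed for the example.

```bash
#!/bin/sh
# Added example: turn gobuster dir output into a URL list for nuclei -l or similar tools.
# Not part of gobuster; SAMPLE_OUTPUT is constructed.

SAMPLE_OUTPUT='/admin                (Status: 301) [Size: 312] [--> http://target.com/admin/]
/index.php            (Status: 200) [Size: 1234]
/backup.zip           (Status: 403) [Size: 277]
/robots.txt           (Status: 200) [Size: 58]
Progress: 4614 / 4615 (99.98%)'

# hits_to_urls BASE_URL [CODES]: read gobuster output on stdin and print BASE_URL+path
# for every result whose status is in the comma-separated CODES list.
hits_to_urls() {
    base=${1%/}                              # strip trailing slash so the join has one "/"
    codes=${2:-200,204,301,302,307,401,403}  # gobuster's usual positive set
    LC_ALL=C awk -v base="$base" -v codes=",$codes," '
        /^\/.* \(Status: [0-9]+\)/ {
            path = $1                                  # paths containing spaces are not handled
            match($0, /\(Status: [0-9]+\)/)
            code = substr($0, RSTART + 9, RLENGTH - 10) # text between "(Status: " and ")"
            if (index(codes, "," code ",") > 0) print base path
        }'
}

# Usage: everything that answered 200 becomes a target list. A live pipeline would be
#   gobuster dir -u http://target.com -w wordlist.txt -q | hits_to_urls http://target.com 200 > targets.txt
#   nuclei -l targets.txt
printf '%s\n' "$SAMPLE_OUTPUT" | hits_to_urls http://target.com 200
```

Filtering on status in the parser rather than with `grep "Status: 200"` keeps 301 and 403 hits available for a second pass; a 403 on `/backup.zip`, for instance, is a finding for the report even though nuclei will not get far with it.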

Automation Scripts

Comprehensive Web Enumeration Script

bash
#!/bin/bash

TARGET=$1
OUTPUT_DIR="gobuster_results_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"

echo "[+] Starting comprehensive web enumeration for $TARGET"

# Directory enumeration with common extensions
echo "[+] Running directory enumeration..."
gobuster dir -u "$TARGET" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt,js,css,xml,json -t 50 -o "$OUTPUT_DIR/directories.txt"

# Common file enumeration
echo "[+] Running common file enumeration..."
gobuster dir -u "$TARGET" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -x php,html,txt,js,css,xml,json,bak,old,tmp -t 50 -o "$OUTPUT_DIR/files.txt"

# Admin panel enumeration
echo "[+] Running admin panel enumeration..."
gobuster dir -u "$TARGET" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/wordpress.txt -t 50 -o "$OUTPUT_DIR/admin.txt"

# API enumeration
echo "[+] Running API enumeration..."
gobuster dir -u "$TARGET" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/api/api-endpoints.txt -t 50 -o "$OUTPUT_DIR/api.txt"

# Subdomain enumeration (host part of the URL is used as the domain)
if [[ $TARGET =~ ^https?://([^/:]+) ]]; then
    DOMAIN=${BASH_REMATCH[1]}
    echo "[+] Running subdomain enumeration for $DOMAIN..."
    gobuster dns -d "$DOMAIN" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 50 -o "$OUTPUT_DIR/subdomains.txt"
fi

echo "[+] Enumeration complete. Results saved in $OUTPUT_DIR/"

Multi-Extension Scanner

bash
#!/bin/bash

TARGET=$1
WORDLIST="/usr/share/wordlists/dirb/common.txt"

# Common web extensions
EXTENSIONS=("php" "html" "htm" "txt" "js" "css" "xml" "json" "asp" "aspx" "jsp" "do" "action" "cgi" "pl" "py" "rb" "bak" "old" "tmp" "log")

for ext in "${EXTENSIONS[@]}"; do
    echo "[+] Scanning for .$ext files..."
    gobuster dir -u "$TARGET" -w "$WORDLIST" -x "$ext" -t 30 -q | grep "Status: 200"
done

Recursive Directory Scanner

bash
#!/bin/bash

TARGET=$1
WORDLIST="/usr/share/wordlists/dirb/common.txt"
MAX_DEPTH=3

scan_directory() {
    local url=${1%/}      # no trailing slash, so "$url$found_path" joins with a single "/"
    local depth=$2

    if [ "$depth" -gt "$MAX_DEPTH" ]; then
        return
    fi

    echo "[+] Scanning $url/ (depth: $depth)"

    # -f appends "/" to every request, so directories answer 200 and are reported with a
    # trailing slash; without it most directories come back as 301 and would never be recursed
    gobuster dir -u "$url/" -w "$WORDLIST" -f -t 30 -q | grep "Status: 200" | while read -r line; do
        found_path=$(echo "$line" | awk '{print $1}')
        full_url="$url$found_path"

        echo "Found: $full_url"

        # If it's a directory, scan recursively
        if [[ $found_path == */ ]]; then
            scan_directory "$full_url" $((depth + 1))
        fi
    done
}

scan_directory "$TARGET" 0

Performance Optimization

Threading and Speed

bash
# Optimal thread count (usually 20-50)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 30

# Adjust timeout for slow servers
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --timeout 10s

# Disable progress bar for better performance
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --no-progress

Memory Management

bash
# For large wordlists, use streaming
gobuster dir -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -t 20

# Monitor memory usage
watch -n 1 'ps aux | grep gobuster'

Troubleshooting

Common Issues

bash
# SSL certificate issues
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -k

# Connection timeout
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --timeout 30s

# Rate limiting
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 1 --delay 1s

# DNS resolution issues
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -r 8.8.8.8

Debug Mode

bash
# Enable debug output
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --debug

# Verbose output
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -v

Best Practices

Reconnaissance Strategy

  1. Start with common directories: Use small, common wordlists first
  2. Technology-specific enumeration: Use CMS-specific wordlists when applicable
  3. Extension enumeration: Always include relevant file extensions
  4. Recursive scanning: Scan found directories for deeper enumeration
  5. Rate limiting awareness: Adjust threads and delays to avoid detection
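The last point cuts both ways: a directory brute force is also one of the easier things to spot in an access log. The script below is an added example from the defender's side (not from this page or from gobuster) that reads combined-format log lines and flags clients whose requests are mostly 404/403 answers, or which carry the tool's default `gobuster/<version>` User-Agent. The log lines in `SAMPLE_LOG` are constructed, with addresses from documentation ranges; the thresholds (at least 4 requests, at least 60% misses) are assumptions to tune per site.

```bash
#!/bin/sh
# Added example (defender side): flag directory brute-forcing in a combined-format access log.
# Not part of gobuster; SAMPLE_LOG and the default thresholds are constructed for the example.

SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin HTTP/1.1" 403 199 "-" "gobuster/3.6"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "gobuster/3.6"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /dev HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /style.css HTTP/1.1" 200 811 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /old HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /v1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET /v2 HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET /api HTTP/1.1" 200 88 "-" "Mozilla/5.0"'

# flag_enum_clients [MIN_REQUESTS] [MIN_MISS_RATIO]: log lines on stdin; prints one line per
# suspicious client as "ip requests misses ratio reason", sorted by ip.
flag_enum_clients() {
    LC_ALL=C awk -v min_req="${1:-4}" -v min_ratio="${2:-0.6}" '
        {
            ip = $1
            total[ip]++
            if ($9 == 404 || $9 == 403) miss[ip]++   # $9 is the status code in combined format
            if ($0 ~ /"gobuster\//) tool_ua[ip] = 1  # default User-Agent; absent when -a or --random-agent is used
        }
        END {
            for (ip in total) {
                ratio = (miss[ip] + 0) / total[ip]
                reason = ""
                if (total[ip] >= min_req && ratio >= min_ratio) reason = "high-miss-ratio"
                if (tool_ua[ip]) reason = (reason == "" ? "tool-user-agent" : reason ",tool-user-agent")
                if (reason != "")
                    printf "%s %d %d %.2f %s\n", ip, total[ip], miss[ip] + 0, ratio, reason
            }
        }' | sort
}

# Usage on the sample; against a real log:  flag_enum_clients 20 0.8 < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | flag_enum_clients
```

On the sample, 203.0.113.5 is flagged for both the miss ratio and the default User-Agent, 192.0.2.9 only for the miss ratio (its browser-like agent does not help it), and the ordinary visitor 198.51.100.7 is not reported. The ratio test is the one worth keeping: a User-Agent match is trivially removed with `-a`, whereas a scan that probes a wordlist cannot avoid generating the misses.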

Stealth Considerations

bash
# Slow and stealthy scanning
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 1 --delay 2s -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Use proxy for anonymity
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --proxy http://proxy:8080

# Pick a random User-Agent per run from a file (--random-agent uses gobuster's built-in list instead)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -a "$(shuf -n1 user_agents.txt)"

Resources


This cheat sheet provides a comprehensive reference for using Gobuster. Always ensure you have proper authorization before conducting web application security testing.