コンテンツにスキップ

Gobuster Directory/File Brute Forcer Cheat Sheet

Overview

Gobuster is a tool used to brute-force URIs (directories and files) in web sites, DNS subdomains, virtual host names on target web servers, and open Amazon S3 buckets. Written in Go, it's fast, efficient, and supports multiple modes of operation for comprehensive web application reconnaissance.

⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have proper authorization before using against any target.

Installation

Go Installation

# Install via Go
go install github.com/OJ/gobuster/v3@latest

# Verify installation
gobuster version

Package Manager Installation

# Ubuntu/Debian
sudo apt update
sudo apt install gobuster

# Arch Linux
sudo pacman -S gobuster

# macOS with Homebrew
brew install gobuster

# Kali Linux (pre-installed)
gobuster --help

Manual Installation

# Download latest release
wget https://github.com/OJ/gobuster/releases/download/v3.6.0/gobuster_Linux_x86_64.tar.gz
tar -xzf gobuster_Linux_x86_64.tar.gz
sudo mv gobuster /usr/local/bin/

# Make executable
sudo chmod +x /usr/local/bin/gobuster

Docker Installation

# Pull Docker image
docker pull gobuster/gobuster

# Run with Docker
docker run --rm gobuster/gobuster --help

Basic Usage

Command Structure

# Basic syntax
gobuster [mode] [options]

# Get help
gobuster --help
gobuster [mode] --help

# Check version
gobuster version

Available Modes

Mode Description
dir Directory/file enumeration mode
dns DNS subdomain enumeration mode
fuzz Fuzzing mode
s3 Amazon S3 bucket enumeration
gcs Google Cloud Storage enumeration
tftp TFTP enumeration mode
vhost Virtual host enumeration mode

Directory and File Enumeration

Basic Directory Brute Force

# Basic directory enumeration
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# With specific extensions
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt

# Multiple extensions
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt,js,css

# Custom status codes
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -s 200,204,301,302,307,401,403

Advanced Directory Options

# Increase threads for faster scanning
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 50

# Add delay between requests
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -d 100ms

# Follow redirects
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -r

# Include length in output
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -l

# Quiet mode (only show found)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -q

Authentication and Headers

# Basic authentication
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -U username -P password

# Custom headers
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -H "Authorization: Bearer token"

# Multiple headers
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -H "X-Forwarded-For: 127.0.0.1" -H "User-Agent: CustomAgent"

# Cookies
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -c "PHPSESSID=abc123; auth=token"

Proxy and SSL Options

# Use proxy
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -p http://127.0.0.1:8080

# Skip SSL verification
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -k

# Custom timeout
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --timeout 30s

# Custom user agent
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -a "Mozilla/5.0 (Custom Agent)"

DNS Subdomain Enumeration

Basic DNS Enumeration

# Basic subdomain enumeration
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

# Show IP addresses
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -i

# Custom resolver
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -r 8.8.8.8

# Multiple resolvers
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -r 8.8.8.8,1.1.1.1

Advanced DNS Options

# Increase threads
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 50

# Wildcard detection
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --wildcard

# Custom timeout
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --timeout 5s

# Output to file
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -o subdomains.txt

Virtual Host Enumeration

Basic VHost Enumeration

# Basic virtual host enumeration
gobuster vhost -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

# Append domain
gobuster vhost -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

# Custom domain
gobuster vhost -u http://192.168.1.100 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -d target.com

Advanced VHost Options

# Filter by status code
gobuster vhost -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -s 200,302

# Exclude status codes
gobuster vhost -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -b 404,403

# Custom headers
gobuster vhost -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Authorization: Bearer token"

Fuzzing Mode

Basic Fuzzing

# Basic fuzzing with FUZZ keyword
gobuster fuzz -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# Multiple FUZZ positions
gobuster fuzz -u http://target.com/FUZZ/FUZZ2 -w /usr/share/wordlists/dirb/common.txt

# Custom extensions in fuzzing
gobuster fuzz -u http://target.com/FUZZ.php -w /usr/share/wordlists/dirb/common.txt

Advanced Fuzzing

# Exclude specific responses
gobuster fuzz -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt --exclude-length 1234

# Filter by response size
gobuster fuzz -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -s 200 --exclude-length 0

# POST data fuzzing
gobuster fuzz -u http://target.com/login -w /usr/share/wordlists/dirb/common.txt -d "username=admin&password=FUZZ"

Amazon S3 Bucket Enumeration

Basic S3 Enumeration

# Basic S3 bucket enumeration
gobuster s3 -w /usr/share/wordlists/dirb/common.txt

# Custom region
gobuster s3 -w /usr/share/wordlists/dirb/common.txt -r us-west-2

# Maximum keys to list
gobuster s3 -w /usr/share/wordlists/dirb/common.txt -m 1000

Advanced S3 Options

# Increase threads
gobuster s3 -w /usr/share/wordlists/dirb/common.txt -t 50

# Output to file
gobuster s3 -w /usr/share/wordlists/dirb/common.txt -o s3_buckets.txt

# Quiet mode
gobuster s3 -w /usr/share/wordlists/dirb/common.txt -q

Google Cloud Storage Enumeration

Basic GCS Enumeration

# Basic Google Cloud Storage enumeration
gobuster gcs -w /usr/share/wordlists/dirb/common.txt

# Maximum keys to list
gobuster gcs -w /usr/share/wordlists/dirb/common.txt -m 1000

# Increase threads
gobuster gcs -w /usr/share/wordlists/dirb/common.txt -t 50

Common Wordlists

# SecLists (comprehensive collection)
/usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt

# DirBuster wordlists
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirb/small.txt

# Custom wordlists for specific technologies
/usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/wordpress.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/drupal.txt
/usr/share/wordlists/SecLists/Discovery/Web-Content/apache.txt

Creating Custom Wordlists

# Combine multiple wordlists
cat /usr/share/wordlists/dirb/common.txt /usr/share/wordlists/dirb/big.txt|sort -u > custom_wordlist.txt

# Generate wordlist from website
cewl http://target.com -w custom_wordlist.txt

# Technology-specific wordlist
echo -e "admin\nadministrator\nlogin\ndashboard\napi\nv1\nv2\ntest\ndev" > custom_dirs.txt

Output and Reporting

Output Formats

# Save to file
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -o results.txt

# JSON output
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -o results.json --format json

# Append to existing file
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt >> results.txt

Verbose Output

# Verbose mode
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -v

# Show progress
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --progress

# No progress bar
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --no-progress

Advanced Techniques

Multi-Target Scanning

# Scan multiple targets
for target in $(cat targets.txt); do
    echo "Scanning $target"
    gobuster dir -u $target -w /usr/share/wordlists/dirb/common.txt -o "$\\\\{target//\//_\\\\}_results.txt"
done

# Parallel scanning
parallel -j 5 "gobuster dir -u \\\\{\\\\} -w /usr/share/wordlists/dirb/common.txt -o \\\\{//\\\\}_results.txt" :::: targets.txt

Recursive Scanning

# Manual recursive scanning
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt|grep "Status: 200"|awk '\\\\{print $1\\\\}' > found_dirs.txt

# Scan found directories
while read dir; do
    gobuster dir -u "http://target.com$dir" -w /usr/share/wordlists/dirb/common.txt
done < found_dirs.txt

Rate Limiting Evasion

# Slow scanning to avoid rate limits
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 1 -d 1s

# Random delay
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -d 500ms-2s

# Rotate user agents
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

Integration with Other Tools

Burp Suite Integration

# Use Burp as proxy
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -p http://127.0.0.1:8080

# Export Burp findings to wordlist
# From Burp: Target > Site map > Right-click > Copy URLs
# Process URLs to create custom wordlist

Nmap Integration

# Scan web ports first
nmap -p 80,443,8080,8443 target.com --open -oG web_ports.txt

# Extract open ports and scan
grep "80/open\|443/open\|8080/open\|8443/open" web_ports.txt|awk '\\\\{print $2\\\\}'|while read host; do
    gobuster dir -u "http://$host" -w /usr/share/wordlists/dirb/common.txt
done

Nuclei Integration

# Run gobuster first, then nuclei on found directories
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -q|grep "Status: 200" > found_paths.txt

# Run nuclei on found paths
nuclei -l found_paths.txt -t /path/to/nuclei-templates/

Automation Scripts

Comprehensive Web Enumeration Script

#!/bin/bash

TARGET=$1
OUTPUT_DIR="gobuster_results_$(date +%Y%m%d_%H%M%S)"

if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target_url>"
    exit 1
fi

mkdir -p $OUTPUT_DIR

echo "[+] Starting comprehensive web enumeration for $TARGET"

# Directory enumeration with common extensions
echo "[+] Running directory enumeration..."
gobuster dir -u $TARGET -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt,js,css,xml,json -t 50 -o "$OUTPUT_DIR/directories.txt"

# Common file enumeration
echo "[+] Running common file enumeration..."
gobuster dir -u $TARGET -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -x php,html,txt,js,css,xml,json,bak,old,tmp -t 50 -o "$OUTPUT_DIR/files.txt"

# Admin panel enumeration
echo "[+] Running admin panel enumeration..."
gobuster dir -u $TARGET -w /usr/share/wordlists/SecLists/Discovery/Web-Content/CMS/wordpress.txt -t 50 -o "$OUTPUT_DIR/admin.txt"

# API enumeration
echo "[+] Running API enumeration..."
gobuster dir -u $TARGET -w /usr/share/wordlists/SecLists/Discovery/Web-Content/api/api-endpoints.txt -t 50 -o "$OUTPUT_DIR/api.txt"

# Subdomain enumeration (if domain provided)
if [[ $TARGET =~ ^https?://([^/]+) ]]; then
    DOMAIN=$\\\\{BASH_REMATCH[1]\\\\}
    echo "[+] Running subdomain enumeration for $DOMAIN..."
    gobuster dns -d $DOMAIN -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 50 -o "$OUTPUT_DIR/subdomains.txt"
fi

echo "[+] Enumeration complete. Results saved in $OUTPUT_DIR/"

Multi-Extension Scanner

#!/bin/bash

TARGET=$1
WORDLIST="/usr/share/wordlists/dirb/common.txt"

# Common web extensions
EXTENSIONS=("php" "html" "htm" "txt" "js" "css" "xml" "json" "asp" "aspx" "jsp" "do" "action" "cgi" "pl" "py" "rb" "bak" "old" "tmp" "log")

for ext in "$\\\\{EXTENSIONS[@]\\\\}"; do
    echo "[+] Scanning for .$ext files..."
    gobuster dir -u $TARGET -w $WORDLIST -x $ext -t 30 -q|grep "Status: 200"
done

Recursive Directory Scanner

#!/bin/bash

TARGET=$1
WORDLIST="/usr/share/wordlists/dirb/common.txt"
MAX_DEPTH=3
CURRENT_DEPTH=0

scan_directory() \\\\{
    local url=$1
    local depth=$2

    if [ $depth -gt $MAX_DEPTH ]; then
        return
    fi

    echo "[+] Scanning $url (depth: $depth)"

    # Scan current directory
    gobuster dir -u "$url" -w $WORDLIST -t 30 -q|grep "Status: 200"|while read line; do
        found_path=$(echo $line|awk '\\\\{print $1\\\\}')
        full_url="$url$found_path"

        echo "Found: $full_url"

        # If it's a directory, scan recursively
        if [[ $found_path == */ ]]; then
            scan_directory "$full_url" $((depth + 1))
        fi
    done
\\\\}

scan_directory $TARGET 0

Performance Optimization

Threading and Speed

# Optimal thread count (usually 20-50)
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 30

# Adjust timeout for slow servers
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --timeout 10s

# Disable progress bar for better performance
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --no-progress

Memory Management

# For large wordlists, use streaming
gobuster dir -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -t 20

# Monitor memory usage
watch -n 1 'ps aux|grep gobuster'

Troubleshooting

Common Issues

# SSL certificate issues
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -k

# Connection timeout
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --timeout 30s

# Rate limiting
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 1 -d 1s

# DNS resolution issues
gobuster dns -d target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -r 8.8.8.8

Debug Mode

# Enable debug output
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt --debug

# Verbose output
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -v

Best Practices

Reconnaissance Strategy

  1. Start with common directories: Use small, common wordlists first
  2. Technology-specific enumeration: Use CMS-specific wordlists when applicable
  3. Extension enumeration: Always include relevant file extensions
  4. Recursive scanning: Scan found directories for deeper enumeration
  5. Rate limiting awareness: Adjust threads and delays to avoid detection

Stealth Considerations

# Slow and stealthy scanning
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 1 -d 2s -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Use proxy for anonymity
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -p http://proxy:8080

# Random user agent rotation
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -a "$(shuf -n1 user_agents.txt)"

Resources

This cheat sheet provides a comprehensive reference for using Gobuster. Always ensure you have proper authorization before conducting web application security testing.