Gobuster

Gobuster is a tool used to brute-force:

  • URIs (directories and files) in web sites.
  • DNS subdomains (with wildcard support).
  • Virtual Host names on target web servers.

Dir mode

To find directories and files

Syntax:

gobuster dir -u <url> -w <wordlist> -x <extensions>

Example:

gobuster dir -u http://workers.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,php3,html
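
From the defender's side, a run like the one above with -x php,php3,html leaves a recognisable pattern in the web server's access log: each wordlist entry is requested bare and once per extension, and most of those requests return 404. The following is an added example, not part of the original page, that flags that pattern; the log format, sample lines, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Common/combined log format: client, identity, user, [time], "METHOD path proto", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})\b')

def constructed_log():
    """Constructed sample: one client enumerating with -x php,php3,html, one browsing."""
    lines = []
    for word in ("admin", "backup", "login"):
        for suffix in ("", ".php", ".php3", ".html"):
            status = 200 if word + suffix == "login.php" else 404
            lines.append(f'198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] '
                         f'"GET /{word}{suffix} HTTP/1.1" {status} 153')
    for path in ("/", "/index.html", "/css/site.css", "/about.html"):
        lines.append(f'192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] '
                     f'"GET {path} HTTP/1.1" 200 512')
    return "\n".join(lines)

def find_scanners(log_text, min_stems=3, min_variants=3, min_miss_ratio=0.8):
    """Flag clients that request many stems in several extension variants, mostly 404."""
    clients = defaultdict(lambda: {"stems": defaultdict(set), "total": 0, "miss": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not GET/HEAD requests in the expected format
        ip, path, status = m.groups()
        path = path.split("?", 1)[0]
        stem, dot, ext = path.rpartition(".")
        if not dot or "/" in ext:  # no extension, or the dot is in a directory name
            stem, ext = path, ""
        c = clients[ip]
        c["stems"][stem].add(ext)
        c["total"] += 1
        c["miss"] += int(status == "404")
    flagged = {}
    for ip, c in clients.items():
        fanned = sorted(s for s, exts in c["stems"].items() if len(exts) >= min_variants)
        ratio = c["miss"] / c["total"]
        if len(fanned) >= min_stems and ratio >= min_miss_ratio:
            flagged[ip] = {"fanned_stems": fanned, "requests": c["total"],
                           "miss_ratio": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    for ip, info in find_scanners(constructed_log()).items():
        print(ip, info)
```

Because the check keys on request shape rather than the User-Agent header, it still applies when -a is used to change the user agent string.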

vhost mode

Checks whether a subdomain exists by visiting the URL and verifying the IP address.

Syntax:

gobuster vhost -v -w <wordlist> -u <url> -o <output file>

Example:

gobuster vhost -v -w /home/username/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://workers.htb -o vhosts.txt

Examples of results:

Missed: pgadmin.worker.htb (Status: 200) [Size: 703]

Missed: web3.worker.htb (Status: 200) [Size: 703]

Found: abc.worker.htb (Status: 200) [Size: 6495]

Found: def.worker.htb (Status: 200) [Size: 16045]

dns mode

To find subdomains in a specific domain

Syntax:

gobuster dns -d <domain> -w <wordlist> -i

Example:

gobuster dns -d workers.htb -w /home/username/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -i

Common Parameters

  • -fw – force processing of a domain with wildcard results.
  • -np – hide the progress output.
  • -m <mode> – which mode to use, either dir or dns (default: dir).
  • -q – disables banner/underline output.
  • -t <threads> – number of threads to run (default: 10).
  • -u <url/domain> – full URL (including scheme), or base domain name.
  • -v – verbose output (show all results).
  • -w <wordlist> – path to the wordlist used for brute forcing (use - for stdin).

Dir mode Parameters

  • -a <user agent string> – specify a user agent string to send in the request header.
  • -c <http cookies> – use this to specify any cookies that you might need (simulating auth).
  • -e – specify the extended mode that renders the full URL.
  • -f – append / for directory brute forces.
  • -k – Skip verification of SSL certificates.
  • -l – show the length of the response.
  • -n – “no status” mode, disables the output of the result’s status code.
  • -o <file> – specify a file name to write the output to.
  • -p <proxy url> – specify a proxy to use for all requests (scheme must match the URL scheme).
  • -r – follow redirects.
  • -s <status codes> – comma-separated list of status codes to be deemed “positive” (default: 200,204,301,302,307).
  • -x <extensions> – list of extensions to check for, if any.
  • -P <password> – HTTP Authorization password (Basic Auth only, prompted if missing).
  • -U <username> – HTTP Authorization username (Basic Auth only).
  • -to <timeout> – HTTP timeout. Examples: 10s, 100ms, 1m (default: 10s).

DNS mode Parameters

  • -cn – show CNAME records (cannot be used with ‘-i’ option).
  • -i – show all IP addresses for the result.