Here are some common options that can be used with Gobuster:
Example:
gobuster dir -u http://example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 20 -v -o output.txt
This command will brute-force directories on the target URL http://example.com using the wordlist directory-list-2.3-small.txt, with 20 threads, verbose output, and output to a file named output.txt.
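Seen from the web server's side, a dir scan like the one above is a short burst of requests for wordlist-derived paths, most of which return 404. The following is an added example, not part of the original page or of Gobuster itself, that flags this pattern in combined-format access logs; the sample log lines, the thresholds and the `gobuster/` User-Agent check are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def sample_log():
    """Constructed log lines: one wordlist burst and one ordinary visitor."""
    words = ["admin", "backup", "login", "config", "test", "old", "api",
             "uploads", "db", "private"]
    burst = [f'203.0.113.7 - - [10/Mar/2024:10:00:0{i // 4} +0000] '
             f'"GET /{w}.php HTTP/1.1" {200 if w == "login" else 404} 162 '
             f'"-" "gobuster/3.6"' for i, w in enumerate(words)]
    visitor = [f'198.51.100.20 - - [10/Mar/2024:10:00:0{i} +0000] '
               f'"GET {p} HTTP/1.1" {s} 512 "-" "Mozilla/5.0"'
               for i, (p, s) in enumerate([("/", 200), ("/about", 200),
                                           ("/favicon.ico", 404)])]
    return burst + visitor + ["malformed line"]

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # silently skip lines that are not in combined log format
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], int(m["status"]), m["ua"]

def find_enumeration(lines, window=timedelta(seconds=10), min_paths=8,
                     min_404_ratio=0.7):
    """Return {ip: evidence} for clients probing many distinct paths that mostly 404."""
    by_ip = defaultdict(list)
    for ip, ts, path, status, ua in parse(lines):
        by_ip[ip].append((ts, path, status, ua))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            win = events[start:end + 1]
            paths = {p for _, p, _, _ in win}
            misses = sum(s == 404 for _, _, s, _ in win)
            if len(paths) >= min_paths and misses / len(win) >= min_404_ratio:
                # Assumption: an unmodified client announces itself as gobuster/<version>
                alerts[ip] = {"distinct_paths": len(paths), "not_found": misses,
                              "tool_ua": any(u.lower().startswith("gobuster/")
                                             for *_, u in win)}
                break
    return alerts
```

The User-Agent flag is only a hint, since the header can be changed; the path-count and 404-ratio conditions are what trigger the alert.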
Here are some key commands and options you might find useful:
| Feature | Gobuster < v3.0 | Gobuster v3.6+ (updated) |
|---------|----------------|----------------------------|
| Concurrency model | Simple goroutines | Dynamic worker pools |
| TLS handling | Slow, each request fresh | Connection pooling |
| Output formats | Text only | Text, JSON, CSV |
| Wildcard DNS | Basic | AI-based threshold detection |
| Fuzzing mode | Not available | Full support |
Benchmark: On a medium wordlist (50k entries), updated Gobuster completes directory busting 2.3x faster than version 2.x due to HTTP/2 keep-alive and better thread management.
Gobuster can be run from the command line, and its basic syntax is as follows:
gobuster [options] [target]
| Tip | Command/Flag |
|-----|--------------|
| Increase speed | -t 100 or -t 200 |
| Use better wordlists | SecLists, Dirbuster, raft (from Kali) |
| Add common extensions | -x php,asp,aspx,jsp,html,txt,js,bak,old,sql |
| Handle large outputs | Use -o results.txt |
| Avoid false positives | Use --wildcard for wildcard DNS detection |
| Proxy traffic | Set HTTP_PROXY env var or use --proxy (not native, use proxychains) |
| Cookie/auth support | -c "session=abc123" or -H "Authorization: Bearer token" |
| Rate limiting bypass | Add delays with --delay 1s |

| Aspect | Rating (out of 5) |
|--------|------------------|
| Speed | ⭐⭐⭐⭐⭐ (very fast with threading) |
| Ease of use | ⭐⭐⭐⭐ (intuitive flags, good help) |
| Features | ⭐⭐⭐ (missing recursion & advanced fuzzing) |
| Documentation | ⭐⭐⭐⭐ (man page + --help sufficient) |
| Stability | ⭐⭐⭐⭐⭐ (rarely crashes) |
Overall: 4.2/5 – A must-have tool for web penetration testers, especially for initial reconnaissance. For complex fuzzing, pair it with ffuf.
Gobuster is a high-performance, command-line tool written in Go used by penetration testers to discover hidden paths on web servers and subdomains. Its speed and efficiency make it a staple in the reconnaissance phase of ethical hacking.
Core Modes and Usage
Gobuster operates in several distinct modes depending on your target:
Directory/File Enumeration (dir): Used to find hidden directories and files on a web server. Syntax: gobuster dir -u .
Example: gobuster dir -u https://example.com -w /usr/share/wordlists/dirb/common.txt.
DNS Subdomain Discovery (dns): Brute-forces subdomains for a specific domain. Syntax: gobuster dns -d .
Virtual Host Detection (vhost): Identifies virtual hosts on a target server. Syntax: gobuster vhost -u .
Cloud Storage Enumeration (s3, gcs): Specifically searches for open AWS S3 or Google Cloud buckets.
Essential Command Flags
Customising your scan is critical for efficiency and bypassing security measures:
| Flag | Name | Description |
|------|------|-------------|
| -x | File Extensions | Search for specific file types (e.g., -x php,html,txt). |
| -t | Threads | Sets the number of concurrent connections (default is 10). |
| -k | Skip TLS | Bypasses SSL/TLS certificate verification. |
| -o | Output | Saves results to a specific file. |
| -r | Custom Resolvers | Use specific DNS servers to avoid rate limits. |
| -s | Status Codes | Filter results by specific HTTP status codes (e.g., -s "200,204,301,302"). |
Advanced Fuzzing Mode
Example:
gobuster dir -u http://example
The fuzz mode allows for more flexible testing by replacing a FUZZ keyword in URLs, Headers, or request bodies with entries from a wordlist. This is particularly useful for discovering undocumented API endpoints or testing specific parameters.
Practical Tips for Better Results
Choose the Right Wordlist: Your results are only as good as your wordlist. Popular choices include the SecLists GitHub repository or the built-in lists in Kali Linux.
Use Quiet Mode (-q): This removes the banner and extra noise, making the output easier to pipe into other tools.
Handle Authentication: If the target is behind a login, use the --headers flag to include session cookies or authorization tokens.
gobuster dir -u https://example.com -w wordlist.txt -x php,txt -t
🌐 DNS Mode (dns)
Used for subdomain enumeration.
Target domain gobuster dns -d example.com Subdomain wordlist -w subdomains.txt Show IP addresses Use custom DNS resolver -r 8.8.8.8 Show CNAME records --wildcard Force scan even if wildcard DNS is found --wildcard
Example Command:
gobuster dns -d example.com -w /path/to/subdomains.txt -i -t
🖥️ VHost Mode (vhost)
Identifies virtual hosts by changing the
gobuster vhost -u