From aldeid


Gobuster is a tool used to brute-force:

  • URIs (directories and files) in web sites.
  • DNS subdomains (with wildcard support).
  • Virtual Host names on target web servers.


$ sudo apt install gobuster



gobuster [options]


-P string
Password for Basic Auth (dir mode only)
-U string
Username for Basic Auth (dir mode only)
-a string
Set the User-Agent string (dir mode only)
-c string
Cookies to use for the requests (dir mode only)
-cn
Show CNAME records (dns mode only, cannot be used with '-i' option)
-e
Expanded mode, print full URLs
-f
Append a forward-slash to each directory request (dir mode only)
-fw
Force continued operation when wildcard found
-i
Show IP addresses (dns mode only)
-k
Skip SSL certificate verification
-l
Include the length of the body in the output (dir mode only)
-m string
Directory/File mode (dir) or DNS mode (dns) (default "dir")
-n
Don't print status codes
-np
Don't display progress
-o string
Output file to write results to (defaults to stdout)
-p string
Proxy to use for requests [http(s)://host:port] (dir mode only)
-q
Don't print the banner and other noise
-r
Follow redirects
-s string
Positive status codes (dir mode only) (default "200,204,301,302,307,403")
-t int
Number of concurrent threads (default 10)
-to duration
HTTP Timeout in seconds (dir mode only) (default 10s)
-u string
The target URL or Domain
-v
Verbose output (errors)
-w string
Path to the wordlist
-x string
File extension(s) to search for (dir mode only)


$ gobuster -w /data/src/wordlists/apache.txt -u

Gobuster v2.0.1              OJ Reeves (@TheColonial)
[+] Mode         : dir
[+] Url/Domain   :
[+] Threads      : 10
[+] Wordlist     : /data/src/wordlists/apache.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
2020/04/29 07:45:07 Starting gobuster
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
2020/04/29 07:45:07 Finished

