LinuxCommandLibrary

gobuster

TLDR

Directory brute-force

$ gobuster dir -u [https://example.com] -w [wordlist.txt]
copy
DNS subdomain enumeration
$ gobuster dns -d [example.com] -w [subdomains.txt]
copy
Vhost discovery
$ gobuster vhost -u [https://example.com] -w [wordlist.txt]
copy
With file extensions
$ gobuster dir -u [https://example.com] -w [wordlist.txt] -x [php,html,txt]
copy
With custom threads
$ gobuster dir -u [https://example.com] -w [wordlist.txt] -t [50]
copy
Follow redirects
$ gobuster dir -u [https://example.com] -w [wordlist.txt] -r
copy

SYNOPSIS

gobuster mode [options]

DESCRIPTION

gobuster is a fast directory and DNS brute-forcing tool written in Go. It discovers hidden directories, files, and subdomains through wordlist-based enumeration.
The tool is designed for web application security testing, helping identify hidden content that may reveal vulnerabilities or sensitive information.

PARAMETERS

dir

Directory/file brute-forcing mode.
dns
DNS subdomain enumeration mode.
vhost
Virtual host discovery mode.
-u url
Target URL.
-w file
Wordlist file.
-t n
Number of threads.
-x extensions
File extensions to search.
-r
Follow redirects.
-k
Skip TLS certificate verification.
-o file
Output file.
-s codes
Status codes to consider valid.
-b codes
Status codes to blacklist.

CAVEATS

Only for authorized security testing. May trigger WAF rules. Large wordlists slow on remote hosts. Respect rate limits.

HISTORY

gobuster was created by OJ Reeves as a fast alternative to tools like DirBuster. Written in Go for concurrency and performance, it became a standard tool in penetration testing and bug bounty hunting.

SEE ALSO

dirb(1), ffuf(1), wfuzz(1), feroxbuster(1)

Copied to clipboard