A tool for brute forcing webpages (aka directory busting), DNS names, and virtual hosts - written in Go.
The repository can be found at https://github.com/OJ/gobuster
gobuster does not come preinstalled on Kali Linux, but it does have a package. Install with:
$ sudo apt-get install gobuster
If your package manager doesn’t have gobuster, or you want to install from source on Kali instead of using apt, you can follow the installation instructions in the repo.
Basic Syntax
$ gobuster dir -u [URL] -w /path/to/wordlist
Which Wordlist to Use?
I like to use the SecLists Discovery lists. The most common one I use is located at /path/to/seclists/Discovery/Web-Content/raft-small-words.txt. SecLists comes preinstalled on Kali Linux, and is found at /usr/share/seclists.
You may also wish to use a larger list, such as raft-large-words.txt, or a list for a specific platform, such as tomcat.txt against a known Tomcat server.
If you do not wish to install SecLists some distributions come with alternative wordlists, for example /usr/share/wordlists/dirb/common.txt. However, many of the dirb wordlists miss important items, such as checking for a .git file.
Add Extensions
If you know your target site is using a specific file extension, such as php or jsp, you can specify this with the -x flag
$ gobuster dir -u example.com -w /path/to/wordlist -x php,asp
You can also use Gobuster to brute force Virtual Hosts (aka subdomains). Use vhost mode to do this.
Basic Syntax
gobuster vhost -u example.com -w /path/to/wordlist
This will append subdomains to the beginning of the hostname, e.g. staging.example.com. A good wordlist can be found at /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt.
Practical example: IppSec does this on Academy
#cheat-sheet #enum