A Guide to Gobuster Tool

Gobuster is a tool used to brute-force URIs (directories and files) on web sites and DNS subdomains (with wildcard support).

Let’s check the tool help page:

In this example we’re going to use https://www.mediawiki.org as our target just to test the application:

gobuster dir --url https://www.mediawiki.org -w /usr/share/wordlists/dirb/common.txt

We used the "dir" mode to do directory brute forcing, the "--url" flag to specify the target site, and the "-w" flag to select a wordlist.

If we want the results printed as full URLs, we can use the "-e" (expanded) flag; the results are then easier to click on and open in your browser.

gobuster dir -e --url https://www.mediawiki.org -w /usr/share/wordlists/dirb/common.txt

In DNS mode we are looking to find subdomains of a specific domain. This is very important in penetration testing, as it might reveal areas that are not as well protected as others.

gobuster dns -d facebook.com -w /usr/share/wordlists/dirb/common.txt

VHOST mode should not be mistaken for DNS mode. In DNS mode the tool attempts to resolve each candidate subdomain through DNS, and the result is based on whether the name resolves. In vhost mode the tool checks whether the subdomain exists by requesting the formed URL from the target (the candidate name is sent in the Host header) and inspecting the response it gets back.

gobuster vhost -u http://imdb.com -w /usr/share/wordlists/dirb/common.txt
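As an added example (not part of the original post, and not Gobuster's own code), here is a small Python detector showing what the dir and vhost modes described above look like from the defender's side in a web server's access log: dir mode leaves a burst of 404 responses for many distinct paths from one client, while vhost mode leaves a burst of requests carrying many distinct Host header values from one client. The log lines, IP addresses and hostnames below are constructed for the example; the assumed log format is the combined format with the virtual host name as the first field (what Apache's `%v` or Nginx's `$host` variable produces), and the window and threshold values are arbitrary tuning choices.

```python
"""Flag Gobuster-style dir and vhost brute forcing in web access logs.

Assumed log format (per line): vhost client_ip - - [time] "METHOD path PROTO" status bytes
Everything in SAMPLE_LOG is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
www.example.test 198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043
www.example.test 203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 153
www.example.test 203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /backup HTTP/1.1" 404 153
www.example.test 203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /cgi-bin HTTP/1.1" 404 153
www.example.test 203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /config HTTP/1.1" 404 153
www.example.test 203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /images HTTP/1.1" 301 0
www.example.test 203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /login HTTP/1.1" 404 153
dev.example.test 192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512
test.example.test 192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512
staging.example.test 192.0.2.44 - - [10/Oct/2023:13:56:02 +0000] "GET / HTTP/1.1" 200 512
mail.example.test 192.0.2.44 - - [10/Oct/2023:13:56:02 +0000] "GET / HTTP/1.1" 200 512
api.example.test 192.0.2.44 - - [10/Oct/2023:13:56:02 +0000] "GET / HTTP/1.1" 200 512
www.example.test 198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET /missing HTTP/1.1" 404 153
"""

# One regex for the assumed format; lines that do not match are skipped.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_log(text):
    """Turn raw log text into a list of dicts with a parsed time and int status."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line: skip rather than crash the detector
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def _burst(events, window, threshold):
    """True if any sliding window of `window` seconds holds >= threshold distinct keys.

    events is a list of (time, key) tuples; it is sorted here so callers need not.
    """
    events = sorted(events)
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1  # slide the window forward until it fits
        if len({key for _, key in events[start:end + 1]}) >= threshold:
            return True
    return False


def detect_bruteforce(records, window=timedelta(seconds=10), threshold=5):
    """Return {client_ip: {"dir-bruteforce" | "vhost-bruteforce", ...}} for noisy clients."""
    not_found = defaultdict(list)  # ip -> [(time, path)] for 404 responses
    hosts = defaultdict(list)      # ip -> [(time, vhost)] for every request
    for r in records:
        if r["status"] == 404:
            not_found[r["ip"]].append((r["time"], r["path"]))
        hosts[r["ip"]].append((r["time"], r["vhost"]))

    alerts = defaultdict(set)
    for ip, ev in not_found.items():     # dir mode: many distinct paths all missing
        if _burst(ev, window, threshold):
            alerts[ip].add("dir-bruteforce")
    for ip, ev in hosts.items():         # vhost mode: many distinct Host values
        if _burst(ev, window, threshold):
            alerts[ip].add("vhost-bruteforce")
    return dict(alerts)


if __name__ == "__main__":
    for ip, kinds in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(ip, ", ".join(sorted(kinds)))
```

Run against the sample, the detector reports 203.0.113.9 as a dir brute force (five distinct missing paths inside two seconds) and 192.0.2.44 as a vhost brute force (five distinct Host values inside two seconds), while 198.51.100.7, which produced a single 404 over a minute, stays quiet. The 404-only rule for dir mode is deliberate: the 301 for /images is a legitimate hit and should not count towards the alert, and the threshold should be raised on sites whose normal traffic generates many distinct 404s (broken links, favicon probes, crawlers).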
