Gobuster is a tool used to brute-force URIs (directories and files) in web sites and DNS subdomains (with wildcard support).
Let’s check the tool help page:
In this example we’re going to use https://www.mediawiki.org as our target just to test the application:
gobuster dir –url https://www.mediawiki.org -w /usr/share/wordlists/dirb/common.txt
We used the flag “dir” to do the directory brute forcing, and the flag “—url” to specify the target site, then we used the flag “-w” to select a custom wordlist.
If we want to get a more complete URL results we can use the flag “-e” then the results will be easier to click on it and open it in your browser.
gobuster dir -e –url https://www.mediawiki.org -w /usr/share/wordlists/dirb/common.txt
DNS mode we are looking to find subdomains of a specific domain. This is very important in penetration testing as it might reveal areas not as well protected as others.
gobuster dns -d facebook.com -w /usr/share/wordlists/dirb/common.txt
VHOST mode should not be mistaken to be the same as the DNS mode. In the DNS mode the tool attempts to DNS resolve the subdomains and based on that we are given the result. In vhosts mode the tool is checking if the subdomain exists by visiting the formed url and verifying the IP address.
gobuster vhost -u http://imdb.com -w /usr/share/wordlists/dirb/common.txt