Gobuster
By leveraging custom wordlists and flexible operational modes, Gobuster allows for targeted and efficient website scanning and subdomain enumeration. It's an indispensable hacking tool for identifying overlooked administration panels, sensitive files, and forgotten development environments, significantly enhancing the intelligence-gathering phase of any security audit or bug bounty hunt.
Let's start off by learning about directory enumeration using Gobuster, which can help us discover hidden directories and files within a web server. These files can be vital to us, and may contain backup files, configuration files, temporary files, and even something as sensitive as a password list in a text file. Let's see an example command below and break down its structure:
gobuster dir -u https://examplesite.com -w /usr/share/dirb/wordlists/common.txt
We can use the "dir" argument to let Gobuster know we want to scan for directories, the "-u" option to mark that we want to scan the URL that follows in the command, and the "-w" option to mark that we want to use a wordlist, followed by the path to the wordlist we want to use.
Wordlists can be downloaded off the web, but most versions of Kali Linux come with some common wordlists, usually located at /usr/share/wordlists. Gobuster's GUI older brother, Dirbuster, comes installed with its own wordlists, which you can use with Gobuster as well. I also highly suggest you check out SecLists on GitHub. It's listed on my "Resources:" link list for a reason.
Results of a directory scan using Gobuster will look like the following:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://examplesite.com/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 6690]
/help.php (Status: 200) [Size: 6689]
/themes (Status: 301) [Size: 0] [--> https://examplesite.com/themes/]
/stats.php (Status: 200) [Size: 6690]
/css (Status: 301) [Size: 0] [--> https://examplesite.com/css/]
/edit.php (Status: 200) [Size: 6689]
/includes (Status: 301) [Size: 0] [--> https://examplesite.com/includes/]
/license.php (Status: 200) [Size: 6692]
/system.php (Status: 200) [Size: 6691]
/status.php (Status: 200) [Size: 6691]
/javascript (Status: 301) [Size: 0] [--> https://examplesite.com/javascript/]
/changelog.txt (Status: 200) [Size: 271]
/classes (Status: 301) [Size: 0] [--> https://examplesite.com/classes/]
/exec.php (Status: 200) [Size: 6689]
/widgets (Status: 301) [Size: 0] [--> https://examplesite.com/widgets/]
/graph.php (Status: 200) [Size: 6690]
/tree (Status: 301) [Size: 0] [--> https://examplesite.com/tree/]
/wizard.php (Status: 200) [Size: 6691]
/shortcuts (Status: 301) [Size: 0] [--> https://examplesite.com/shortcuts/]
/pkg.php (Status: 200) [Size: 6688]
/installer (Status: 301) [Size: 0] [--> https://examplesite.com/installer/]
/wizards (Status: 301) [Size: 0] [--> https://examplesite.com/wizards/]
/xmlrpc.php (Status: 200) [Size: 384]
/reboot.php (Status: 200) [Size: 6691]
/interfaces.php (Status: 200) [Size: 6695]
/csrf (Status: 301) [Size: 0] [--> https://examplesite.com/csrf/]
/system-users.txt (Status: 200) [Size: 106]
/filebrowser (Status: 301) [Size: 0] [--> https://examplesite.com/filebrowser/]
We receive a list of directories and files on the web server. Each result is tagged with the HTTP status code the server returned for that path. A 200 means the resource exists and was served; a 301 means the request was redirected, and Gobuster prints the redirect target after the arrow (here the same path with a trailing slash, which is how a directory is normally reached). Responses with a 404 status are hidden by default, as the "Negative Status codes: 404" line in the header shows. Other common status code classes include 4xx (Client Error), 5xx (Server Error), and 1xx (Informational). The Size column is worth reading too: a run of 200 responses with near-identical sizes usually means the server is answering every path with the same page (a login form or a catch-all error page), so those hits deserve a closer look before being trusted.
Using this information, we can download discovered files by using wget:
wget http://examplesite.com/path/to/discovered_file.ext
We can also point Gobuster at discovered directories to do some deeper digging, for example https://examplesite.com/filebrowser/.
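The output above can be post-processed with a few shell functions. This is an added example, not code from the post or from the Gobuster project: it parses dir-mode result lines into per-status groups, pulls out the redirect targets Gobuster prints after "-->", and lists the 200 responses whose size differs from the dominant one (the "same page for every path" check). The sample file is constructed to mirror the lines above; the /backup 403 line is an added, constructed entry, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Gobuster project.
# Parses Gobuster "dir" mode result lines into per-status groups, extracts
# redirect targets, and flags 200 hits whose size differs from the crowd.
# SAMPLE is a constructed file mirroring the post's output; the /backup 403
# line is constructed and does not appear in the post.

SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
/index.php (Status: 200) [Size: 6690]
/help.php (Status: 200) [Size: 6689]
/themes (Status: 301) [Size: 0] [--> https://examplesite.com/themes/]
/stats.php (Status: 200) [Size: 6690]
/edit.php (Status: 200) [Size: 6689]
/changelog.txt (Status: 200) [Size: 271]
/xmlrpc.php (Status: 200) [Size: 384]
/csrf (Status: 301) [Size: 0] [--> https://examplesite.com/csrf/]
/system-users.txt (Status: 200) [Size: 106]
/filebrowser (Status: 301) [Size: 0] [--> https://examplesite.com/filebrowser/]
/backup (Status: 403) [Size: 278]
EOF

# Result line layout: $1 path, $2 "(Status:", $3 "200)", $4 "[Size:", $5 "6690]",
# then an optional "[--> target]" for redirects.

# Print the paths that returned the given status code.
paths_with_status() {  # $1 = gobuster output file, $2 = status code
    awk -v want="$2" '$2 == "(Status:" {
        s = $3; sub(/\)$/, "", s)
        if (s == want) print $1
    }' "$1"
}

# Count hits per status code: "<status> <count>" per line, sorted by status.
count_by_status() {  # $1 = gobuster output file
    awk '$2 == "(Status:" {
        s = $3; sub(/\)$/, "", s); n[s]++
    } END { for (k in n) print k, n[k] }' "$1" | sort -n
}

# Extract the redirect targets Gobuster prints after "-->".
redirect_targets() {  # $1 = gobuster output file
    sed -n 's/.*\[--> \(.*\)\]$/\1/p' "$1"
}

# List 200 responses whose size falls outside the dominant size bucket.
# Sizes are bucketed coarsely (default 100 bytes) so that 6689 and 6690 land
# together; the bucket with the most members is treated as "the usual page"
# and everything else is reported as "<path> <size>", smallest first.
unusual_200s() {  # $1 = gobuster output file, $2 = bucket width in bytes
    width="${2:-100}"
    awk -v w="$width" '$2 == "(Status:" && $3 == "200)" {
        sz = $5; sub(/\]$/, "", sz)
        path[NR] = $1; size[NR] = sz
    } END {
        for (i in size) cnt[int(size[i] / w)]++
        best = ""; bestn = -1
        for (b in cnt) if (cnt[b] > bestn) { bestn = cnt[b]; best = b }
        for (i in size) if (int(size[i] / w) != best) print path[i], size[i]
    }' "$1" | sort -k2 -n
}
```

Run against the constructed sample, unusual_200s singles out /system-users.txt, /changelog.txt and /xmlrpc.php, which are exactly the three hits in the real output whose content is not the shared 6.6 KB page; the same functions work on a saved Gobuster run (gobuster ... -o results.txt) as long as the default output format is kept.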
Next we will learn about scanning for subdomains. Scanning for subdomains expands the attack surface by uncovering hidden or less-secured subdomains, which can host vulnerable applications or services that are often missed during initial recon. By brute-forcing common prefixes, we can find subdomains that do not appear in public sources, which gives us a more complete picture of the target. We can scan for subdomains by simply swapping the "dns" argument into our command:
gobuster dns -d examplesite.com -w /usr/share/dirb/wordlists/common.txt
We have added the "-d" option to our command to mark the target domain. Notice we removed the "https://" from our domain. We do not need to specify the protocol when executing a subdomain scan. Following the target domain we will use the "-w" option followed by the path to our wordlist. There are many common subdomain wordlists that can be found on the web which will help with acquiring better results. Below is an example of subdomain scan results:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: examplesite.com
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
===============================================================
2025/07/17 16:20:35 Starting gobuster in DNS enumeration mode
===============================================================
Found: www.examplesite.com
Found: nagios.examplesite.com
Found: admin.examplesite.com
Found: about.examplesite.com
Found: dev.examplesite.com
Found: auto.examplesite.com
Found: login.examplesite.com
Similar to scanning for subdomains, Gobuster has the ability to scan for virtual hosts. Virtual host (vhost) scanning is a technique used to detect additional websites that reside on the same physical server, but are accessible through different virtual host configurations or domain names. To find vhosts, Gobuster sends HTTP requests to the target IP, changing the 'Host' header in each with names from a wordlist. If a virtual host exists, the web server replies with its content. By performing vhost scanning, you can find unlisted websites or applications that reside on the same server as a familiar site, even if they're not publicly discoverable through DNS.
We can scan for vhosts by using the following command. On Gobuster 3.2 and later, add --append-domain so that each wordlist entry is sent as word.examplesite.com in the Host header instead of as the bare word; the results below are in that form:
gobuster vhost -u examplesite.com -w /usr/share/dirb/wordlists/common.txt
Results of the scan will appear similar to the following:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: examplesite.com
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
2025/07/17 8:11:38 Starting gobuster in VHOST enumeration mode
===============================================================
Found: auto.examplesite.com (Status: 200) [Size: 162]
Found: mail.examplesite.com (Status: 200) [Size: 162]
Found: beta.examplesite.com (Status: 200) [Size: 162]
Found: api.examplesite.com (Status: 200) [Size: 162]
Found: apache.examplesite.com (Status: 200) [Size: 162]
Gobuster has many more options that can be added to our basic scans. For example, we can use the "--delay" flag to set a pause between requests, which is beneficial for stability, performance, and stealth (note that "-d" is already taken by the target domain in dns mode). Or the "-x" flag, which appends a list of file extensions to every wordlist entry so that files such as word.php or word.txt are requested as well. For instance, if you want to specifically search for images, you might use the following command:
gobuster dir -u https://examplesite.com -w /usr/share/dirb/wordlists/common.txt -x jpg,jpeg,png,gif,ico
Be sure to check out additional flags by using "--help".
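Seen from the web server's side, a Gobuster run leaves two obvious traces: the default User-Agent (gobuster/3.6 in the headers above) and the flood of 404 responses that Gobuster hides from the operator but the server still logs. The following is an added example, not code from the post or from the Gobuster project, that pulls both signals out of a combined-format access log. The log lines are constructed, the IPs are from the RFC 5737 documentation ranges, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Gobuster project.
# Flags directory brute-forcing in a combined-format access log using two
# signals: a "gobuster/<version>" User-Agent and an excess of 404 responses
# from one client. LOG is a constructed sample (RFC 5737 documentation IPs).

LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.7 - - [17/Jul/2025:16:20:01 +0000] "GET /index.php HTTP/1.1" 200 6690 "-" "gobuster/3.6"
203.0.113.7 - - [17/Jul/2025:16:20:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [17/Jul/2025:16:20:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [17/Jul/2025:16:20:02 +0000] "GET /cgi-bin HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [17/Jul/2025:16:20:02 +0000] "GET /config HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [17/Jul/2025:16:20:02 +0000] "GET /login HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [17/Jul/2025:16:20:03 +0000] "GET /old HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.7 - - [17/Jul/2025:16:20:03 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.22 - - [17/Jul/2025:16:21:10 +0000] "GET / HTTP/1.1" 200 6690 "-" "Mozilla/5.0"
198.51.100.22 - - [17/Jul/2025:16:21:11 +0000] "GET /css/site.css HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Jul/2025:16:25:40 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Jul/2025:16:25:41 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Jul/2025:16:25:42 +0000] "GET /config HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Jul/2025:16:25:43 +0000] "GET /login HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Jul/2025:16:25:44 +0000] "GET /old HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Jul/2025:16:25:45 +0000] "GET /test HTTP/1.1" 404 196 "-" "Mozilla/5.0"
EOF

# Splitting on double quotes gives: $1 = "ip - - [time] ", $2 = request line,
# $3 = " status bytes ", $4 = referer, $6 = user agent.

# Count 404 responses per client IP: "<ip> <count>" per line, highest first.
not_found_by_ip() {  # $1 = access log
    awk -F'"' '{
        split($1, head, " "); ip = head[1]
        split($3, tail, " "); status = tail[1]
        if (status == "404") n[ip]++
    } END { for (ip in n) print ip, n[ip] }' "$1" | sort -k2 -nr
}

# Client IPs that announced a Gobuster User-Agent (case-insensitive).
gobuster_user_agents() {  # $1 = access log
    awk -F'"' 'tolower($6) ~ /^gobuster\// { split($1, h, " "); print h[1] }' "$1" | sort -u
}

# IPs to investigate: Gobuster User-Agent OR more than THRESHOLD 404s.
flag_scanners() {  # $1 = access log, $2 = 404 threshold (default 20)
    thr="${2:-20}"
    {
        gobuster_user_agents "$1"
        not_found_by_ip "$1" | awk -v thr="$thr" '$2 > thr { print $1 }'
    } | sort -u
}
```

With a threshold of 5 the constructed log yields two addresses: 203.0.113.7 trips both checks, while 192.0.2.9 is caught by the 404 count alone. Neither signal is sufficient on its own: the User-Agent string is client-controlled, and a scan slowed with --delay spreads its 404s over a longer period, so in practice the count should be taken over a time window that matches your normal traffic rather than over a whole log.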