Gobuster -- Faster Directory Scanner

Before attacking a web application or a website, it is very important to scan for hidden directories and files. They may contain valuable information or a vulnerability. There are many tools available to do this, but not all tools are the same. We have posted tutorials on traditional directory brute-force scanners like Dirbuster, DIRB and DirSearch. They work fine, but they are slow.

Gobuster is written in the Go language. This tool is used to brute-force directories and files and DNS sub-domains. It can also search for virtual host names on target web servers. The main advantage of Gobuster is its lightning speed. The Go language is known for fast performance. The only disadvantage of Gobuster is the lack of recursive directory searching. That means for a directory more than one level deep, we need to scan it again.


Installing Gobuster is super easy. We just fire up our Kali Linux terminal window and type the following:

apt-get install gobuster

Then we can check the options of this tool by using the following command:

gobuster -h

To brute force some target we need at least two parameters: -u for the target URL or IP address and -w to specify the path of the wordlist.

We can find directory wordlists online, or we can use the wordlists from dirb and dirbuster, which are located in /usr/share/wordlists on our Kali Linux machine.


Here for better results we are going to use SecLists (a whole GitHub repository of useful wordlists). We can download a suitable wordlist by using the following command:

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/common.txt

Or we can install the full SecLists repository with Kali Linux's package manager by using the following command:

apt-get install seclists

But we are not going to install the full SecLists. We just need a directory wordlist for directory brute force.

We have downloaded the wordlist named common.txt, and it is located in the root folder.

Now everything is ready and we are set to run Gobuster. Let it run against our example target with default parameters.

gobuster dir -u https://buffered.io -w /root/common.txt


This is just an example. There are many more advanced modes; check their uses in this link.
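
On the server side, a wordlist run like the one above appears in the access log as one client requesting many distinct paths in a short time, almost all of them answered with 404. The following is an added example, not part of the original tutorial or of Gobuster itself: a small log check for that pattern. The function names, thresholds, IP addresses, paths and User-Agent strings are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

def find_dir_bruteforce(lines, min_paths=20, min_404_ratio=0.8, window_seconds=60):
    """Flag clients that request many distinct paths, mostly 404, inside one time window."""
    buckets = defaultdict(lambda: {"paths": set(), "total": 0, "not_found": 0, "agents": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        b = buckets[(m["ip"], int(ts.timestamp()) // window_seconds)]
        b["total"] += 1
        b["paths"].add(m["path"])
        b["not_found"] += int(m["status"] == "404")
        if m["ua"]:
            b["agents"].add(m["ua"])  # context only: the client controls this header
    flagged = {}
    for (ip, _window), b in buckets.items():
        ratio = b["not_found"] / b["total"]
        if len(b["paths"]) >= min_paths and ratio >= min_404_ratio:
            # If an IP trips several windows, the last one seen is reported.
            flagged[ip] = {"distinct_paths": len(b["paths"]),
                           "ratio_404": round(ratio, 2), "agents": sorted(b["agents"])}
    return flagged

def sample_log():
    """Constructed sample: one client walking a wordlist, one ordinary visitor."""
    fmt = '{ip} - - [12/Mar/2024:10:00:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 153 "-" "{ua}"'
    lines = [fmt.format(ip="203.0.113.50", s=i, p=f"/dir{i:02d}",
                        st=200 if i in (0, 7) else 404, ua="gobuster/3.6") for i in range(30)]
    visitor = [("/", 200), ("/css/site.css", 200), ("/about", 200), ("/favicon.ico", 404)]
    lines += [fmt.format(ip="198.51.100.7", s=10 + i, p=p, st=st, ua="Mozilla/5.0")
              for i, (p, st) in enumerate(visitor)]
    return lines

if __name__ == "__main__":
    for ip, stats in find_dir_bruteforce(sample_log()).items():
        print(ip, stats)
```

The thresholds need tuning per site: a page with many broken links can push an ordinary visitor's 404 ratio up, which is why the distinct-path count is checked together with the ratio.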