Before attacking a web application or a website, it is very important to scan for hidden directories and files. They may hold valuable information or expose a vulnerability. There are many tools available to do this, but not all tools are the same. We have posted tutorials on traditional directory brute-force scanners like Dirbuster, DIRB and DirSearch. They work fine, but they are slow.
Gobuster is written in the Go language. This tool is used to brute-force directories, files and DNS sub-domains. It can also search for virtual host names on target web servers. The main advantage of Gobuster is its lightning speed. The Go language is known for fast performance. The only disadvantage of Gobuster is the lack of recursive directory searching. That means that for a directory more than one level deep, we need to scan it again.
Installing Gobuster is super easy. We just fire up our Kali Linux terminal window and type the following:
The screenshot is as follows:
Then we can check the options of this tool by using the following command:
To brute-force a target we need at least two parameters: -u for the target URL or IP address and -w to specify the path of the wordlist.
We can find directory wordlists online, or we can use the wordlists from DIRB and Dirbuster, which are located in /usr/share/wordlists on our Kali Linux machine.
Here, for better results, we are going to use SecLists (a whole GitHub repository of useful wordlists). We can download a suitable wordlist by using the following command:
Or we can install the full SecLists repository with Kali Linux's package manager by using the following command:
But we are not going to install the full SecLists. We just need a directory wordlist for directory brute-forcing.
The screenshot is as follows:
As we can see in the above screenshot, we have downloaded a wordlist named common.txt, and it is located in the root folder.
Now everything is ready and we are set to run Gobuster. Let it run against our example target with default parameters.
This is just an example. There are many more advanced modes; check the usage at this link.
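Seen from the server side, a wordlist scan like the one described above is a burst of requests for many distinct paths, most of them answered with 404. The following is an added example, not part of the original tutorial or of Gobuster, that flags this pattern in a web access log; the log lines, IP addresses, thresholds and the `gobuster/3.6` User-Agent value are constructed for illustration, and the `gobuster/` prefix check assumes the tool's default User-Agent has not been changed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def sample_log():
    """Constructed combined-format access log: one wordlist scan, one normal visitor."""
    words = ["admin", "backup", "cgi-bin", "config", "css", "images", "js", "login", "old", "test"]
    scan = [f'203.0.113.7 - - [10/Mar/2024:12:00:{i // 5:02d} +0000] "GET /{w} HTTP/1.1" '
            f'{301 if w in ("css", "images") else 404} 0 "-" "gobuster/3.6"'
            for i, w in enumerate(words)]
    pages = [("/", 200), ("/css/site.css", 200), ("/images/logo.png", 200), ("/favicon.ico", 404)]
    visit = [f'198.51.100.20 - - [10/Mar/2024:12:00:{10 * i:02d} +0000] "GET {p} HTTP/1.1" '
             f'{s} 512 "-" "Mozilla/5.0"' for i, (p, s) in enumerate(pages)]
    return scan + visit

def detect_enumeration(lines, window=timedelta(seconds=10), min_paths=8, min_404_ratio=0.7):
    """Flag clients that request many distinct paths, mostly answered 404, inside one window."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that do not parse are skipped
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            by_ip[m["ip"]].append((ts, m["path"], int(m["status"]), m["ua"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            paths = {e[1] for e in chunk}
            ratio = sum(e[2] == 404 for e in chunk) / len(chunk)
            best = flagged.get(ip, {"paths": 0})["paths"]
            if len(paths) >= min_paths and ratio >= min_404_ratio and len(paths) > best:
                flagged[ip] = {"paths": len(paths), "ratio_404": round(ratio, 2),
                               # Hint only: assumed default User-Agent prefix, trivially changed.
                               "gobuster_ua": any(e[3].startswith("gobuster/") for e in chunk)}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_enumeration(sample_log()).items():
        print(ip, info)
```

The thresholds need tuning per site: a crawler hitting stale links can also produce many 404s, so the distinct-path count and the time window matter more than the User-Agent hint.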