One of the first steps in attacking a web application is enumerating hidden directories and files. Doing so can often yield valuable information that makes it easier to execute a precise attack, leaving less room for errors and wasted time. There are many tools available to do this, but not all of them are created equal. Gobuster, a directory scanner written in Go, is definitely worth exploring.
Traditional directory brute-force scanners like DirBuster and DIRB work just fine, but can often be slow and prone to errors. Gobuster is a Go implementation of these tools and is offered in a convenient command-line format.
The main advantage Gobuster has over other directory scanners is speed. As a programming language, Go is known to be fast. It also has excellent support for concurrency so that Gobuster can take advantage of multiple threads for faster processing.
The one downside of Gobuster, though, is the lack of recursive directory searching. For directories more than one level deep, another scan will be needed. Often this isn’t that big of a deal, and other scanners can step up and fill in the gaps for Gobuster in this area.
Gobuster offers a simple command-line interface that just works. It has some useful options, but not so many that it’s easy to get bogged down in the details. All in all, it’s a great tool that is effective and fast. In this tutorial, we’ll be exploring it with DVWA (Damn Vulnerable Web App) as the target and Kali Linux as the attacking machine. You can follow along with those or use a similar testing configuration.
DVWA Installation in Kali Linux
Step 1 >> <Install Gobuster>
First of all, we need to create a working directory for gobuster.
mkdir gobuster
cd gobuster/
Next, we want to install gobuster, because it does not come pre-installed in Kali.
apt-get install gobuster
Then type gobuster in your Kali terminal.
After doing so, you can see the following output.
Okay, all set.
Now we move on to step two.
Step 2 >> <Getting extra wordlist files>
Now we can see wordlists on Kali are located in the
The wordlists above are the ones I got earlier. You can get them using the following links.
After downloading wordlists move it to
Now we are going to step 3.
Step 3 >> <Scanning web directories & files>
Now that everything is set up and installed, we’re ready to use Gobuster. Let’s run it against our target with the default parameters.
gobuster dir -u http://10.0.100.7/dvwa -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
Before the scanning process starts, the banner shows some information about the scan: the URL of the website we are attacking, the location of the wordlist we are using, and the status codes of the directories and files that will be reported.
We can have it return the length of the body with the -l flag, which can be useful for enumeration.
gobuster dir -u http://10.0.100.7/dvwa -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -l
Usually, if something is zero bytes, it isn’t even worth looking into. Skipping those entries can save loads of time, especially when dealing with a large website or a large number of directories. If we only want specific status codes to be displayed, we can do that using the -s flag followed by the code we want.
gobuster dir -u http://10.0.100.7/dvwa -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -s 200
Let’s say we just wanted a quick way to view the directories, without the extra noise of the banner and status codes. Use the -q flag to hide the banner, and the -n flag to hide the status codes.
Another useful feature is the ability to save the results to a file. Use the -o flag to specify the output file.
gobuster dir -u http://10.0.100.7/dvwa -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -s 200 -o out_put.txt
The -x switch specifies the file extensions to search for. Multiple extensions may be listed, separated by commas.
gobuster dir -u http://10.0.100.7/dvwa -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -x .php,.html,.txt
The -e switch shows the full URL path in the results.
gobuster dir -u http://10.0.100.7/dvwa -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -x .php,.html,.txt -e -s 200
The user agent option makes it possible to change the appearance of the requests in order to bypass filters. Set it via the -a flag:
gobuster dir -u http://10.0.100.7/dvwa -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -a CustomAgent
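Seen from the server side, a wordlist scan like the ones above shows up as a burst of 404 responses for many distinct paths from one client, whatever User-Agent the -a flag sets. The following added example (not part of the original tutorial) flags such clients in an Apache combined-format access log; the log lines, the client addresses 10.0.100.5 and 10.0.100.9, and the window and threshold values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format; the sample lines below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_scanners(lines, window=timedelta(seconds=10), threshold=20):
    """Map client IP -> peak count of distinct 404 paths inside one window."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 404:  # User-Agent is ignored on purpose: -a rewrites it
            misses[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged

def sample_log():
    """Constructed traffic: one wordlist scan and one ordinary visitor."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {st} 153 "-" "{ua}"'
    def line(ip, sec, path, st, ua):
        ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, path=path, st=st, ua=ua)
    scan = [line("10.0.100.5", i // 10, f"/dvwa/word{i}", 404, "CustomAgent") for i in range(30)]
    scan.append(line("10.0.100.5", 3, "/dvwa/config", 301, "CustomAgent"))
    user = [line("10.0.100.9", 5, "/favicon.ico", 404, "Mozilla/5.0"),
            line("10.0.100.9", 65, "/old-page", 404, "Mozilla/5.0")]
    return scan + user

if __name__ == "__main__":
    print(find_scanners(sample_log()))
```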
In this tutorial, we learned about Gobuster, a directory brute-force scanner written in the Go programming language. First, we learned how to install the tool, as well as some useful wordlists not found on Kali by default. Next, we ran it against our target and explored some of the various options it ships with. The bottom line: Gobuster is a fast and powerful directory scanner that should be an essential part of any hacker’s repertoire, and now you know how to use it. Let’s Go!
Goodbye for today!!!
If you enjoyed this, please leave a comment in the comment section. It will help to bring more ethical hacking-related posts like this.