🔍 Enumeration / Gobuster

Gobuster

Dir Mode

# Basic directory brute force
gobuster dir -u <url> -w <wordlist>

# With file extensions
gobuster dir -u <url> -w <wordlist> -x php,html,txt,bak,old

# Follow redirects
gobuster dir -u <url> -w <wordlist> -r

# Increase threads
gobuster dir -u <url> -w <wordlist> -t 50

# Ignore SSL errors
gobuster dir -u <url> -w <wordlist> -k

# Show status codes in output
gobuster dir -u <url> -w <wordlist> -s 200,301,302,403

# Hide specific status codes
gobuster dir -u <url> -w <wordlist> -b 404,500

# Output to file
gobuster dir -u <url> -w <wordlist> -o gobuster_dir.txt

# With proxy
gobuster dir -u <url> -w <wordlist> --proxy http://127.0.0.1:8080

# Add trailing slash to attempts
gobuster dir -u <url> -w <wordlist> -f

# Expanded output (show lengths, status, etc.)
gobuster dir -u <url> -w <wordlist> -e

# Filter by length
gobuster dir -u <url> -w <wordlist> --exclude-length 1234

# Timeout per request
gobuster dir -u <url> -w <wordlist> --timeout 10s

# Delay between requests (rate limit)
gobuster dir -u <url> -w <wordlist> --delay 50ms

# User agent
gobuster dir -u <url> -w <wordlist> -a "Mozilla/5.0"

# Verbose (show all attempts)
gobuster dir -u <url> -w <wordlist> -v

# No error output
gobuster dir -u <url> -w <wordlist> --no-error

# No progress bar
gobuster dir -u <url> -w <wordlist> -z

Dir Mode — Authentication

# Basic auth
gobuster dir -u <url> -w <wordlist> -U <username> -P <password>

# Cookie authentication
gobuster dir -u <url> -w <wordlist> -c "session=abc123"

# Bearer token
gobuster dir -u <url> -w <wordlist> -H "Authorization: Bearer <password>"

# Multiple headers
gobuster dir -u <url> -w <wordlist> \
  -H "Authorization: Bearer <password>" \
  -H "X-Custom-Header: value"

# API key
gobuster dir -u <url> -w <wordlist> -H "X-Api-Key: <password>"

Dir Mode — Common Patterns

# PHP application
gobuster dir -u <url> -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -x php,html,txt,bak \
  -b 404 -t 50

# ASP.NET application
gobuster dir -u <url> -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -x aspx,asp,html,txt,config \
  -b 404 -t 50

# Quick initial recon
gobuster dir -u <url> -w /usr/share/seclists/Discovery/Web-Content/common.txt -b 404 -t 40

# Sensitive file hunt
gobuster dir -u <url> -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt \
  -b 404 \
  -x bak,old,zip,tar.gz,sql,conf,config,env,log

# Recursive (manual chaining)
gobuster dir -u <url>/api -w <wordlist> -b 404
gobuster dir -u <url>/admin -w <wordlist> -b 404

DNS Mode

# Subdomain enumeration
gobuster dns -d <domain> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Show IP addresses
gobuster dns -d <domain> -w <wordlist> -i

# Custom DNS resolver
gobuster dns -d <domain> -w <wordlist> -r 8.8.8.8

# Output
gobuster dns -d <domain> -w <wordlist> -o subdomains.txt

# Threads
gobuster dns -d <domain> -w <wordlist> -t 50

# Include wildcard results (show even if wildcard exists)
gobuster dns -d <domain> -w <wordlist> --wildcard

# Verbose (show CNAMEs)
gobuster dns -d <domain> -w <wordlist> -v

# Timeout
gobuster dns -d <domain> -w <wordlist> --timeout 5s

VHost Mode

# Virtual host enumeration
gobuster vhost -u <url> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Append domain automatically
gobuster vhost -u http://<ip> -w <wordlist> --append-domain -d <domain>

# Filter false positives by length
gobuster vhost -u <url> -w <wordlist> --exclude-length 1234

# With HTTPS (ignore cert)
gobuster vhost -u https://<ip> -w <wordlist> -k

# Threads + output
gobuster vhost -u <url> -w <wordlist> -t 50 -o vhosts.txt

# Custom User-Agent
gobuster vhost -u <url> -w <wordlist> -a "Mozilla/5.0"

# With domain appended manually in wordlist
gobuster vhost -u http://<ip> -w <wordlist> -H "Host: FUZZ.<domain>"

Fuzz Mode

# Generic fuzzing (any position)
gobuster fuzz -u <url>/FUZZ -w <wordlist>

# Fuzz GET parameter
gobuster fuzz -u "<url>?id=FUZZ" -w <wordlist>

# Fuzz with extensions in FUZZ
gobuster fuzz -u <url>/FUZZ -w <wordlist> -b 404

# Filter responses
gobuster fuzz -u <url>/FUZZ -w <wordlist> -b 404,403 --exclude-length 0

# Match status codes
gobuster fuzz -u <url>/FUZZ -w <wordlist> -s 200

S3 Mode

# AWS S3 bucket enumeration
gobuster s3 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# With threads
gobuster s3 -w <wordlist> -t 50

# Output
gobuster s3 -w <wordlist> -o s3_buckets.txt

Pattern Files

# Use a pattern file to append to wordlist entries
# Create pattern file:
cat > patterns.txt << 'EOF'
{GOBUSTER}/v1
{GOBUSTER}/v2
{GOBUSTER}/api
{GOBUSTER}/backup
EOF

gobuster dir -u <url> -w <wordlist> -p patterns.txt

# Pattern for API versioning
cat > api_patterns.txt << 'EOF'
/api/{GOBUSTER}
/api/v1/{GOBUSTER}
/api/v2/{GOBUSTER}
EOF

gobuster dir -u <url> -w /usr/share/seclists/Discovery/Web-Content/common.txt -p api_patterns.txt

Practical One-Liners

# Fast full recon
gobuster dir -u <url> -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -b 404 -t 40 -o /tmp/gobuster_<target>.txt

# Subdomain + vhost combo
gobuster dns -d <domain> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -i
gobuster vhost -u http://<ip> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain -d <domain>

# API fuzzing
gobuster dir -u <url>/api -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -b 404 -s 200,201,204,400,401,403,405 -t 30

# File hunt with extensions
gobuster dir -u <url> -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt \
  -x php,txt,html,bak,old,zip,sql,conf,log,env \
  -b 404 -t 50 -o files.txt