Gobuster | Fast Directory & DNS Brute Forcing Tool
A powerful and fast penetration testing utility, Gobuster is a Go-based tool designed for advanced directory, file, and DNS subdomain brute-forcing tasks.
Powerful Features
Gobuster provides comprehensive brute-forcing capabilities for penetration testers and security researchers
Directory Brute-Forcing
Efficiently discover hidden directories and files using custom wordlists with advanced pattern matching capabilities.
DNS Subdomain Enumeration
Discover subdomains through DNS brute-forcing with support for multiple DNS servers and wildcard detection.
Multi-threaded Performance
Leverage Go's concurrency model for high-speed scanning with configurable thread counts and timeout settings.
Custom Wordlist Support
Support for custom wordlists with file extensions, pattern matching, and intelligent filtering capabilities.
Comprehensive Output Formats
Multiple output formats including plain text, JSON, and custom formats with detailed response information.
Advanced Filtering
Smart filtering of responses based on status codes, content length, and regex patterns for precise results.
Professional Use Cases
Essential tool for security professionals, penetration testers, and bug bounty hunters
Web Application Security Testing
Discover hidden endpoints, administrative interfaces, and sensitive files during penetration testing engagements.
Bug Bounty Programs
Identify subdomains and hidden assets that may contain vulnerabilities for bug bounty hunting.
Infrastructure Assessment
ucture by discovering subdomains and exposed services.
Compliance Auditing
Verify that no unauthorized or hidden endpoints exist in production environments.
Installation Guide
Follow these instructions to install Gobuster on your system:
Linux
Install Gobuster on Linux using a package manager or by compiling from source: Using apt (Debian/Ubuntu): sudo apt install gobuster From source: Ensure Go is installed, then run go install gobuster.org/OJ/gobuster/v3@latest
macOS
Install Gobuster on macOS using Homebrew or from source: Using Homebrew: brew install gobuster From source: Install Go, then run go install gobuster.org/OJ/gobuster/v3@latest
Windows
Install Gobuster on Windows by downloading the binary or compiling from source: Binary: Download the latest release from the GitHub releases page. From source: Install Go, then run go install gobuster.org/OJ/gobuster/v3@latest
Command Reference
Comprehensive overview of Gobuster’s command-line options and flags
| Option | Description | Default |
|---|---|---|
| -u, --url | Target URL | Required |
| -w, --wordlist | Path to the wordlist | Required |
| -t, --threads | Number of concurrent threads | 10 |
| -x, --extensions | File extensions to search for | None |
| --timeout | HTTP timeout | 10s |
Performance Benchmarks
Optimized for speed and efficiency in large-scale security assessments
What is Gobuster?
Gobuster is a command-line tool used for brute-forcing URIs, directories, files, and DNS subdomains.
Who developed Gobuster?
Gobuster was developed by OJ Reeves (OJ/gobuster) for penetration testing purposes.
What programming language is Gobuster written in?
Gobuster is written in the Go programming language.
What is the primary use of Gobuster?
Its primary use is discovering hidden directories, files, and subdomains on web servers.
Is Gobuster open-source?
Yes, Gobuster is open-source and available on GitHub.
What operating systems support Gobuster?
Gobuster works on Linux, Windows, and macOS.
What are the main Gobuster modes?
Common modes are directory brute-forcing, DNS subdomain enumeration, and vhost discovery.
What wordlists are used in Gobuster?
Gobuster uses custom wordlists, often from SecLists or custom-created lists.
How do you install Gobuster on Linux?
It can be installed using apt install gobuster or by compiling from source.
Can Gobuster discover hidden files?
Yes, it can discover hidden files based on extensions provided.
Does Gobuster support HTTPS?
Yes, Gobuster supports both HTTP and HTTPS.
What is the syntax for running Gobuster?
Basic syntax: gobuster dir -u <URL> -w <wordlist>.
What does the -u option do in Gobuster?
The -u option specifies the target URL.
What does the -w option do in Gobuster?
The -w option specifies the wordlist file to use.
What does the -t option do in Gobuster?
The -t option sets the number of concurrent threads.
What does the -x option do in Gobuster?
The -x option defines file extensions to brute-force.
What is the default timeout in Gobuster?
The default timeout is 10 seconds per request.
Does Gobuster support proxy usage?
Yes, Gobuster supports proxies using the –proxy option.
Can Gobuster perform virtual host enumeration?
Yes, with the vhost mode, Gobuster can discover virtual hosts.
What is DNS mode in Gobuster?
DNS mode allows brute-forcing of DNS subdomains.
Can Gobuster brute-force subdomains over HTTPS?
Yes, Gobuster can brute-force subdomains on HTTPS domains.
Is Gobuster faster than DirBuster?
Yes, Gobuster is generally faster due to being written in Go.
Can Gobuster resume from a previous scan?
No, Gobuster does not natively support resuming scans.
Does Gobuster have recursion support?
No, Gobuster does not natively support recursion for deeper directory discovery.
Can Gobuster save scan results to a file?
Yes, using the -o option, results can be saved.
Does Gobuster support brute-forcing authentication?
No, Gobuster does not perform brute-forcing of usernames or passwords.
How is Gobuster different from FFUF?
Gobuster is simpler and older, while FFUF offers more advanced features.
What is the latest version of Gobuster?
You can check the latest release on the Gobuster GitHub page
Can Gobuster be used in penetration testing reports?
Yes, Gobuster findings are often included in professional penetration testing reports.
Is Gobuster legal to use?
Gobuster is legal for ethical use, but unauthorized scans on systems you don’t own are illegal.