Gobuster is one of the most popular tools in a penetration tester’s arsenal for discovering hidden directories, files, and DNS subdomains. Written in Go, it is fast, reliable, and built specifically for brute-force enumeration tasks. Unlike browser-based crawlers, Gobuster hammers a target with wordlist entries to surface resources that aren’t linked anywhere — the kind of content that often holds sensitive data, admin panels, or old backup files.
This guide covers Gobuster’s core modes, the most useful flags, recommended wordlists, and practical techniques used in real assessments.
Installing Gobuster
On Kali Linux and Parrot OS, Gobuster ships preinstalled. On any Debian-based system you can install it with:
sudo apt install gobuster
To grab the latest release directly:
go install github.com/OJ/gobuster/v3@latest
Confirm the installation:
gobuster version
Core Modes
Gobuster has several operating modes, each targeting a different type of enumeration:
| Mode | Purpose |
|---|---|
| dir | Brute-force directories and files on a web server |
| dns | Enumerate DNS subdomains |
| vhost | Discover virtual hosts on a web server |
| fuzz | General-purpose fuzzing with a FUZZ placeholder in the URL, headers, or body |
| s3 | Enumerate open Amazon S3 buckets |
Directory Enumeration with dir Mode
The dir mode is the most commonly used. Point it at a target URL with a wordlist and Gobuster starts firing HTTP requests.
Basic Syntax
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
Essential Flags
| Flag | Description |
|---|---|
| -u | Target URL |
| -w | Path to wordlist |
| -x | File extensions to append to each entry (e.g., php,html,txt); the bare entry is still requested |
| -t | Number of concurrent threads (default: 10) |
| -o | Write results to a file |
| -b | Blacklist HTTP status codes (default: 404) |
| -k | Skip TLS certificate verification |
| --timeout | HTTP request timeout (default: 10s) |
| -r | Follow redirects |
Practical Example
gobuster dir \
-u https://target.com \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-x php,html,txt,bak \
-t 50 \
-o gobuster_results.txt \
-k
This command targets an HTTPS site, requests every wordlist entry both bare and with each of the four extensions (five requests per entry, so the run is five times longer than the list suggests), uses 50 threads, saves the output, and skips TLS certificate verification (needed for the self-signed certificates common in internal test environments).
Filtering by Status Code
By default Gobuster blacklists only 404, so every other response is shown. Hide additional codes by extending the blacklist with -b; the value replaces the default rather than adding to it, so keep 404 in the list:
gobuster dir -u http://target.com -w wordlist.txt -b 404,301,302,403
Or use -s to show only specific status codes. The two options are mutually exclusive, and because the blacklist is populated by default, -s only works when you also clear it with an empty -b:
gobuster dir -u http://target.com -w wordlist.txt -s 200,204 -b ""
DNS Subdomain Brute-Forcing
The dns mode discovers subdomains by resolving wordlist entries prepended to the target domain.
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 30
Key DNS Flags
| Flag | Description |
|---|---|
| -d | Target domain |
| --wildcard | Continue even when wildcard DNS is detected |
| -i | Show resolved IP addresses |
| -r | Use a custom DNS resolver (host or host:port) |
Using a resolver other than the system default (a public resolver such as 8.8.8.8, or a dedicated one set up for the engagement) avoids the caching, rate limits, and logging of the local resolver. The target's authoritative nameserver still receives every lookup through that resolver, so this does not get around limits enforced there:
gobuster dns -d target.com -w subdomains.txt -r 8.8.8.8:53
Wildcard DNS warning: some domains configure wildcard DNS (*.target.com resolves to a real IP), so every name in the wordlist appears to exist. Gobuster resolves a random label first, reports the wildcard, and stops unless you pass --wildcard. If you do continue, run with -i and treat any hit whose addresses are all the wildcard's as noise; only names that resolve to a different address tell you anything.
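When you are forced to continue with --wildcard, the useful step is to discard every hit that resolves only to the wildcard address. The script below is an added example, not part of Gobuster or the original article. It assumes the Found: name [ip, ip] line format that gobuster dns prints with -i (the sample output is constructed, not captured from a real domain), and the wildcard_ips helper needs dig and network access, so the demo at the bottom uses a hard-coded wildcard address instead.

```shell
#!/usr/bin/env bash
# Added example: post-filter `gobuster dns -i --wildcard` output so that
# names resolving only to the wildcard address are discarded.

# wildcard_ips DOMAIN
# Resolves a random label under DOMAIN; whatever it returns is the wildcard
# address set. Needs dig and network access (assumption: dnsutils installed).
# Not called by the demo below.
wildcard_ips() {
    local domain="$1" label
    label="$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    dig +short "${label}.${domain}" A | grep -E '^[0-9.]+$' | paste -sd,
}

# filter_wildcard_hits WILDCARD_IPS < gobuster-output
# WILDCARD_IPS is a comma-separated list. A hostname is kept only if at
# least one of its addresses is not in that list.
filter_wildcard_hits() {
    awk -v wild="$1" '
        BEGIN {
            n = split(wild, w, ",")
            for (i = 1; i <= n; i++) { gsub(/ /, "", w[i]); iswild[w[i]] = 1 }
        }
        /^Found: / {
            host = $2
            # addresses sit between the brackets, e.g. "[10.0.0.1, 10.0.0.2]"
            if (!match($0, /\[.*\]/)) next
            m = split(substr($0, RSTART + 1, RLENGTH - 2), ips, /[ ,]+/)
            for (j = 1; j <= m; j++)
                if (ips[j] != "" && !(ips[j] in iswild)) { print host; break }
        }'
}

# Constructed sample: what a run against a wildcard domain (*.target.com
# -> 203.0.113.10) could print. zzqxv is a bogus label that "resolved" only
# because of the wildcard; admin likewise carries no information.
SAMPLE_DNS_OUTPUT='Found: admin.target.com [203.0.113.10]
Found: mail.target.com [203.0.113.25]
Found: dev.target.com [203.0.113.10, 203.0.113.11]
Found: vpn.target.com [198.51.100.7]
Found: zzqxv.target.com [203.0.113.10]'

# Demo with the hard-coded wildcard address; in a real run use
# "$(wildcard_ips target.com)" and pipe the live gobuster output in.
printf '%s\n' "$SAMPLE_DNS_OUTPUT" | filter_wildcard_hits "203.0.113.10"
```

The demo keeps mail, dev and vpn: dev survives because one of its two addresses is not the wildcard's, which is exactly the case a naive "drop if it matches" filter would lose.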
Virtual Host Enumeration
Many web servers host multiple sites on the same IP via name-based virtual hosting, and some of those sites have no public DNS record at all, so dns mode never sees them. The vhost mode keeps the URL fixed and fuzzes the Host header instead:
gobuster vhost -u http://192.168.1.10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --domain target.com --append-domain
The --append-domain flag appends a domain to each wordlist entry, so admin becomes admin.target.com in the Host header. By default that domain is taken from the URL, which is useless when the URL is an IP as above; recent v3 releases accept --domain to set it explicitly, and without either option the wordlist must contain fully qualified names. Gobuster reports a virtual host when the response differs from the baseline it receives for a random Host value. A server that answers every name with the same page floods the output, in which case pass --exclude-length with that page's size. Confirm a hit by sending a single request with that Host header set before adding the name to your scope.
Wordlist Recommendations
The wordlist you choose dramatically affects your results. These are the go-to options:
- SecLists (/usr/share/seclists/ on Kali): the gold standard, maintained at github.com/danielmiessler/SecLists
- DirBuster lists: directory-list-2.3-small.txt, -medium.txt and -big.txt trade coverage against speed (medium ships in /usr/share/wordlists/dirbuster/ on Kali; all three are in SecLists under Discovery/Web-Content/)
- common.txt from DIRB (/usr/share/wordlists/dirb/common.txt): a fast first pass for quick wins
- raft-large-directories.txt from SecLists (Discovery/Web-Content/): comprehensive coverage for thorough assessments
Match the list to the stack you identified during recon and pair it with -x for the framework's extension; a large list with the wrong extensions is slower and finds less than a small list with the right ones.
Install SecLists:
sudo apt install seclists
Tuning for Speed and Stealth
Increase Threads for Speed
gobuster dir -u http://target.com -w wordlist.txt -t 100
Be cautious: high thread counts can overwhelm fragile web servers or trigger rate limiting and WAF blocks. For a quieter run, lower -t and add a per-thread pause with --delay (for example --delay 500ms), and raise --timeout if a slow server starts producing timeouts that hide real hits.
Set a User-Agent
gobuster dir -u http://target.com -w wordlist.txt -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
If the target requires authentication headers or cookies:
gobuster dir -u http://target.com -w wordlist.txt -H "Authorization: Bearer eyJhbGci..." -H "Cookie: session=abc123"
Interpreting Results
A typical output line looks like this:
/admin (Status: 301) [Size: 314] [--> http://target.com/admin/]
/backup (Status: 200) [Size: 5842]
/config.php (Status: 200) [Size: 0]
/robots.txt (Status: 200) [Size: 124]
- 301 to a path ending in / marks a real directory; rerun Gobuster against it (-u http://target.com/admin/) rather than just following it manually
- 200 with Size: 0 usually means a script that executed but emitted nothing (an include such as config.php) or an endpoint waiting for parameters; the resource exists even though there is nothing to see
- 403 Forbidden means the resource exists but access is blocked at your current level; note it, since a forbidden directory can still expose individual files inside it, and it is a natural target once you hold credentials
- Many 200 responses with the identical size are almost always a catch-all page, not real content; rerun with --exclude-length set to that size
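A few lines of awk turn the raw output into something the next tool can consume and surface the two things that most often mislead a first read: redirects whose real location is the bracketed target, and a catch-all page that returns 200 with the same size for every path. This is an added example, not part of Gobuster or the original article; the sample output is constructed (it extends the lines above) and the functions assume the one-hit-per-line layout shown there.

```shell
#!/usr/bin/env bash
# Added example: triage helpers for `gobuster dir` output.

# Constructed sample output (not captured from a real host). The last two
# paths return the same 5842-byte page as /backup: a typical catch-all.
SAMPLE_DIR_OUTPUT='/admin                (Status: 301) [Size: 314] [--> http://target.com/admin/]
/backup               (Status: 200) [Size: 5842]
/config.php           (Status: 200) [Size: 0]
/robots.txt           (Status: 200) [Size: 124]
/.git/HEAD            (Status: 403) [Size: 277]
/contact              (Status: 200) [Size: 5842]
/news                 (Status: 200) [Size: 5842]'

# hits_to_urls BASE_URL < gobuster-output
# One absolute URL per hit, suitable as a target list for a proxy or scanner.
# For redirects the bracketed target is used, since that is where the
# content actually lives (e.g. /admin -> http://target.com/admin/).
hits_to_urls() {
    local base="${1%/}"
    awk -v base="$base" '
        /\(Status: [0-9]+\)/ {
            if (match($0, /--> .*\]/)) print substr($0, RSTART + 4, RLENGTH - 5)
            else print base $1
        }'
}

# catchall_sizes MIN_COUNT < gobuster-output
# Sizes that appear at least MIN_COUNT times among 200 responses. A size
# repeated across unrelated paths is almost always a soft-404 page; feed it
# to gobuster --exclude-length on the next run to silence it.
catchall_sizes() {
    awk -v min="$1" '
        /\(Status: 200\)/ && match($0, /Size: [0-9]+/) {
            count[substr($0, RSTART + 6, RLENGTH - 6)]++
        }
        END { for (s in count) if (count[s] >= min) print s }' | sort -n
}

# empty_200s < gobuster-output
# 200 with Size: 0: the path exists and executed but produced no body
# (PHP include files such as config.php, or endpoints expecting parameters).
empty_200s() {
    awk '/\(Status: 200\) \[Size: 0\]/ { print $1 }'
}

printf '%s\n' "$SAMPLE_DIR_OUTPUT" | hits_to_urls http://target.com
printf '%s\n' "$SAMPLE_DIR_OUTPUT" | catchall_sizes 3
printf '%s\n' "$SAMPLE_DIR_OUTPUT" | empty_200s
```

On a real run replace the printf with the -o file (hits_to_urls http://target.com < gobuster_results.txt) and import the URL list into your proxy; catchall_sizes 3 on the sample reports 5842, which is the value to pass as --exclude-length 5842 when you rerun.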
Workflow Integration
Gobuster works best as part of a larger workflow:
- Run a Nmap scan first to find open ports and identify the web server
- Use Gobuster for directory and subdomain discovery
- Feed interesting findings into Burp Suite for manual inspection
- Use Nikto for vulnerability scanning on discovered paths
- Revisit with ffuf for more advanced fuzzing with custom matchers and filters
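Gluing the first two steps together: parse nmap's grepable output for open HTTP services, build one URL per service, and run gobuster against each. This is an added example, not from the original page or the Gobuster project. The nmap line is constructed in the -oG format nmap writes, the https-versus-http decision is a heuristic on the service name and port, and enumerate_all actually invokes gobuster, so it is defined but not called here.

```shell
#!/usr/bin/env bash
# Added example: from nmap -oG output to one gobuster run per web service.

# Constructed -oG line for a host with SSH, HTTP, HTTPS, an HTTP proxy port
# and a filtered MySQL port. Real output comes from: nmap -sV -oG scan.gnmap <host>
SAMPLE_GNMAP="$(printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/open/tcp//ssl|http//Apache httpd/, 8080/open/tcp//http-proxy///, 3306/filtered/tcp//mysql///\tIgnored State: closed (995)')"

# urls_from_gnmap < scan.gnmap
# Emits scheme://ip:port for every open port whose service name contains
# "http". Heuristic (assumption): https when the service is ssl-wrapped or
# the port is 443/8443, plain http otherwise.
urls_from_gnmap() {
    awk '
        /^Host: / && /Ports: / {
            ip = $2
            sub(/.*Ports: /, "")
            sub(/[ \t]*Ignored State:.*/, "")
            n = split($0, ports, /, /)
            for (i = 1; i <= n; i++) {
                # each entry: port/state/proto/owner/service/rpc/version/
                split(ports[i], f, "/")
                port = f[1]; state = f[2]; svc = f[5]
                if (state != "open" || svc !~ /http/) continue
                scheme = (svc ~ /ssl|https/ || port == 443 || port == 8443) ? "https" : "http"
                print scheme "://" ip ":" port
            }
        }'
}

# enumerate_all WORDLIST < url-list
# Runs gobuster dir once per URL, writing a separate result file per target.
# -k is harmless on plain http and saves a failed run on self-signed https.
# Not executed in this example: it needs gobuster and a target in scope.
enumerate_all() {
    local wordlist="$1" url name
    while read -r url; do
        name="$(printf '%s' "$url" | tr -c 'A-Za-z0-9' '_')"
        gobuster dir -u "$url" -w "$wordlist" -k -t 30 -o "gobuster_${name}.txt"
    done
}

printf '%s\n' "$SAMPLE_GNMAP" | urls_from_gnmap
# Live usage: urls_from_gnmap < scan.gnmap | enumerate_all /usr/share/wordlists/dirb/common.txt
```

The sample yields three targets (80, 443 and 8080) and skips SSH and the filtered MySQL port; the per-target output files are what you then triage and hand to Burp or Nikto.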
Legal and Ethical Considerations
Gobuster sends a high volume of HTTP requests in a short time. Only run it against systems you own or have explicit written permission to test. Unauthorized enumeration is illegal under computer fraud laws in most jurisdictions and can cause availability issues on targeted servers. Always operate within the scope defined in your penetration testing agreement.
Summary
Gobuster is a fast, versatile enumeration tool that excels at surfacing hidden web resources. Master the dir, dns, and vhost modes, choose your wordlists strategically, and integrate Gobuster early in your web application assessment workflow. The hidden directories and subdomains it finds often become the most valuable entry points in a penetration test.