Gobuster is a fast, concurrent directory, DNS and virtual-host brute-forcing tool written in Go. Where older tools such as dirb issue one request at a time, Gobuster keeps a pool of worker goroutines sending requests in parallel, which makes it one of the quickest options for web enumeration in a penetration test. This guide covers installation, wordlist selection, key flags, and practical usage across directory, DNS, and vhost modes.
Installing Gobuster
On Kali Linux or Debian-based systems, Gobuster is available from the package manager:
sudo apt install gobuster
For the latest version, build from source using Go:
go install github.com/OJ/gobuster/v3@latest
Verify the install:
gobuster version
Choosing the Right Wordlist
Your results are only as good as your wordlist. Two collections dominate penetration testing:
dirb — Ships with Kali. The classic common.txt list at /usr/share/dirb/wordlists/common.txt contains around 4,600 entries and is a solid starting point for quick scans.
SecLists — Maintained by Daniel Miessler, this is the gold standard. Install it with:
sudo apt install seclists
Key paths after installation:
| Wordlist | Path | Entries (approx.) |
|---|---|---|
| common directories | /usr/share/seclists/Discovery/Web-Content/common.txt | ~4,700 |
| directory medium | /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt | ~220,000 |
| DNS subdomains | /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt | 5,000 |
| API routes | /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt | varies |
For most engagements, start with common.txt to get quick wins, then move to the medium list for thoroughness.
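The escalation step can be made cheaper than simply re-running with the bigger list, because the medium list repeats most of common.txt. The script below is an added example, not code from this page, from Gobuster or from SecLists: it normalises both lists and emits only the entries the quick pass has not already requested, ready to be passed to a second run with -w. The two inline lists are constructed stand-ins for the real files; for real use point remaining_entries at the SecLists paths above.

```shell
#!/bin/sh
# Wordlist layering helper (added example; not part of Gobuster or SecLists).
# The medium SecLists file repeats most of common.txt, so an escalated second
# pass should request only the names the quick pass has not already tried.
export LC_ALL=C   # comm needs both inputs sorted under the same collation

# Constructed stand-ins for common.txt and directory-list-2.3-medium.txt.
COMMON='admin
backup
# comments and blank lines occur in real lists
login

images'
MEDIUM='admin
login
images
uploads
old
Admin
private'

# Normalise a wordlist on stdin: strip leading whitespace, comments, blank
# lines and leading slashes, then dedupe. Output is sorted, as comm requires.
clean_list() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' -e 's#^/##' | sort -u
}

# Print the entries of the second list file that are absent from the first.
# Usage: remaining_entries common.txt directory-list-2.3-medium.txt > pass2.txt
remaining_entries() {
    done_tmp=$(mktemp) || return 1
    next_tmp=$(mktemp) || return 1
    clean_list < "$1" > "$done_tmp"
    clean_list < "$2" > "$next_tmp"
    comm -13 "$done_tmp" "$next_tmp"
    rm -f "$done_tmp" "$next_tmp"
}

# Write the constructed lists to files and show what a second pass would use.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' "$COMMON" > "$SAMPLE_DIR/common.txt"
printf '%s\n' "$MEDIUM" > "$SAMPLE_DIR/medium.txt"
remaining_entries "$SAMPLE_DIR/common.txt" "$SAMPLE_DIR/medium.txt"
```

On the sample lists this prints Admin, old, private and uploads: the four names the first pass never sent. Note that case matters to comm and to the target, so Admin is kept even though admin was already tried.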
Directory Mode: Core Flags
The dir mode is Gobuster’s bread and butter. The basic syntax is:
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt
Essential Flags
-u — Target URL. Always include the scheme (http:// or https://).
-w — Wordlist path.
-t — Thread count. Default is 10. Increasing to 50 dramatically speeds things up:
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50
Be cautious on production systems — high thread counts can trigger rate limiting or crash fragile servers.
-x — File extensions to append. Every wordlist entry is requested bare and again with each extension, so the request count grows to (1 + number of extensions) times the list size, and the scan starts finding actual files rather than only directories:
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,txt,bak
-o — Output file. Always save results:
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt -o gobuster_results.txt
-s — Status codes to treat as hits. Gobuster 3.0 showed 200, 204, 301, 302, 307, 401 and 403 by default. From 3.1 onward there is no default whitelist; instead 404 is blacklisted (see -b), and -s and -b cannot both be set, so using a whitelist means clearing the blacklist explicitly:
gobuster dir -u https://target.com -w common.txt -s "200,204,301,302,403" -b ""
-b — Blacklist status codes (exclude them from output). On current versions it defaults to 404; extend it when the server answers misses with something else, such as a 500:
gobuster dir -u https://target.com -w common.txt -b "404,500"
If every miss instead comes back as a 200 with the same boilerplate page, do not blacklist 200; exclude the boilerplate by its byte length with --exclude-length so real 200s still show.
-k — Skip TLS certificate verification. Useful for self-signed certs on internal targets:
gobuster dir -u https://192.168.1.50 -w common.txt -k
--timeout — Set request timeout (default 10s). Useful on slow networks:
gobuster dir -u https://target.com -w common.txt --timeout 15s
A Complete Directory Scan Command
gobuster dir \
-u https://target.com \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-x php,html,js,txt,bak,zip \
-t 40 \
-o dir_results.txt \
-k \
--timeout 10s
DNS Mode: Subdomain Enumeration
Switch to dns mode to brute-force subdomains. This queries DNS directly rather than making HTTP requests, making it faster for large subdomain lists.
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
DNS Mode Flags
-d — Target domain (no http:// prefix).
-r — Use a specific DNS resolver instead of the system default:
gobuster dns -d target.com -w subdomains.txt -r 8.8.8.8
-i — Show IP addresses alongside discovered subdomains:
gobuster dns -d target.com -w subdomains.txt -i
--wildcard — Gobuster automatically detects wildcard DNS and exits. Use this flag to force it to continue anyway, though results will be noisy.
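Gobuster's wildcard check amounts to resolving a random label under the domain and seeing whether it gets an answer; --wildcard simply ignores that result, so every wordlist entry then "resolves". The script below is an added example, not Gobuster's own code, showing the manual alternative: record the wildcard answer, then report only names whose A records differ from it. The resolve() table is a constructed zone so the script runs offline; the domain example.test, the addresses and the four-entry wordlist are assumptions.

```shell
#!/bin/sh
# Wildcard-aware subdomain brute force (added example; not part of Gobuster).
# Gobuster stops when it detects a wildcard record and --wildcard only makes it
# carry on regardless. This script instead learns the wildcard answer from a
# random label and prints only names whose A records differ from it.

# Constructed zone so the script runs offline: *.example.test is a wildcard
# pointing at 10.0.0.1, admin has its own address, mail has two records.
# For a live run replace the body of resolve() with
#   dig +short A "$1" @"${RESOLVER:-8.8.8.8}"
resolve() {
    case "$1" in
        admin.example.test) printf '10.0.0.5\n' ;;
        mail.example.test)  printf '10.0.0.1\n10.0.0.9\n' ;;
        *.example.test)     printf '10.0.0.1\n' ;;
        *)                  return 1 ;;
    esac
}

# Resolve a random label under the domain; non-empty output means a wildcard.
wildcard_ips() {
    rnd=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    resolve "wc-probe-$rnd.$1" 2>/dev/null | sort -u
}

# Read labels from stdin and print "name ip[,ip...]" for every name whose
# answer set differs from the wildcard answer. Hosts that happen to share the
# wildcard address are hidden by this filter; vhost mode finds those.
brute_force() {
    domain=$1
    wcset=$(wildcard_ips "$domain")
    while IFS= read -r label; do
        [ -n "$label" ] || continue
        name="$label.$domain"
        ips=$(resolve "$name" 2>/dev/null | sort -u)
        [ -n "$ips" ] || continue
        if [ -z "$wcset" ] || [ "$ips" != "$wcset" ]; then
            printf '%s %s\n' "$name" "$(printf '%s\n' "$ips" | tr '\n' ',' | sed 's/,$//')"
        fi
    done
}

# Usage with a constructed four-entry wordlist:
printf 'www\nadmin\nmail\ndev\n' | brute_force example.test
```

Against the constructed zone this reports admin.example.test and mail.example.test only; www and dev resolve to the wildcard address and are dropped. The comparison is on the whole answer set, so a name that adds a second record on top of the wildcard address (mail here) still surfaces.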
VHost Enumeration
VHost mode enumerates virtual hosts on a web server — multiple domains served from the same IP. This differs from DNS mode because it makes HTTP requests with a manipulated Host header rather than querying DNS.
gobuster vhost \
-u https://target.com \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
--append-domain
The --append-domain flag appends the base domain to each wordlist entry, so admin becomes admin.target.com in the Host header; without it, recent releases send the bare wordlist entry as the Host value. Because most servers answer any unknown Host with their default site, nearly every entry produces a response and the raw output is mostly noise. Note the size of the response for a nonsense hostname and drop matches of that size with --exclude-length; what remains points at genuinely separate virtual hosts.
Interpreting Results
Gobuster output includes the path and status code:
/admin (Status: 301) [Size: 318] [--> https://target.com/admin/]
/login (Status: 200) [Size: 4523]
/backup (Status: 403) [Size: 287]
/.git (Status: 403) [Size: 287]
- 200 — Directory or file exists and is accessible. High priority.
- 301/302 — Redirect. Follow it manually; a 301 to the same path with a trailing slash (as with /admin above) just means the path is a directory, so enumerate inside it.
- 403 — Exists but access is forbidden. Worth noting — sometimes bypassable.
- 401 — Authentication required. Credentials needed; try default creds.
.git folders are a major finding. If exposed, you can often recover source code using git-dumper. Similarly, /backup, /admin, and /config directories warrant immediate manual investigation.
Tips for Better Results
- Layer your wordlists: run common.txt first, then escalate to the medium or large lists as time allows.
- Adjust threads carefully: start at 20–30 threads and watch for server errors or rate-limit responses (429 status codes); back off when they appear, because a rate-limited scan silently misses paths.
- Combine with extensions: match -x to the stack you see in headers and existing URLs (php for PHP, asp,aspx for IIS) and add html,txt,bak on top; discovering config.php.bak can be a game-changer.
- Feed results into other tools: pipe discovered URLs into Nikto or Burp Suite for deeper testing.
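To put the status-code reading from Interpreting Results and the hand-off to other tools into practice, the script below is an added example (not part of Gobuster) that parses the result lines gobuster prints or saves with -o. The SAMPLE block is constructed from the output shown above plus a few invented paths, and the high-priority patterns are one opinionated list rather than a Gobuster feature.

```shell
#!/bin/sh
# Triage helper for gobuster dir output (added example; not part of Gobuster).
# It reads result lines of the form
#   /path (Status: NNN) [Size: N] [--> redirect-target]
# and splits them into what a tester wants next: paths to inspect by hand,
# redirects to follow, and full URLs to hand to Nikto, Burp or a second pass.

# Constructed sample output for an offline run.
SAMPLE='/admin (Status: 301) [Size: 318] [--> https://target.com/admin/]
/login (Status: 200) [Size: 4523]
/backup (Status: 403) [Size: 287]
/.git (Status: 403) [Size: 287]
/config.php.bak (Status: 200) [Size: 1904]
/api (Status: 401) [Size: 0]
/robots.txt (Status: 200) [Size: 65]'

# Emit "status path" pairs; banner and progress lines never start with "/".
parse_results() {
    awk '$1 ~ /^\// && $2 == "(Status:" { sub(/\)$/, "", $3); print $3, $1 }'
}

# Paths that warrant immediate manual attention: VCS metadata, backups,
# config, admin interfaces and archive or dump extensions.
high_priority() {
    parse_results | awk '$2 ~ /(^|\/)\.(git|svn|env)|backup|config|admin|\.(bak|old|zip|tar|gz|sql)$/ { print $2 }'
}

# Redirects with their targets: a 301 to the same path plus "/" is a directory.
redirect_targets() {
    awk '$1 ~ /^\// && $3 ~ /^30[1278]/ {
        for (i = 1; i <= NF; i++) if ($i == "[-->") { t = $(i + 1); sub(/\]$/, "", t); print $1, t }
    }'
}

# Full URLs for everything that exists (2xx, 3xx, 401, 403), one per line.
# Usage: to_urls https://target.com < gobuster_results.txt > urls.txt
to_urls() {
    base=${1%/}
    parse_results | awk -v b="$base" '$1 ~ /^[23][0-9][0-9]$|^40[13]$/ { print b $2 }'
}

# Show the paths to look at first from the constructed sample.
printf '%s\n' "$SAMPLE" | high_priority
```

On the sample this lists /admin, /backup, /.git and /config.php.bak; redirect_targets prints the /admin redirect with its target, and to_urls turns all seven hits into absolute URLs for the next tool. Feed a real -o file to the functions on stdin; the first awk filter discards gobuster's banner so the file can be passed as saved.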
Gobuster is most effective as part of a broader recon workflow. Pair it with Subfinder for passive subdomain discovery and Nikto for vulnerability scanning to build a complete picture of the target’s web attack surface.