How to Use Gobuster for Directory Enumeration (2026)

Penetration Testing
12 min read
How to Use Gobuster for Directory Enumeration (2026)
On this page
  1. What Is Gobuster?
  2. Installing Gobuster
    1. Install on Kali or Debian
    2. Install with Go
    3. Confirm the Version
  3. Gobuster's Enumeration Modes
  4. How to Use Gobuster for Directory Enumeration
    1. Step 1: Run a Basic Scan
    2. Step 2: Add File Extensions
    3. Step 3: Tune Threads and Wordlist Size
    4. Step 4: Read the Status Codes
  5. Gobuster Command Cheat Sheet
    1. Filtering False Positives with --exclude-length
  6. DNS and Virtual Host Enumeration
    1. Subdomain Discovery with dns Mode
    2. Virtual Host Discovery with vhost Mode
  7. Gobuster vs DirBuster vs ffuf
  8. Tips for Cleaner, Faster Scans
  9. Legal and Ethical Considerations
    1. Where Gobuster Is Fair Game
  10. Frequently Asked Questions
  11. Your Next Steps

You have found a web server, but the homepage gives nothing away. No admin link, no obvious API, no sitemap. This is where learning how to use Gobuster pays off. Gobuster is a fast, Go-based tool that brute-forces hidden directories, files, DNS subdomains, and virtual hosts by throwing a wordlist at the target and watching how the server responds. It is one of the first tools most testers reach for during the enumeration phase of a penetration testing engagement.

This guide covers installation, every scan mode, the flags that actually matter, and the false-positive filtering that separates a clean report from a noisy one. You can follow along and run real scans against our hidden CMS breach lab, a browser-based target built for exactly this kind of content discovery.

TL;DR: Gobuster is a command-line directory and DNS brute-forcing tool written in Go. Run gobuster dir -u http://target -w wordlist.txt to enumerate hidden paths, add -x php,txt for file extensions, and use --exclude-length to kill false positives. It is faster than DirBuster, lighter than ffuf for simple jobs, and a core skill for web enumeration.

What Is Gobuster?

Gobuster is a directory, file, and DNS brute-forcing tool written in Go. It sends a stream of HTTP or DNS requests built from a wordlist, then reports which paths or names the target actually responds to. Testers use it to uncover content that is not linked anywhere in the site's navigation.

The tool exists because web applications hide more than they show. A running server usually holds resources the developers never meant to expose:

  • Admin panels at paths like /admin, /manage, or /wp-admin
  • Backup files such as config.php.bak or database.sql
  • Version control leftovers like a /.git/ directory
  • API endpoints that appear in no public documentation
  • Staging or debug pages such as /phpinfo.php

Gobuster is written in Go, which is where its main advantage comes from. Go compiles to a single static binary and handles concurrency natively, so Gobuster runs many requests in parallel without the memory overhead of the older Java-based DirBuster. On a typical wordlist it finishes in a fraction of the time.

The project is open source and actively maintained on GitHub by OJ Reeves and a group of contributors. The current 3.x branch splits its work into distinct modes, which is the first thing to understand before you run a scan.

Installing Gobuster

Gobuster ships pre-installed on Kali Linux and Parrot OS. On a fresh system, or if you removed it, installation takes one command.

Install on Kali or Debian

sudo apt update && sudo apt install gobuster

If you skip apt update and hit the error unable to locate package gobuster, that is almost always the fix. Your package index is stale and needs refreshing before apt can find the package.

Install with Go

To get the newest release before your distro's repos catch up, install straight from source. You need Go 1.19 or later on your PATH:

go install github.com/OJ/gobuster/v3@latest

This drops the binary in ~/go/bin/. Add that directory to your PATH if the command is not found afterward.

Confirm the Version

gobuster version

Check that you are on a 3.x release. The flag behavior described below changed between versions 2 and 3, and again around 3.2, so an old build will not match these examples.

Gobuster's Enumeration Modes

Unlike single-purpose scanners, Gobuster is a collection of modes under one binary. You pick the mode as the first argument, and each has its own flags. Knowing which mode to reach for saves you from forcing the wrong tool at a problem.

  • dir - Brute-forces directories and files on a web server. This is the mode you will use most.
  • dns - Discovers subdomains of a domain by resolving candidate names.
  • vhost - Finds virtual hosts served from the same IP by varying the Host header.
  • fuzz - Replaces a FUZZ keyword anywhere in the request, for parameters, headers, or paths.
  • s3 and gcs - Hunt for open Amazon S3 and Google Cloud Storage buckets.

The rest of this guide focuses on dir, dns, and vhost, which cover the vast majority of real work.

💻
Practice this now: Hidden CMS Breach - use Gobuster to uncover a hidden content management system and work your way to the flag, all in the browser with no setup.

How to Use Gobuster for Directory Enumeration

The dir mode is the heart of the tool. Every scan needs two things: a target URL with -u and a wordlist with -w. Everything else is refinement.

Step 1: Run a Basic Scan

Start with a small, common wordlist to get quick wins without hammering the target:

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

Gobuster prints each discovered path with its status code and response size. A result line looks like this:

/admin                (Status: 301) [Size: 312] [--> /admin/]
/index.php            (Status: 200) [Size: 5124]
/backup               (Status: 403) [Size: 278]

Step 2: Add File Extensions

A bare wordlist only tests directory names. Real targets hide files too, so tell Gobuster which extensions to append with -x:

gobuster dir -u http://target.com -w common.txt -x php,txt,html,bak

Now each word is tested as a directory and as word.php, word.txt, word.html, and word.bak. Match the extensions to the stack you found during recon. An Nmap fingerprint that shows PHP means php,phtml,php5 belong on the list, while an IIS box calls for asp,aspx.

Step 3: Tune Threads and Wordlist Size

The default is 10 threads. Bump it up for speed on a server that can take the load:

gobuster dir -u http://target.com -w directory-list-2.3-medium.txt -x php,txt -t 50 -o results.txt

The -t 50 raises concurrency to 50 threads and -o results.txt saves output to a file for your report. Drop the thread count back to 5 or 10 if you see connection errors or the target starts rate-limiting you. For a deeper look at which wordlists find the most content, our Gobuster wordlist guide breaks down the trade-offs.

Step 4: Read the Status Codes

Status codes tell you what you found. Focus on these:

  • 200 OK - The resource exists and returns content. Investigate it.
  • 301 / 302 - A redirect, often a directory pointing to its trailing-slash version.
  • 403 Forbidden - The path exists but access is blocked. These are gold, because the server just confirmed something is there.
  • 401 Unauthorized - Authentication required, so you found a protected area.

Modern Gobuster (3.1 and later) hides 404s by default through a status-code blacklist and shows everything else. If you would rather work from a whitelist, set -s 200,301,302,401,403 and clear the blacklist with -b "". Gobuster refuses to run with both a whitelist and a blacklist set at once, which trips up a lot of first-time users.

Gobuster Command Cheat Sheet

These are the dir mode flags worth memorizing. Most scans use only a handful, but knowing the full set lets you shape a scan to an awkward target.

FlagPurpose
-uTarget URL
-wPath to the wordlist
-xFile extensions to append (php,txt,bak)
-tNumber of concurrent threads (default 10)
-sStatus codes to show (whitelist)
-bStatus codes to hide (blacklist, default 404)
--exclude-lengthHide responses of a given byte length
-kSkip TLS certificate verification (self-signed HTTPS)
-rFollow redirects
-oWrite output to a file
-HAdd a custom header (auth tokens, cookies)
--wildcardContinue even when the server responds to everything

Filtering False Positives with --exclude-length

Here is the problem that wastes the most time. Some servers answer every request with a 200 status and a friendly custom page instead of a real 404. Gobuster sees a 200 and reports every single word as a hit, burying your genuine findings under thousands of fakes.

The fix is --exclude-length. Those fake pages are almost always identical, so they share the same byte length. Note the length in the noise, then exclude it:

gobuster dir -u http://target.com -w common.txt --exclude-length 1234

In practice, this one flag turns an unusable scan into a clean one. Run the scan once, spot the repeating [Size: 1234] value across obviously wrong results, then re-run with that length excluded. You can pass ranges too, such as --exclude-length 1200-1300, when the fake pages vary slightly.

DNS and Virtual Host Enumeration

Directory busting is only one job Gobuster does. Two other modes widen your attack surface before you ever touch a single web path.

Subdomain Discovery with dns Mode

The dns mode finds subdomains by resolving candidate names against DNS. Use -d for the domain instead of -u:

gobuster dns -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50

Add -i to print the resolved IP addresses alongside each hit. Subdomains like dev.example.com or staging.example.com often run weaker security than the production site, which makes them worth the extra step.

Virtual Host Discovery with vhost Mode

Many servers host several sites on one IP and decide which to serve based on the Host header. The vhost mode brute-forces that header to find hidden sites:

gobuster vhost -u http://example.com -w vhosts.txt --append-domain

Watch the --append-domain flag. Gobuster 3.2 and later no longer appends the base domain to each word automatically, so without this flag your scan tests bare words like admin instead of admin.example.com and finds nothing. This change quietly broke a lot of older tutorials.

Gobuster vs DirBuster vs ffuf

Gobuster is not the only content-discovery tool, and it is not always the right one. Here is an honest comparison of the three you will meet most often.

FeatureGobusterDirBusterffuf
SpeedFast (Go)Slow (Java)Fast (Go)
InterfaceCLIGUICLI
DNS / vhost modesYesNoVia fuzzing
Recursive scanningNoYesPlugin
Response filteringLength, statusBasicAdvanced
Learning curveGentleGentleSteeper

My take: reach for Gobuster when you want a fast, no-nonsense scan and clean command-line output. It is the best default for directory and subdomain work. Switch to ffuf when you need surgical response filtering or want to fuzz parameters and headers, and use it when Gobuster's lack of built-in recursion becomes a limit. DirBuster still earns its place if you genuinely prefer a GUI, but for scripted and repeatable testing it has been overtaken. If you are coming from the Java tool, our DirBuster tutorial maps the two workflows side by side.

Tips for Cleaner, Faster Scans

Speed is easy. Signal is hard. These habits keep your results readable and keep you off the target's radar.

  • Recon before you brute-force. Fingerprint the server and stack first so your wordlist and extensions match reality instead of guessing blind.
  • Start small, then go deep. Run common.txt first. When you find something like /api/, launch a fresh scan against that path rather than one giant sweep.
  • Chase 403s. A forbidden response confirms the path exists. That is often more useful than a 200, because it points at something worth protecting.
  • Mind the noise. High thread counts finish faster but light up intrusion detection. On engagements with a low-and-slow requirement, drop to 5 threads.
  • Use quality wordlists. The SecLists collection under /usr/share/seclists/Discovery/Web-Content/ is built from real-world crawls and outperforms generic lists.

Directory enumeration is one small slice of web assessment. To see where it fits in a full methodology, the OWASP Web Security Testing Guide documents the reconnaissance and content-discovery phases in detail.

Critical reminder: Gobuster can fire thousands of requests at a server in seconds. Running it against a system you do not own or have written permission to test is illegal in most countries, no matter your intent.

Directory brute-forcing is noisy and unmistakably active. It leaves a clear trail in server logs and looks identical to an attack, because it is the same technique an attacker would use. Only point it at targets where you have authorization.

Where Gobuster Is Fair Game

  • Penetration tests covered by a signed engagement letter that lists the target scope
  • Bug bounty programs where enumeration is explicitly in scope
  • Systems and applications you own
  • CTF competitions and deliberately vulnerable labs built for practice

Keep your authorization documented and within reach for the duration of any engagement. "I was only learning" is not a defense that holds up once you have touched a system without permission.

Frequently Asked Questions

What is Gobuster used for?

Gobuster is used to discover hidden directories, files, DNS subdomains, and virtual hosts on a target during authorized security testing. It brute-forces these by sending requests built from a wordlist and reporting which ones the server responds to.

How do I install Gobuster on Kali Linux?

Run sudo apt update && sudo apt install gobuster. Gobuster is usually pre-installed on Kali. If you see "unable to locate package gobuster," run apt update first to refresh the package index, then try again.

Is Gobuster better than DirBuster?

For most work, yes. Gobuster is written in Go and runs far faster than the Java-based DirBuster, and it adds DNS and virtual host modes. DirBuster's only real advantages are its GUI and built-in recursion, so pick it if you want those specifically.

How do I stop Gobuster from reporting false positives?

Use the --exclude-length flag. When a server returns 200 for every request with an identical custom page, those fake results share the same byte length. Note that length and exclude it, for example --exclude-length 1234, to filter the noise.

Why does my Gobuster vhost scan find nothing?

You are probably missing the --append-domain flag. Gobuster 3.2 and later no longer append the base domain automatically, so each wordlist entry is tested as a bare word instead of a full hostname. Add --append-domain to fix it.

What is the best wordlist for Gobuster?

Start with common.txt from the dirb package for fast scans, then move to directory-list-2.3-medium.txt or the SecLists Web-Content lists for deeper coverage. Match the wordlist size to your time budget and the value of the target.

Your Next Steps

You now know how to use Gobuster across its main modes: directory and file discovery with dir, subdomain hunting with dns, and virtual host enumeration with vhost. The details that matter most in real work are matching extensions to the target stack, tuning threads to stay under the radar, and cutting false positives with --exclude-length. Get those right and Gobuster turns a blank homepage into a map of the whole application.

The fastest way to lock this in is to run the tool against a live target. Try our Hidden CMS Breach lab to enumerate a real hidden application in the browser, then go deeper with the web attacks course to see where content discovery fits into a full web assessment. Start with HackerDNA's free tier, no credit card required, and practice the technique instead of just reading about it.

HackerDNA Team

HackerDNA Team

Written by the HackerDNA team - cybersecurity professionals building hands-on hacking labs and educational content to help you develop real-world security skills.

Meet the Team

Ready to put this into practice?

Stop reading, start hacking. Get hands-on experience with 170+ real-world cybersecurity labs.

Start Hacking Free
15,000+ Hackers 100+ Labs & Courses Free
Start Hacking Free