You have found a web server, but the homepage gives nothing away. No admin link, no obvious API, no sitemap. This is where learning how to use Gobuster pays off. Gobuster is a fast, Go-based tool that brute-forces hidden directories, files, DNS subdomains, and virtual hosts by throwing a wordlist at the target and watching how the server responds. It is one of the first tools most testers reach for during the enumeration phase of a penetration testing engagement.
This guide covers installation, every scan mode, the flags that actually matter, and the false-positive filtering that separates a clean report from a noisy one. You can follow along and run real scans against our hidden CMS breach lab, a browser-based target built for exactly this kind of content discovery.
TL;DR: Gobuster is a command-line directory and DNS brute-forcing tool written in Go. Run gobuster dir -u http://target -w wordlist.txt to enumerate hidden paths, add -x php,txt for file extensions, and use --exclude-length to kill false positives. It is faster than DirBuster, lighter than ffuf for simple jobs, and a core skill for web enumeration.
What Is Gobuster?
Gobuster is a directory, file, and DNS brute-forcing tool written in Go. It sends a stream of HTTP or DNS requests built from a wordlist, then reports which paths or names the target actually responds to. Testers use it to uncover content that is not linked anywhere in the site's navigation.
The tool exists because web applications hide more than they show. A running server usually holds resources the developers never meant to expose:
- Admin panels at paths like
/admin,/manage, or/wp-admin - Backup files such as
config.php.bakordatabase.sql - Version control leftovers like a
/.git/directory - API endpoints that appear in no public documentation
- Staging or debug pages such as
/phpinfo.php
Gobuster is written in Go, which is where its main advantage comes from. Go compiles to a single static binary and handles concurrency natively, so Gobuster runs many requests in parallel without the memory overhead of the older Java-based DirBuster. On a typical wordlist it finishes in a fraction of the time.
The project is open source and actively maintained on GitHub by OJ Reeves and a group of contributors. The current 3.x branch splits its work into distinct modes, which is the first thing to understand before you run a scan.
Installing Gobuster
Gobuster ships pre-installed on Kali Linux and Parrot OS. On a fresh system, or if you removed it, installation takes one command.
Install on Kali or Debian
sudo apt update && sudo apt install gobuster
If you skip apt update and hit the error unable to locate package gobuster, that is almost always the fix. Your package index is stale and needs refreshing before apt can find the package.
Install with Go
To get the newest release before your distro's repos catch up, install straight from source. You need Go 1.19 or later on your PATH:
go install github.com/OJ/gobuster/v3@latest
This drops the binary in ~/go/bin/. Add that directory to your PATH if the command is not found afterward.
Confirm the Version
gobuster version
Check that you are on a 3.x release. The flag behavior described below changed between versions 2 and 3, and again around 3.2, so an old build will not match these examples.
Gobuster's Enumeration Modes
Unlike single-purpose scanners, Gobuster is a collection of modes under one binary. You pick the mode as the first argument, and each has its own flags. Knowing which mode to reach for saves you from forcing the wrong tool at a problem.
- dir - Brute-forces directories and files on a web server. This is the mode you will use most.
- dns - Discovers subdomains of a domain by resolving candidate names.
- vhost - Finds virtual hosts served from the same IP by varying the Host header.
- fuzz - Replaces a
FUZZkeyword anywhere in the request, for parameters, headers, or paths. - s3 and gcs - Hunt for open Amazon S3 and Google Cloud Storage buckets.
The rest of this guide focuses on dir, dns, and vhost, which cover the vast majority of real work.
How to Use Gobuster for Directory Enumeration
The dir mode is the heart of the tool. Every scan needs two things: a target URL with -u and a wordlist with -w. Everything else is refinement.
Step 1: Run a Basic Scan
Start with a small, common wordlist to get quick wins without hammering the target:
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
Gobuster prints each discovered path with its status code and response size. A result line looks like this:
/admin (Status: 301) [Size: 312] [--> /admin/]
/index.php (Status: 200) [Size: 5124]
/backup (Status: 403) [Size: 278]
Step 2: Add File Extensions
A bare wordlist only tests directory names. Real targets hide files too, so tell Gobuster which extensions to append with -x:
gobuster dir -u http://target.com -w common.txt -x php,txt,html,bak
Now each word is tested as a directory and as word.php, word.txt, word.html, and word.bak. Match the extensions to the stack you found during recon. An Nmap fingerprint that shows PHP means php,phtml,php5 belong on the list, while an IIS box calls for asp,aspx.
Step 3: Tune Threads and Wordlist Size
The default is 10 threads. Bump it up for speed on a server that can take the load:
gobuster dir -u http://target.com -w directory-list-2.3-medium.txt -x php,txt -t 50 -o results.txt
The -t 50 raises concurrency to 50 threads and -o results.txt saves output to a file for your report. Drop the thread count back to 5 or 10 if you see connection errors or the target starts rate-limiting you. For a deeper look at which wordlists find the most content, our Gobuster wordlist guide breaks down the trade-offs.
Step 4: Read the Status Codes
Status codes tell you what you found. Focus on these:
- 200 OK - The resource exists and returns content. Investigate it.
- 301 / 302 - A redirect, often a directory pointing to its trailing-slash version.
- 403 Forbidden - The path exists but access is blocked. These are gold, because the server just confirmed something is there.
- 401 Unauthorized - Authentication required, so you found a protected area.
Modern Gobuster (3.1 and later) hides 404s by default through a status-code blacklist and shows everything else. If you would rather work from a whitelist, set -s 200,301,302,401,403 and clear the blacklist with -b "". Gobuster refuses to run with both a whitelist and a blacklist set at once, which trips up a lot of first-time users.
Gobuster Command Cheat Sheet
These are the dir mode flags worth memorizing. Most scans use only a handful, but knowing the full set lets you shape a scan to an awkward target.
| Flag | Purpose |
|---|---|
-u | Target URL |
-w | Path to the wordlist |
-x | File extensions to append (php,txt,bak) |
-t | Number of concurrent threads (default 10) |
-s | Status codes to show (whitelist) |
-b | Status codes to hide (blacklist, default 404) |
--exclude-length | Hide responses of a given byte length |
-k | Skip TLS certificate verification (self-signed HTTPS) |
-r | Follow redirects |
-o | Write output to a file |
-H | Add a custom header (auth tokens, cookies) |
--wildcard | Continue even when the server responds to everything |
Filtering False Positives with --exclude-length
Here is the problem that wastes the most time. Some servers answer every request with a 200 status and a friendly custom page instead of a real 404. Gobuster sees a 200 and reports every single word as a hit, burying your genuine findings under thousands of fakes.
The fix is --exclude-length. Those fake pages are almost always identical, so they share the same byte length. Note the length in the noise, then exclude it:
gobuster dir -u http://target.com -w common.txt --exclude-length 1234
In practice, this one flag turns an unusable scan into a clean one. Run the scan once, spot the repeating [Size: 1234] value across obviously wrong results, then re-run with that length excluded. You can pass ranges too, such as --exclude-length 1200-1300, when the fake pages vary slightly.
DNS and Virtual Host Enumeration
Directory busting is only one job Gobuster does. Two other modes widen your attack surface before you ever touch a single web path.
Subdomain Discovery with dns Mode
The dns mode finds subdomains by resolving candidate names against DNS. Use -d for the domain instead of -u:
gobuster dns -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50
Add -i to print the resolved IP addresses alongside each hit. Subdomains like dev.example.com or staging.example.com often run weaker security than the production site, which makes them worth the extra step.
Virtual Host Discovery with vhost Mode
Many servers host several sites on one IP and decide which to serve based on the Host header. The vhost mode brute-forces that header to find hidden sites:
gobuster vhost -u http://example.com -w vhosts.txt --append-domain
Watch the --append-domain flag. Gobuster 3.2 and later no longer appends the base domain to each word automatically, so without this flag your scan tests bare words like admin instead of admin.example.com and finds nothing. This change quietly broke a lot of older tutorials.
Gobuster vs DirBuster vs ffuf
Gobuster is not the only content-discovery tool, and it is not always the right one. Here is an honest comparison of the three you will meet most often.
| Feature | Gobuster | DirBuster | ffuf |
|---|---|---|---|
| Speed | Fast (Go) | Slow (Java) | Fast (Go) |
| Interface | CLI | GUI | CLI |
| DNS / vhost modes | Yes | No | Via fuzzing |
| Recursive scanning | No | Yes | Plugin |
| Response filtering | Length, status | Basic | Advanced |
| Learning curve | Gentle | Gentle | Steeper |
My take: reach for Gobuster when you want a fast, no-nonsense scan and clean command-line output. It is the best default for directory and subdomain work. Switch to ffuf when you need surgical response filtering or want to fuzz parameters and headers, and use it when Gobuster's lack of built-in recursion becomes a limit. DirBuster still earns its place if you genuinely prefer a GUI, but for scripted and repeatable testing it has been overtaken. If you are coming from the Java tool, our DirBuster tutorial maps the two workflows side by side.
Tips for Cleaner, Faster Scans
Speed is easy. Signal is hard. These habits keep your results readable and keep you off the target's radar.
- Recon before you brute-force. Fingerprint the server and stack first so your wordlist and extensions match reality instead of guessing blind.
- Start small, then go deep. Run
common.txtfirst. When you find something like/api/, launch a fresh scan against that path rather than one giant sweep. - Chase 403s. A forbidden response confirms the path exists. That is often more useful than a 200, because it points at something worth protecting.
- Mind the noise. High thread counts finish faster but light up intrusion detection. On engagements with a low-and-slow requirement, drop to 5 threads.
- Use quality wordlists. The SecLists collection under
/usr/share/seclists/Discovery/Web-Content/is built from real-world crawls and outperforms generic lists.
Directory enumeration is one small slice of web assessment. To see where it fits in a full methodology, the OWASP Web Security Testing Guide documents the reconnaissance and content-discovery phases in detail.
Legal and Ethical Considerations
Critical reminder: Gobuster can fire thousands of requests at a server in seconds. Running it against a system you do not own or have written permission to test is illegal in most countries, no matter your intent.
Directory brute-forcing is noisy and unmistakably active. It leaves a clear trail in server logs and looks identical to an attack, because it is the same technique an attacker would use. Only point it at targets where you have authorization.
Where Gobuster Is Fair Game
- Penetration tests covered by a signed engagement letter that lists the target scope
- Bug bounty programs where enumeration is explicitly in scope
- Systems and applications you own
- CTF competitions and deliberately vulnerable labs built for practice
Keep your authorization documented and within reach for the duration of any engagement. "I was only learning" is not a defense that holds up once you have touched a system without permission.
Frequently Asked Questions
What is Gobuster used for?
Gobuster is used to discover hidden directories, files, DNS subdomains, and virtual hosts on a target during authorized security testing. It brute-forces these by sending requests built from a wordlist and reporting which ones the server responds to.
How do I install Gobuster on Kali Linux?
Run sudo apt update && sudo apt install gobuster. Gobuster is usually pre-installed on Kali. If you see "unable to locate package gobuster," run apt update first to refresh the package index, then try again.
Is Gobuster better than DirBuster?
For most work, yes. Gobuster is written in Go and runs far faster than the Java-based DirBuster, and it adds DNS and virtual host modes. DirBuster's only real advantages are its GUI and built-in recursion, so pick it if you want those specifically.
How do I stop Gobuster from reporting false positives?
Use the --exclude-length flag. When a server returns 200 for every request with an identical custom page, those fake results share the same byte length. Note that length and exclude it, for example --exclude-length 1234, to filter the noise.
Why does my Gobuster vhost scan find nothing?
You are probably missing the --append-domain flag. Gobuster 3.2 and later no longer append the base domain automatically, so each wordlist entry is tested as a bare word instead of a full hostname. Add --append-domain to fix it.
What is the best wordlist for Gobuster?
Start with common.txt from the dirb package for fast scans, then move to directory-list-2.3-medium.txt or the SecLists Web-Content lists for deeper coverage. Match the wordlist size to your time budget and the value of the target.
Your Next Steps
You now know how to use Gobuster across its main modes: directory and file discovery with dir, subdomain hunting with dns, and virtual host enumeration with vhost. The details that matter most in real work are matching extensions to the target stack, tuning threads to stay under the radar, and cutting false positives with --exclude-length. Get those right and Gobuster turns a blank homepage into a map of the whole application.
The fastest way to lock this in is to run the tool against a live target. Try our Hidden CMS Breach lab to enumerate a real hidden application in the browser, then go deeper with the web attacks course to see where content discovery fits into a full web assessment. Start with HackerDNA's free tier, no credit card required, and practice the technique instead of just reading about it.
Part of the Penetration Testing series
Related articles: