Gobuster Cheat Sheet
Complete Directory & DNS Enumeration Reference
Directory Brute-Force • DNS Subdomains • Vhost Discovery • S3 Buckets
📅 Updated: December 2024 • ⏱️ 15 min read • 🔧 Gobuster 3.6+
📑 Quick Navigation
Dir Mode
DNS Mode
Vhost Mode
Fuzz Mode
S3 Mode
Wordlists
What is Gobuster?
Gobuster is a tool for brute-forcing URIs, DNS subdomains, virtual host names, open Amazon S3 buckets, and more. Written in Go, it's extremely fast and supports concurrent connections for maximum speed.
Gobuster comes pre-installed on Kali Linux. Source code at github.com/OJ/gobuster.
📦 Installation
Kali Linux
sudo apt install gobusterGo Install
go install github.com/OJ/gobuster/v3@latestmacOS (Homebrew)
brew install gobuster🔧 Modes Overview
| Mode | Purpose |
|---|---|
| dir | Directory/file enumeration |
| dns | DNS subdomain enumeration |
| vhost | Virtual host enumeration |
| fuzz | Fuzzing with FUZZ keyword |
| s3 | Amazon S3 bucket enumeration |
| gcs | Google Cloud Storage enumeration |
| tftp | TFTP file enumeration |
📁 Dir Mode (Directory Enumeration)
# Basic directory scangobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt# With file extensionsgobuster dir -u http://<target> -w wordlist.txt -x php,html,txt,bak# More threads (faster)gobuster dir -u http://<target> -w wordlist.txt -t 50# With authenticationgobuster dir -u http://<target> -w wordlist.txt -U admin -P password# With cookiesgobuster dir -u http://<target> -w wordlist.txt -c "session=abc123"# Filter by status codesgobuster dir -u http://<target> -w wordlist.txt -s "200,204,301,302,307"# Exclude status codesgobuster dir -u http://<target> -w wordlist.txt -b "404,403"# Output to filegobuster dir -u http://<target> -w wordlist.txt -o results.txt
Dir Mode Options
| Flag | Description |
|---|---|
| -u URL | Target URL |
| -w WORDLIST | Path to wordlist |
| -x EXTENSIONS | File extensions to search |
| -t THREADS | Number of threads (default 10) |
| -s STATUS | Include status codes |
| -b STATUS | Exclude status codes |
| -c COOKIE | Cookie string |
| -H HEADER | Custom header |
| -a USER-AGENT | Custom User-Agent |
| -r | Follow redirects |
| -k | Skip TLS verification |
| -n | Don't print status codes |
| -e | Print full URLs |
| --timeout DURATION | HTTP timeout |
🌐 DNS Mode (Subdomain Enumeration)
# Basic subdomain scangobuster dns -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt# Show IP addressesgobuster dns -d example.com -w wordlist.txt -i# Custom DNS resolvergobuster dns -d example.com -w wordlist.txt -r 8.8.8.8# Show CNAME recordsgobuster dns -d example.com -w wordlist.txt -c# Wildcard detectiongobuster dns -d example.com -w wordlist.txt --wildcard
DNS Mode Options
| -d DOMAIN | Target domain |
| -i | Show IP addresses |
| -c | Show CNAME records |
| -r RESOLVER | Use custom DNS resolver |
| --wildcard | Force wildcard detection |
🏠 Vhost Mode (Virtual Host Enumeration)
# Basic vhost scangobuster vhost -u http://<target> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt# Append domain to wordlist entriesgobuster vhost -u http://<target> -w wordlist.txt --append-domain# With custom domaingobuster vhost -u http://192.168.1.100 -w wordlist.txt --domain example.local
💡 Vhost vs DNS Mode
DNS mode queries DNS servers for subdomains. Vhost mode sends HTTP requests with different Host headers to find virtual hosts on the same IP (useful when subdomains aren't in DNS).
🎯 Fuzz Mode
Use the FUZZ keyword to specify where to inject wordlist entries.
# Fuzz URL parametergobuster fuzz -u "http://<target>/api?id=FUZZ" -w numbers.txt# Fuzz pathgobuster fuzz -u "http://<target>/FUZZ/admin" -w wordlist.txt# Fuzz with headersgobuster fuzz -u "http://<target>/api" -w wordlist.txt -H "X-Custom-Header: FUZZ"# Exclude certain responsesgobuster fuzz -u "http://<target>/FUZZ" -w wordlist.txt -b "404" --exclude-length 1234
☁️ S3 Mode (AWS Bucket Enumeration)
# Basic S3 bucket scangobuster s3 -w bucket-names.txt# With more threadsgobuster s3 -w bucket-names.txt -t 50
⚙️ Global Options
| Flag | Description |
|---|---|
| -t THREADS | Number of concurrent threads |
| -o FILE | Output file |
| -v | Verbose output |
| -q | Quiet mode (no banner) |
| --no-error | Don't display errors |
| --delay DURATION | Delay between requests |
| -p PATTERN | File with replacement patterns |
📚 Recommended Wordlists
| Purpose | Path (SecLists) |
|---|---|
| Directories (Quick) | /usr/share/wordlists/dirb/common.txt |
| Directories (Medium) | /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt |
| Directories (Large) | /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt |
| Subdomains | /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt |
| API Endpoints | /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt |
| Raft (Various) | /usr/share/seclists/Discovery/Web-Content/raft-medium-*.txt |
🔥 Common Attack Scenarios
# Quick directory scan with common extensionsgobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt -x php,html,txt -t 50# Comprehensive subdomain discoverygobuster dns -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 50# Find backup filesgobuster dir -u http://<target> -w wordlist.txt -x bak,old,backup,~,swp# API endpoint discoverygobuster dir -u http://<target>/api -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt# Virtual host discovery with IPgobuster vhost -u http://192.168.1.100 -w wordlist.txt --append-domain --domain target.local
📚 Additional Resources
📂 Gobuster Cheat Sheet Complete!
You now have a comprehensive reference for the fastest directory and subdomain brute-forcer. From directory enumeration to virtual host discovery, these commands are essential for reconnaissance.
Dir Mode
DNS Mode
Vhost Mode
Fuzz Mode
S3 Mode
Ready to discover hidden content!