Gobuster Wordlist Guide: Best Lists for Directory Busting

What Is Gobuster and Why Wordlists Matter

Gobuster is a command-line tool written in Go that brute-forces directories, files, DNS subdomains, and virtual hosts on web servers. Unlike web crawlers that follow links, Gobuster takes a wordlist and systematically requests each entry against your target to discover hidden content that is not linked anywhere on the site.

The wordlist is the heart of any Gobuster scan. Think of it as a dictionary of guesses. Gobuster reads each word from the file and appends it to your target URL, checking if that path exists. A wordlist containing "admin" will test https://target.com/admin, while one containing "backup.sql" might reveal a database dump at https://target.com/backup.sql.

This approach has a critical implication: Gobuster can only find what is in your wordlist. If your list does not contain "administrator" but the target uses that path instead of "admin", you will miss it completely. This is why wordlist selection matters more than almost any other configuration option.

The balance between wordlist size and scan speed creates a constant trade-off. A 10,000-word list might complete in under a minute but miss uncommon paths. A 2-million-word list covers more ground but could take hours and generate suspicious traffic. Learning to choose the right wordlist for each situation is what separates efficient security testing from aimless scanning.

Where to Find Wordlists for Gobuster

Before diving into specific recommendations, you need to know where wordlists live. Most security-focused Linux distributions come with wordlists pre-installed, and several community projects maintain comprehensive collections.

Kali Linux Default Locations

Kali Linux includes wordlists in several directories:

• /usr/share/wordlists/ - Main wordlist directory
• /usr/share/wordlists/dirb/ - DIRB tool wordlists
• /usr/share/wordlists/dirbuster/ - DirBuster wordlists
• /usr/share/seclists/ - SecLists collection (if installed)

On a fresh Kali installation, you might need to extract the default rockyou.txt wordlist with gunzip /usr/share/wordlists/rockyou.txt.gz. The DirBuster lists are typically ready to use immediately.

SecLists: The Essential Collection

SecLists is the most comprehensive wordlist repository in the security community. Maintained by Daniel Miessler and the community on GitHub, it contains categorized lists for directory enumeration, subdomain discovery, password attacks, fuzzing, and more.

Install SecLists on Kali with:

sudo apt install seclists

Or clone directly from GitHub:

git clone https://github.com/danielmiessler/SecLists.git

After installation, you will find directory-focused wordlists under /usr/share/seclists/Discovery/Web-Content/. This folder alone contains dozens of specialized lists for different web technologies and use cases.

Other Notable Sources

Beyond SecLists, several other projects offer quality wordlists:

• Assetnote Wordlists - Generated from real-world data scraped from millions of websites
• FuzzDB - Attack patterns and discovery lists focused on application testing
• PayloadsAllTheThings - Includes wordlists alongside exploitation payloads

Best Gobuster Wordlists for Directory Enumeration in 2026

Not all wordlists are created equal. Here are the most effective options for directory and file discovery, organized by use case and size.

Quick Scans: Small Wordlists

When you need fast results or want to minimize traffic, these compact lists cover the most common paths:

• common.txt (4,614 entries) - The go-to starting point. Located at /usr/share/wordlists/dirb/common.txt, this list hits the most frequently used directory and file names.
• raft-small-directories.txt (20,000 entries) - From SecLists, compiled from real web crawl data. Excellent signal-to-noise ratio.

Example command for a quick scan:

gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt

Standard Scans: Medium Wordlists

For thorough testing without excessive time investment, medium-sized lists offer the best balance:

• directory-list-2.3-medium.txt (220,560 entries) - The industry standard for directory enumeration. Found at /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt.
• raft-medium-directories.txt (30,000 entries) - Curated from actual websites, less noise than the DirBuster lists.

The directory-list-2.3-medium is probably the most commonly used wordlist in penetration testing. Most tutorials and courses reference it, making it a reliable choice when you are unsure what to use.

Comprehensive Scans: Large Wordlists

When you need maximum coverage and have time to spare:

• directory-list-2.3-big.txt (1,273,833 entries) - Exhaustive coverage at the cost of long scan times.
• raft-large-directories.txt (62,000 entries) - Large but still manageable, good for important targets.

Large wordlists make sense for high-value targets or when initial scans came up empty. Always start smaller and escalate if needed.

Technology-Specific Wordlists

SecLists includes wordlists tailored to specific technologies:

• IIS.fuzz.txt - Microsoft IIS specific paths
• apache.txt - Apache web server paths
• nginx.txt - Nginx configuration paths
• tomcat.txt - Apache Tomcat directories
• PHP.fuzz.txt - PHP application paths
• CGIs.txt - Legacy CGI scripts

Fingerprint your target first using tools like Nmap or Wappalyzer, then select appropriate technology-specific lists. Check our Nmap cheat sheet for server fingerprinting techniques.

How to Use Wordlists with Gobuster

Understanding Gobuster's syntax helps you get the most out of any wordlist. Here are the essential commands and options for effective scanning.

Basic Directory Enumeration

The fundamental Gobuster command structure:

gobuster dir -u https://target.com -w /path/to/wordlist.txt

Key flags you should know:

• -u - Target URL (required)
• -w - Path to wordlist file (required)
• -t - Number of concurrent threads (default: 10)
• -x - File extensions to search for
• -o - Output file for results
• -k - Skip TLS certificate verification

Adding File Extensions

Many valuable files have extensions. Use the -x flag to append extensions to each wordlist entry:

gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,bak

This transforms "config" in your wordlist into requests for config, config.php, config.txt, config.html, and config.bak. Be aware that adding extensions multiplies your request count significantly.

Optimizing Scan Speed

Increase threads to speed up scans on responsive servers:

gobuster dir -u https://target.com -w wordlist.txt -t 50

Be careful with high thread counts. Some servers have rate limiting that will block your IP or return false negatives. Start with 10-20 threads and increase only if the target handles it well.

Filtering Results

Focus on relevant results by filtering status codes:

gobuster dir -u https://target.com -w wordlist.txt -s "200,204,301,302,307,401,403"

Or exclude unwanted codes:

gobuster dir -u https://target.com -w wordlist.txt -b "404,503"

403 Forbidden responses often indicate protected but existing directories, making them valuable finds even though access is denied.

Recursive Scanning

Gobuster does not natively support recursive scanning in a single command, but you can chain scans. When you discover a directory like /admin/, run a second scan against it:

gobuster dir -u https://target.com/admin/ -w wordlist.txt

Some wrapper scripts automate this process, but manual recursion gives you more control over which paths deserve deeper investigation.

Choosing the Right Wordlist for Your Target

Wordlist selection should be strategic, not random. Consider these factors when deciding which list to use.

Target Reconnaissance First

Before running Gobuster, gather information about your target:

• Web server type - Apache, Nginx, IIS, or others
• Programming language - PHP, ASP.NET, Python, Node.js
• Framework - WordPress, Django, Laravel, Express
• Industry - Healthcare, finance, and e-commerce have common patterns

This information guides wordlist selection. A PHP application warrants searching for .php files, while an ASP.NET site needs .aspx and .ashx extensions. If you are new to reconnaissance, our ethical hacking course covers these fundamentals.

Start Small, Then Expand

Always begin with a small wordlist. If common.txt reveals interesting directories, you have quick wins to investigate. If it returns nothing, move to medium or large lists. This approach saves time and reduces noise in your results.

Combine Multiple Wordlists

Merge wordlists for comprehensive coverage:

cat list1.txt list2.txt | sort -u > combined.txt

The sort -u removes duplicates, keeping your combined list efficient. This technique works well when you want both general coverage and technology-specific entries.

Consider Response Time

Slow servers demand smaller wordlists or patience. A target responding in 500ms per request will take over 30 hours to scan with directory-list-2.3-big. Calculate expected scan time before launching:

Estimated time = (wordlist entries × extensions) / (threads × requests per second)

Creating Custom Wordlists for Better Results

Generic wordlists work for generic targets. For specific applications or organizations, custom wordlists dramatically improve discovery rates.

CeWL: Custom Word List Generator

CeWL spiders a website and extracts words to build a target-specific wordlist:

cewl https://target.com -d 2 -m 5 -w custom_wordlist.txt

Flags explained:

• -d 2 - Spider depth of 2 levels
• -m 5 - Minimum word length of 5 characters
• -w - Output file

CeWL-generated lists often contain company-specific terms, product names, and terminology that generic wordlists miss entirely.

Building Lists from JavaScript Files

Modern web applications expose paths in JavaScript. Extract them to find API endpoints and hidden routes:

curl -s https://target.com/app.js | grep -oE '["'"'"'](/[a-zA-Z0-9_/-]+)["'"'"']' | tr -d '"'"'"' | sort -u

Many single-page applications bundle their entire routing table in JavaScript files, making this technique highly effective.

Wordlist Mutation

Transform existing wordlists to catch variations:

• Add common prefixes: admin → admin, admin_backup, admin_old
• Add date suffixes: backup → backup, backup2025, backup2026
• Case variations: Admin, ADMIN, admin
• Number substitutions: admin → adm1n, admin1, admin123

Tools like Mentalist and hashcat rules can automate wordlist mutation, though manual creation often produces more targeted results.

Learning from Results

Your findings inform future wordlists. If you discover /api/v1/users, add variations like /api/v2/users, /api/v1/admin, and /api/v1/config to your custom list. Over time, you build wordlists tuned to specific application patterns. Practice this iterative approach on CTF challenges to develop your intuition.

Common Wordlist Mistakes to Avoid

Even experienced testers make wordlist errors. Avoid these common pitfalls:

Using Only One Wordlist

Relying on a single wordlist limits your discoveries. Different lists have different strengths. RAFT lists come from real web crawl data, while DirBuster lists were compiled from security testing experience. Use both for better coverage.

Ignoring Case Sensitivity

Linux servers are case-sensitive. "Admin" and "admin" are different directories. Windows servers are typically case-insensitive. Know your target's operating system and adjust your approach. Some wordlists include case variations, while others require you to add the -n flag for lowercase normalization.

Forgetting File Extensions

A wordlist full of directory names misses files. Always consider what file types your target might serve and add appropriate extensions with -x.

Skipping Backup Extensions

Developers frequently leave backup files exposed: .bak, .old, .orig, .save, .swp, .tmp. These backups often contain source code or configuration details. Include backup extensions in your scans, especially on development or staging servers.

Not Customizing for the Target

Generic wordlists work generically. Take five minutes to research your target and add relevant terms. Company name, products, employee names, and industry terminology improve results significantly.

Overwhelming the Target

Large wordlists with high thread counts can trigger security alerts, crash unstable servers, or get your IP banned. Start conservatively and increase intensity only with proper authorization.

Ethics and Legal Considerations

Directory enumeration with Gobuster sends thousands of requests to a target server. This activity is only legal and ethical when you have explicit written authorization from the system owner.

Authorized uses include:

• Penetration testing with a signed scope agreement
• Bug bounty programs where directory enumeration is permitted
• Testing your own servers and applications
• CTF competitions and intentionally vulnerable labs
• Educational environments designed for security practice

Never scan:

• Production systems without written permission
• Targets outside your authorized scope
• Systems where terms of service prohibit security testing

Even with authorization, communicate with the target organization about your testing schedule. Unexpected traffic spikes can alarm security teams and waste incident response resources. Practice your skills on platforms like HackerDNA labs or other intentionally vulnerable environments before testing real systems.

Frequently Asked Questions

What is the best wordlist for Gobuster beginners?

Start with /usr/share/wordlists/dirb/common.txt. It contains about 4,600 entries covering the most frequently used directory and file names. This list runs quickly and teaches you Gobuster basics without overwhelming results.

Where do I find wordlists on Kali Linux?

The main wordlist directory is /usr/share/wordlists/. Install SecLists with sudo apt install seclists for the most comprehensive collection, which installs to /usr/share/seclists/.

How do I use a custom wordlist with Gobuster?

Simply provide the path with the -w flag: gobuster dir -u https://target.com -w /path/to/your/wordlist.txt. The wordlist should be a plain text file with one entry per line.

What is the difference between directory-list-2.3-small, medium, and big?

These DirBuster-originated lists differ in size: small has about 87,000 entries, medium has 220,000, and big has over 1.2 million. Larger lists find more paths but take exponentially longer to run. Medium is the most commonly used balance.

Should I use RAFT or DirBuster wordlists?

Both have value. RAFT lists come from crawling real websites, making them excellent for common paths. DirBuster lists were compiled from security testing experience and include more obscure entries. Use RAFT for quick scans and DirBuster for thorough testing, or combine them.

Can Gobuster find files without extensions?

Yes, Gobuster tests exactly what your wordlist contains. If your list has "config" without an extension, Gobuster requests /config. Add extensions with -x php,txt,bak to also test /config.php, /config.txt, and /config.bak.

Next Steps: Put Your Knowledge into Practice

You now understand how to select, use, and create effective wordlists for Gobuster. The key takeaways: start with small wordlists like common.txt, escalate to larger lists when needed, customize for your target, and always test within authorized scope.

The best way to build wordlist intuition is through practice. Work through CTF challenges that require directory enumeration, and pay attention to which wordlists succeed and which miss the mark. Over time, you will develop a sense for which lists fit which scenarios.

For hands-on practice with web application testing, explore our web attacks course where you can safely experiment with enumeration techniques against intentionally vulnerable targets. The more you practice choosing and creating wordlists, the more efficient your security testing becomes.