back to the arsenal

// arsenal·Web AppSecBeginnerFOSS

Gobuster

Fast directory, DNS-subdomain, and virtual-host brute-forcer in Go.

Web AppSec

$ gobuster --help

Gobuster

// what it is

Description

OJ Reeves' brute-forcer — the modern replacement for `dirb`. Drastically faster, has VHOST mode, and pipes cleanly into other tools.

// use cases

What people use it for

Discover hidden web directories
Subdomain bruteforce when passive enum misses things
VHOST discovery on shared-hosting boxes

// commands

The commands you'll type

Directory brute-force

$ gobuster dir -u https://target -w /usr/share/wordlists/dirb/common.txt -x php,html

DNS subdomain brute

$ gobuster dns -d target.tld -w subdomains.txt

// facts

category: Web AppSec
platforms: LIN · WIN · MAC
license: FOSS
difficulty: Beginner

// links

// related in Web AppSec

Web AppSecIntermediate

Burp Suite

PortSwigger's intercepting HTTP proxy — the de facto web app testing platform.

Web AppSecBeginner

OWASP ZAP

The free, OWASP-stewarded alternative to Burp.

Web AppSecBeginner

Nikto

Loud-but-fast web server scanner — checks for thousands of misconfigurations.