What is Gobuster? How to Use It and Find Hidden Directories?

what is gobuster

Gobuster is like a detective partner who can help you investigate secret spaces on a website. You don’t know exactly where it is, but you have some clues.

What is Gobuster?

This is a very powerful and useful tool that is written in Go language, an open-source, low-level language (much like C or Rust) developed by a team at Google and other contributors.

It is a helpful tool for security professionals to find hidden weaknesses in websites. By using it responsibly, we can help keep websites safe and secure.

Websites are like buildings with many rooms (directories and files). Some rooms are public and easy to find, like the homepage (main entrance). But there might be hidden rooms with secret information (like hidden files with sensitive data).

Using this tool is like trying different keys (words) to open different doors (website locations) on the website. It checks if a specific location exists and gives you a clue if it finds something interesting.

Here’s how it works:

The Detective with a List:

You (the detective) give this tool a list of possible room names (words or phrases). This list is called a wordlist.

Trying the Keys:

It goes through the list, trying each word (key) as a location (door) on the website. For example, it might try “login”, “admin”, “images”, or any other word from the list.

Finding the Hidden Rooms:

If it tries a location and the website responds in a particular way (like showing a different page or error message), it might be a hidden room! This tool tells you which locations seem interesting.

Why use Gobuster?

There are two main reasons:

● Security Testing:

Website owners can use this tool to find weaknesses on their website before someone else does. This helps them fix any problems and keep their website secure.

● Ethical Hacking:

Ethical hackers use this tool to help website owners find hidden vulnerabilities they might have missed. This helps make the website stronger.

Gobuster Scanner How-to Guide

It is a powerful scanning tool that enables penetration testers and security enthusiasts to discover hidden directories, files, subdomains, and virtual hosts on target domains.

Modes of Gobuster

This tool offers multiple modes to cater to different scanning needs. Understanding these modes is essential before diving into the scanning process.

1. Dir Mode:

The Dir mode is the classic directory brute-forcing mode, focusing on enumerating URIs for directories and files. To utilize this mode, the following syntax is employed:


gobuster dir [options]

This mode is particularly useful for discovering extra content within a target domain or its subdomains. By using the `-u` option, users can specify the target domain, and the `-w` option allows the selection of a wordlist for brute-forcing.


gobuster dir -u https://www.geeksforgeeks.org/ -w /usr/share/wordlists/big.txt

2. DNS Mode:

The DNS mode focuses on brute-forcing subdomains within a target domain. By using the `-d` option to specify the target domain and the `-w` option to select a wordlist, users can uncover hidden or unidentifiable subdomains.


gobuster dns -d geeksforgeeks.org -w /usr/share/wordlists/big.txt

3. Vhost Mode:

The Vhost mode is designed to identify virtual hosts on the victim server, essential for scenarios where multiple domain names share a single server. This mode checks the existence of subdomains by visiting the formed URL and cross-checking the IP address.


gobuster vhost -u https://www.example.com -w /usr/share/wordlists/big.txt

Understanding Flags in Gobuster:

After selecting the appropriate mode, this tool provides an array of flags to customize and refine the scanning process. Some key options include:

-h, –help: help for gobuster

-z, –no progress: Don’t display progress

-o, –output string: Specify the output file to write results to (defaults to stdout).

-q, –quiet: Suppress banner and other noise for a quieter output.

-t, –threads int: Set the number of concurrent threads (default 10) to enhance scanning speed.

-v, –verbose: Enable verbose output, useful for debugging or identifying errors.

-n, –no-status: Hide the status code, displaying results without presenting the status code.

-w, –wordlist string: Path to wordlist.

Target Specification and GoBuster Wordlist Usage:

For effective scanning, users must specify the target URL, IP address, or hostname using the `-u` option. Additionally, it employs a brute-force attack to enumerate hidden directories and files, requiring a wordlist specified by the `-w` option.


gobuster dir -u https://www.geeksforgeeks.org/ -w /usr/share/wordlists/big.txt

Enumerating Files and Full Path Extraction:

This tool can be configured to enumerate hidden files alongside directories. The `-x` option followed by file extensions allows users to search for specific file types.


gobuster dir -u https://www.geeksforgeeks.com -w /usr/share/wordlists/big.txt -x php,html,htm

For extracting the full path of a directory or file, the `-e` option can be used.


gobuster dir -e -u geeksforgeeks.org -w /usr/share/wordlists/big.txt

Optimizing Your Gobuster Scans

To make the most of this tool, consider the following optimization techniques:

  • Threading for Speed
  • Specifying Extensions
  • Recursive Scanning
  • Filtering Results

Usage of Gobuster Tool

This is a versatile and powerful tool for directory and file brute-forcing, offering a range of advanced features that can significantly enhance your scanning capabilities. In this section, we’ll walk through several practical examples demonstrating the usage of its advanced options.

1. Obtaining Full Path for a Directory or File

The `-e` option is particularly useful for obtaining the full path when extracting hidden files or directories. This can be crucial for understanding the structure of the target website. Here’s an example command:


gobuster dir -e -u geeksforgeeks.org -w /usr/share/wordlists/dirb/common.txt –wildcard

This command will display the complete URL path for each discovered item, providing valuable information about the website’s hierarchy.

2. Hide Status Code

The `-n` option allows you to hide the status code in the results’ output. This is useful for obtaining a cleaner and more focused output without being overwhelmed by status information. Here’s how to use it:


gobuster dir -u geeksforgeeks.org -w /usr/share/wordlists/dirb/common.txt -n –wildcard

This command will present the results without displaying the status codes, making it easier to interpret the findings.

3. Disable Banner

It typically adds a banner to introduce the applied options when launching a brute force attack. However, if you prefer a cleaner output without the banner, you can use the `-q` option. Here’s an example:


gobuster dir -u geeksforgeeks.org -w /usr/share/wordlists/dirb/common.txt -q –wildcard

This command will disable the banner, providing a more concise and focused result.

4. Set Threads Number

To control the number of concurrent threads during the brute-forcing process, the `-t` option can be utilized. This is beneficial when dealing with large-scale scans. Here’s an example:


gobuster dns -d geeksforgeeks.org -t 100 -w /usr/share/wordlists/dirb/common.txt –wildcard

In this command, 100 threads are specified to speed up the brute-forcing of sub-domain names or directories.

5. Obtain Subdomain IPs

The `-i` option allows you to obtain the IP addresses of selected sub-domains. This can be crucial for further investigation or understanding the network architecture. Here’s an example in the context of DNS mode:


gobuster dns -d geeksforgeeks.org -t 100 -w /usr/share/wordlists/dirb/common.txt -i –wildcard

This command reveals the IP addresses associated with the discovered sub-domains.

6. Timeout

Using the `–timeout` option, you can set the timeout parameter for HTTP requests. The default timeout is 5 seconds. Here’s an example:


gobuster dir –timeout 5s -u geeksforgeeks.org -t 100 -w /usr/share/wordlists/dirb/common.txt –wildcard

Adjusting the timeout can be beneficial in scenarios where a longer or shorter timeout is necessary.

7. Appending Forward Slash

The `-f` option allows the appending of a forward slash during a brute-force attack on the target URL. This is useful for ensuring correct path handling. Here’s an example:


gobuster dir -u geeksforgeeks.org -w /usr/share/wordlists/dirb/common.txt -f –wildcard

Appending the forward slash can be crucial when dealing with web servers that require the correct path structure.

Its advanced features empower users to customize their scans according to specific requirements and preferences. By incorporating these options into your scanning routine, you can gain more control over the process and extract valuable information efficiently.

Examples of its Usages:

  • Finding Hidden Directories
  • Locating Sensitive Files
  • Brute Forcing Login Pages

How to Install Gobuster

The installation process for this tool depends on your operating system. Here’s a breakdown of the two most common scenarios:

Installing Gobuster on Kali Linux:

Kali Linux, a popular penetration testing distribution, doesn’t include this tool by default. However, it’s readily installable using the package manager. Here’s how:

1. Open a terminal window: You can find this by searching for “Terminal” in the applications menu.

2. Update package lists: This ensures you have access to the latest versions of software. Type the following command and press enter:


sudo apt update

3. Install Gobuster: Use the apt command to install. Type the following command and press enter:


sudo apt install gobuster

4. Verify installation: Once the installation finishes, type gobuster -h and press enter. This should display the help menu, confirming a successful installation.

Installing Gobuster on Other Linux Distributions:

For other Linux distributions, you have two options:

  • Using the package manager: Many distributions offer it pre-packaged. Consult your distribution’s documentation to find the appropriate package name and installation command using its package manager (e.g., yum, dnf, pacman).
  • Compiling from source: If it isn’t available in your distribution’s repositories, you can compile it from source code. This requires having Go installed on your system. Download the source code from the official its repository https://github.com/PentestBox/gobuster and follow the compilation instructions in the README file.

How to Use Gobuster to Find Hidden Directories, Sub-Domains, and S3 Buckets?

While websites often showcase their main content prominently, valuable information can sometimes be hidden. Here’s a roadmap for using this powerful tool, to uncover these hidden gems:

Finding Hidden Directories:

Gather Information:

Before diving in, it’s crucial to understand the target website’s structure. Use tools like whois or online DNS record checkers to identify any subdomains.

Prepare Your Arsenal:

You’ll need two things: This tool (installation instructions provided previously) and a wordlist containing potential directory names. Common wordlists can be found online, but you can also create your own based on the website’s theme.

Launch the Attack:

Open your terminal and navigate to the directory where your wordlist is saved. Use the following command, replacing <target_url> with the website’s URL (including protocol, e.g., https://) and <wordlist> with the path to your wordlist:


gobuster dir -u <target_url> -w <wordlist>

This command instructs this tool to scan the target URL for directories using the provided wordlist.

Analyze the Results:

This tool will display a list of URLs it attempted and the corresponding response code. A status code of 200 (OK) indicates a potentially valid directory. Manually review these URLs to confirm their existence and relevance.

Finding Hidden Subdomains:

  • Wordlist Selection:

Here, you’ll need a wordlist containing potential subdomains. Pre-built subdomain wordlists are available online, but you can also craft one based on the target domain name and common subdomain prefixes (e.g., mail, admin).

  • Gobuster in Action:

Use the following command, replacing <target_domain> with the domain name (e.g., example.com) and <wordlist> with your subdomain wordlist path:


gobuster dns -d <target_domain> -w <wordlist>

This command instructs this tool to scan for subdomains of the target domain using the provided wordlist.

Result Review:

This tool will display a list of subdomains it attempted to resolve along with the corresponding IP address (if found). Valid subdomains will have a corresponding IP address. Further investigation using tools like ping or a web browser can confirm their existence.

Finding S3 Buckets:

Scanning for S3 buckets can be ethically questionable. It’s crucial to ensure you have permission to scan a specific domain before proceeding.

1. Wordlist Acquisition:

You’ll need a wordlist containing potential S3 bucket names. These can be found online, but keep in mind the ethical considerations mentioned above.

2. Gobuster Command:

Use the following command, replacing <target_domain> with the domain name (e.g., example.com) and <wordlist> with your S3 bucket wordlist path:


gobuster s3 -u <target_domain> -w <wordlist>

This command instructs Gobuster to scan for S3 buckets associated with the target domain using the provided wordlist.

3. Interpreting Results:

Gobuster will display a list of URLs it attempted and the corresponding response code. A status code of 302 (Found) often indicates a potential S3 bucket. However, proceed with caution and respect for data privacy.


  • Always obtain permission before scanning any domain.
  • Use the information gathered responsibly.
  • Be aware that some websites may have countermeasures to prevent directory brute-forcing.

By following these steps and adhering to ethical guidelines, Gobuster can become a valuable tool in your penetration testing arsenal, helping you unearth hidden information within the web’s vast landscape.

Is Gobuster illegal?

Gobuster itself isn’t an illegal tool. However, it is a great tool used for hacking and can be used for good as well as bad purposes. The legality completely depends on permission.

If you use this tool to scan a website without the owner’s consent, it’s trespassing in the digital world. This can violate laws against unauthorized access to computer systems.

When a website owner allows you to use Gobuster to test their security (like an ethical hacker helping a building manager), it’s perfectly legal. It’s a valuable security practice.

Here’s the Risk:

Even with good intentions, accidentally overloading the website with requests (like knocking too many times) can be disruptive. It’s important to be respectful and use it responsibly.

In short, Gobuster is a legal tool when used with permission for security testing. Without permission, it can be illegal. Always prioritize responsible use and respect for other people’s websites.

Gobuster vs Dirbuster

In the thrilling world of penetration testing, where security researchers unearth hidden vulnerabilities, two warriors stand out: Gobuster and Dirbuster. Both specialize in a technique called directory brute-forcing, essentially trying different directory names on a website until they find a valid one. But which champion reigns supreme? Let’s delve into the ring and compare!

InterfaceCommand-line onlyGUI and command-line
RecursionNoYes (optional)
Wordlist SupportYesYes
CustomizationMore flexible commandsLimited options
Ease of UseSteeper learning curveEasier to use

Gobuster takes the crown for speed thanks to the efficiency of the Go programming language. For large website scans, its swiftness is a clear advantage. However, Dirbuster offers a user-friendly GUI for those less comfortable with the command line. Additionally, its optional recursive search can unearth deeply nested directories in one go, which the Go language tool can’t do in a single command.

Ultimately, the win depends on your priorities. Need blazing-fast scans and advanced customization? The Go language tool is your champion. If a user-friendly interface and recursive search are key, Dirbuster might be your best bet. Consider your testing goals and comfort level to choose the directory brute-forcing tool that best suits your penetration testing needs!

Ffuf vs Gobuster

In the digital coliseum of web security testing, two gladiators lock horns: ffuf and Gobuster. Both wield the fearsome technique of fuzzing, bombarding websites with a barrage of potential URLs to uncover hidden directories and files. But which combatant emerges victorious? Let’s raise the metaphorical visor and size them up!

FocusFuzzingDirectory Brute-forcing
StrengthUncovering hidden filesFinding valid directories
FunctionalityMore versatileSimpler and faster
CustomizationHighly customizableMore limited options
Wordlist SupportYesYes
Regular ExpressionsPowerful supportLimited support
Ease of UseSteeper learning curveEasier to use

Ffuf is highly customizable, adept at not only uncovering hidden directories but also identifying sensitive files through different techniques. Its ability to leverage regular expressions further enhances its precision. However, Gobuster shines in its simplicity and speed. It’s a fantastic choice for straightforward directory brute-forcing.


Mastering Gobuster is an essential skill for anyone involved in penetration testing or cybersecurity. This efficient tool offers a wide range of scanning options, allowing users to uncover hidden vulnerabilities and strengthen the security of target systems. By understanding the different modes, options, and advanced techniques discussed in this guide, you can use the power of this tool to conduct effective and thorough scans, contributing to a more secure digital landscape.

Also Read- Best Automation Testing Tools

Leave a Reply

Your email address will not be published. Required fields are marked *