GoBuster is a Go-based tool used to brute-force URIs (directories and files) in web sites and DNS subdomains (with wildcard support) – essentially a directory/file & DNS busting tool.
The author built YET ANOTHER directory and DNS brute forcing tool because he wanted..
- … something that didn’t have a fat Java GUI (console FTW).
- … to build something that just worked on the command line.
- … something that did not do recursive brute force.
- … something that allowed me to brute force folders and multiple extensions at once.
- … something that compiled to native on multiple platforms.
- … something that was faster than an interpreted script (such as Python).
- … something that didn’t require a run-time.
- … use something that was good with concurrency (hence Go).
- … to build something in Go that wasn’t totally useless.
Using GoBuster Directory/File & DNS Busting Tool
There are many options for GoBuster, these include:
root: ./gobuster –help
–fw – force processing of a domain with wildcard results.
–np – hide the progress output.
–m <mode> – which mode to use, either dir or dns (default: dir).
–q – disables banner/underline output.
–t <threads> – number of threads to run (default: 10).
–u <url/domain> – full URL (including scheme), or base domain name.
–v – verbose output (show all results).
–w <wordlist> – path to the wordlist used for brute forcing (use – for stdin).
–cn – show CNAME records (cannot be used with ‘-i’ option).
–i – show all IP addresses for the result.
–a <user agent string> – specify a user agent string to send in the request header.
–c <http cookies> – use this to specify any cookies that you might need (simulating auth).
–e – specify extended mode that renders the full URL.
–f – append / for directory brute forces.
–k – Skip verification of SSL certificates.
–l – show the length of the response.
–n – “no status” mode, disables the output of the result‘s status code.
–o <file> – specify a file name to write the output to.
–p <proxy url> – specify a proxy to use for all requests (scheme much match the URL scheme).
–r – follow redirects.
–s <status codes> – comma–separated set of the list of status codes to be deemed a “positive” (default: 200,204,301,302,307).
–x <extensions> – list of extensions to check for, if any.
–P <password> – HTTP Authorization password (Basic Auth only, prompted if missing).
–U <username> – HTTP Authorization username (Basic Auth only).
–to <timeout> – HTTP timeout. Examples: 10s, 100ms, 1m (default: 10s).
You can download GoBuster here:
Or read more here.