Gobuster Cheat Sheet
gobuster is a fast, CLI-based enumeration tool written in Go. It is commonly used for directory/file discovery, DNS subdomain enumeration, and virtual host (vhost) fuzzing.
Directory Enumeration (dir)
gobuster dir -u http://example.com -w wordlist.txt
Specify Extensions
gobuster dir -u http://example.com -w wordlist.txt -x php,txt,bak,old
Threads & Timeout
gobuster dir -u http://example.com -w wordlist.txt -t 50 --timeout 10s
Filter Status Codes
gobuster dir -u http://example.com -w wordlist.txt -b 404
DNS Subdomain Enumeration
gobuster dns -d example.com -w subdomains.txt
DNS with Resolver
gobuster dns -d example.com -w subdomains.txt -r 8.8.8.8
Virtual Host Enumeration (vhost)
gobuster vhost -u http://example.com -w vhosts.txt
HTTPS with Insecure SSL
gobuster dir -u https://example.com -w wordlist.txt -k
Save Output
gobuster dir -u http://example.com -w wordlist.txt -o results.txt
Typical Workflow
gobuster dir -u http://target -w common.txt
gobuster dns -d target.com -w subdomains.txt
gobuster vhost -u http://target -w vhosts.txt
Common Issues
Too many false positives
- Filter status codes
- Use response length comparison
Connection errors
- Lower threads
- Check TLS settings
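The "Too many false positives" advice above can be applied to a file saved with `-o`. The following is an added example, not part of the original cheat sheet or the gobuster project; the function names and the sample lines are constructed, and the line format `(Status: N) [Size: N]` is assumed to match gobuster v3 `dir` output.

```shell
#!/bin/sh
# Added example: triage a saved `gobuster dir` results file by response size.
# Assumed line format (constructed sample, modelled on gobuster v3 output):
#   /path                 (Status: 200) [Size: 1532]

# awk helper: return "<status> <size>" for a result line, "" for anything else.
KEY_FN='function key(line,   s, f) {
    if (!match(line, /\(Status: [0-9]+\) \[Size: [0-9]+\]/)) return ""
    s = substr(line, RSTART, RLENGTH); gsub(/[^0-9 ]/, "", s)
    split(s, f, " "); return f[1] " " f[2]
}'

# repeated_sizes FILE [MIN]: print "<count> <status> <size>" for every
# status/size pair seen at least MIN times (default 3). Many paths sharing
# one status and size usually indicates a catch-all or soft-404 page.
repeated_sizes() {
    awk -v min="${2:-3}" "$KEY_FN"'
        { k = key($0); if (k != "") count[k]++ }
        END { for (k in count) if (count[k] >= min) print count[k], k }
    ' "$1" | sort -rn
}

# drop_repeated FILE [MIN]: print only the lines whose status/size pair is
# NOT repeated MIN or more times (two passes over the same file).
drop_repeated() {
    awk -v min="${2:-3}" "$KEY_FN"'
        NR == FNR { k = key($0); if (k != "") seen[k]++; next }
        { k = key($0); if (k == "" || seen[k] < min) print }
    ' "$1" "$1"
}

# Constructed sample results (not real scan output).
sample_results() {
    cat <<'EOF'
/admin                (Status: 301) [Size: 312] [--> http://example.com/admin/]
/backup.old           (Status: 200) [Size: 1532]
/cart                 (Status: 200) [Size: 1532]
/index.php            (Status: 200) [Size: 8841]
/login                (Status: 200) [Size: 1532]
/notes.txt            (Status: 97) [Size: 97]
/shop                 (Status: 200) [Size: 1532]
EOF
}

tmp=$(mktemp)
sample_results > "$tmp"
repeated_sizes "$tmp"   # status/size pairs that look like a catch-all page
drop_repeated "$tmp"    # remaining lines worth reviewing by hand
rm -f "$tmp"
```

A size reported by `repeated_sizes` is a candidate for exclusion on the next run; confirm by requesting one of the affected paths by hand before discarding the whole group.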
Gobuster vs FFUF
| Feature | Gobuster | FFUF |
|---|---|---|
| Speed | Very Fast | Fast |
| Recursion | Limited | Advanced |
| API fuzzing | No | Yes |
Related Tools
- ffuf
- dirbuster
- wfuzz
- burpsuite
Use Cases
- Directory discovery
- Subdomain enumeration
- Virtual host discovery
- Initial web reconnaissance
Legal Notice
Danger
Use gobuster only on authorized targets.