Gobuster Cheat Sheet: Unleash the Power of Directory and DNS Bruteforcing

Gobuster is a versatile tool used for directory and DNS brute-forcing, enabling cybersecurity professionals to discover hidden directories, files, and subdomains on web servers. From uncovering sensitive information to identifying potential vulnerabilities, this cheat sheet provides a comprehensive guide to Gobuster commands and techniques for effective reconnaissance.

1. Basic Directory Bruteforcing:

  • Bruteforce Directories (Wordlist):
  gobuster dir -u <target_url> -w <wordlist>
  • Specify Extensions (e.g., PHP, HTML):
  gobuster dir -u <target_url> -w <wordlist> -x <extensions>

2. Advanced Directory Bruteforcing:

  • Set Concurrent Threads:
  gobuster dir -u <target_url> -w <wordlist> -t <threads>
  • Customize User-Agent Header:
  gobuster dir -u <target_url> -w <wordlist> -a <user_agent>

3. DNS Bruteforcing:

  • Bruteforce Subdomains (Wordlist):
  gobuster dns -d <domain> -w <wordlist>
  • Set DNS Server (resolver):
  gobuster dns -d <domain> -w <wordlist> -r <dns_server>

4. Output and Reporting:

  • Save Results to File (Text):
  gobuster dir -u <target_url> -w <wordlist> -o <output_file.txt>
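  • Save Results to File (JSON): -o only sets the file name; the extension does not change the format, so the contents remain gobuster's plain-text result lines and need converting if JSON is required:
  gobuster dir -u <target_url> -w <wordlist> -o <output_file.json>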

5. Miscellaneous Options:

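  • Include Status Codes (e.g., 403, 404); gobuster 3.x blacklists 404 by default and rejects -s unless the blacklist is cleared with -b "":
  gobuster dir -u <target_url> -w <wordlist> -s <status_codes> -b ""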
  • Filter Out Responses with Length:
  gobuster dir -u <target_url> -w <wordlist> --exclude-length <length>

6. Gobuster Best Practices:

  • Use Targeted Wordlists: Select wordlists tailored to the target domain or application to increase the likelihood of discovery.
  • Adjust Threading: Balance speed and resource consumption by adjusting the number of concurrent threads based on network conditions and system resources.
  • Review Results Carefully: Validate discovered directories and subdomains manually to avoid false positives and ensure accuracy.
  • Respect Target Limits: Avoid aggressive scanning that may trigger rate limiting or cause disruption to the target system or network.
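
To support the "Review Results Carefully" step, here is an added example (not part of the original cheat sheet or of gobuster itself) that parses a saved `dir` results file and separates likely catch-all responses from entries worth manual review. It assumes the gobuster 3.x result line format shown in the comment; the function names and the sample output are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed gobuster 3.x "dir" result line: /path  (Status: 200) [Size: 1234] [--> url]
LINE_RE = re.compile(
    r"^(?P<path>/\S*)\s+\(Status:\s*(?P<status>\d{3})\)"
    r"(?:\s+\[Size:\s*(?P<size>\d+)\])?"
)

def parse_results(text):
    """Return one dict per result line; banner and progress lines are skipped."""
    results = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            size = m.group("size")
            results.append({"path": m.group("path"),
                            "status": int(m.group("status")),
                            "size": int(size) if size is not None else None})
    return results

def triage(results, min_repeat=3):
    """Return (review, suspects): suspects maps (status, size) -> paths when
    at least min_repeat paths share one status and body size, the usual sign
    of a catch-all or soft-404 page rather than real content."""
    groups = defaultdict(list)
    for r in results:
        if r["size"] is not None:
            groups[(r["status"], r["size"])].append(r["path"])
    suspects = {k: v for k, v in groups.items() if len(v) >= min_repeat}
    review = [r for r in results if (r["status"], r["size"]) not in suspects]
    return review, suspects

# Constructed sample output, not taken from a real scan.
SAMPLE = """\
===============================================================
Starting gobuster in directory enumeration mode
/admin                (Status: 301) [Size: 312] [--> http://example.test/admin/]
/backup               (Status: 200) [Size: 1543]
/foo                  (Status: 200) [Size: 1543]
/bar                  (Status: 200) [Size: 1543]
/login.php            (Status: 200) [Size: 4821]
/server-status        (Status: 403) [Size: 277]
"""

if __name__ == "__main__":
    review, suspects = triage(parse_results(SAMPLE))
    print("likely catch-all (status, size):", suspects)
    print("review manually:", [r["path"] for r in review])
```

A body size that shows up in the suspect groups is a candidate value for gobuster's `--exclude-length` option on a re-run.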

7. Online Resources:

  • Official Documentation: Refer to the official Gobuster documentation for detailed usage instructions, options, and examples.
  • Community Forums: Engage with the cybersecurity community to share experiences, tips, and best practices for directory and DNS brute-forcing.

With this Gobuster cheat sheet at your disposal, you’ll be equipped to conduct thorough directory and DNS brute-forcing for penetration testing, cybersecurity assessments, and web application security testing. Happy hunting!