GoBuster for Pentesters: Brute-Forcing the Web Like a Pro

When you’re on an engagement and staring down a web server, one of the first things you should be thinking is: What’s hidden behind this HTTP service?

That’s where GoBuster comes in — a fast, flexible tool designed to brute-force URIs, directories, files, and DNS subdomains. It’s a staple in any pentester’s toolbox.

Let’s break down what it is, why it’s useful, and exactly how to use it in a real-world scenario.

GoBuster is a fast directory and file brute-forcing tool written in Go. It’s made for speed, stability, and scriptability. While tools like DirBuster and DirSearch exist, GoBuster stands out for raw performance and low overhead.

It works by taking a wordlist and hammering the server with HTTP requests, checking which paths exist based on the HTTP status codes returned.

GoBuster has three main modes:

  • dir – for discovering directories and files via brute-force
  • dns – for brute-forcing subdomains
  • vhost – for brute-forcing virtual host names

On Kali Linux:

sudo apt install gobuster

Or install the latest release with Go:

go install github.com/OJ/gobuster/v3@latest

Basic directory and file brute-forcing (dir mode):

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
# -u: target URL
# -w: wordlist to use

This will try every word in the list, appending it to the target URL and checking if it exists.

Add file extension brute-forcing:

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
# -x: file extensions to test

Follow redirects (GoBuster has no recursion option; re-run it against each directory it finds):

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -r
# -r: follow redirects

Filter out 404s, add status codes you care about:

gobuster dir -u http://target.com -w common.txt -s 200,204,301,302,307,403 -b ""
# -s: show only specific status codes
# -b: status codes to hide; it defaults to 404, and on GoBuster 3.1+ -s and -b cannot both be set, so clear it with -b ""

DNS subdomain brute-forcing (dns mode):

gobuster dns -d target.com -w /usr/share/wordlists/dns/namelist.txt
# -d: domain to brute-force
# -w: wordlist of subdomains

You can also specify a DNS server if needed:

gobuster dns -d target.com -w namelist.txt -i -t 50 --resolver 8.8.8.8
# -i: show IPs
# -t: number of concurrent threads
# --resolver (or -r in dns mode): DNS server to query instead of the system default

Some servers host multiple apps on the same IP using virtual hosts. This mode helps find them:

gobuster vhost -u http://target.com -w /usr/share/wordlists/dns/namelist.txt --append-domain
# Looks for virtual hosts like dev.target.com by setting the Host header
# --append-domain: needed on GoBuster 3.2+ so each word becomes word.target.com rather than a bare Host: word

Flags that are useful in any mode:

-t 50         # Number of threads (default is 10)
-o result.txt # Output to file
-k            # Skip SSL cert validation
-H            # Add custom headers

Example with custom headers:

gobuster dir -u http://target.com -w common.txt -H "Authorization: Bearer TOKEN"

A few practical tips:

  • Use larger wordlists for deeper brute-forcing (e.g., SecLists: directory-list-2.3-medium.txt)
  • Always inspect HTTP response codes (403 may still be interesting)
  • Add file extensions like .bak, .zip, .tar, .old, .dev — you’d be surprised what turns up
  • Don’t just stop at /admin — GoBuster is how you find /admin_dev/old/
  • Don’t hammer production servers recklessly — it will get you noticed
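As an added example (not part of the original post or the GoBuster project), here is the defender's side of that last tip: a Python script that parses constructed Apache/nginx combined-format log lines and flags clients whose traffic looks like a wordlist scan, either by the stock User-Agent (assumed here to be of the form gobuster/<version>) or by a burst of mostly-404 responses from one IP, which is the same status-code pattern the tool itself relies on. The IPs, timestamps, paths and thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Combined log format (Apache/nginx): ip - - [ts] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ \S+ [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m and {"ip": m["ip"], "ua": m["ua"], "status": int(m["status"]),
                  "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def find_scanners(lines, window=timedelta(seconds=10), min_404=20, min_ratio=0.8):
    """Return {ip: reason} for clients that look like a wordlist scan: stock gobuster UA, or a burst of mostly-404 replies."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Assumption: the default User-Agent is "gobuster/<version>"; -a overrides it, so the rate check is the one to rely on
        if any(r["ua"].lower().startswith("gobuster/") for r in recs):
            flagged[ip] = "gobuster user-agent"
            continue
        start = 0
        for end in range(len(recs)):            # slide a time window over the sorted requests
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            n404 = sum(r["status"] == 404 for r in span)
            if n404 >= min_404 and n404 / len(span) >= min_ratio:
                flagged[ip] = f"{n404} of {len(span)} requests were 404 within {window.seconds}s"
                break
    return flagged

def constructed_log():
    """Constructed sample, not a real capture: a scanner with a browser UA, an ordinary visitor, stock gobuster."""
    t0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" {st} 153 "-" "{ua}"'
    words = ["admin", "backup", "old", "dev", "test", "login", "uploads", "config", "tmp", "api"]
    lines = [fmt.format(ip="192.0.2.9", ts=t0, path="/robots.txt", st=200, ua="gobuster/3.6")]
    for i in range(30):                         # 30 requests in 3 s; only /login.php and /api.php exist
        w = words[i % len(words)]
        st = 200 if w in ("login", "api") and i % 3 == 0 else 404
        lines.append(fmt.format(ip="198.51.100.7", ts=t0 + timedelta(milliseconds=100 * i),
                                path="/" + w + [".php", ".html", ".txt"][i % 3], st=st, ua="Mozilla/5.0"))
    for i, p in enumerate(["/", "/login.php", "/static/app.js"]):      # an ordinary visitor
        lines.append(fmt.format(ip="203.0.113.5", ts=t0 + timedelta(seconds=i), path=p, st=200, ua="Mozilla/5.0"))
    return lines
```

Tune the window and thresholds to your site's normal 404 rate before using this on real logs; a broken link crawl from a search engine can look similar on a small site.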

GoBuster is a no-nonsense tool. Fast, scriptable, and reliable. Whether you’re in recon or post-exploitation, if there’s a web server involved — GoBuster should be on your mind.

When used creatively and precisely, it becomes more than a brute-force tool — it becomes a surgical instrument for extracting hidden gems from the web layer.
