Gobuster is a tool used to brute force URLs (directories and files) from websites, DNS subdomains, Virtual Hostnames, and open Amazon S3 buckets. It can be particularly useful during CTF challenges that require you to brute force web server data, but also during pentest engagements.
Install Gobuster
First, you need to make sure you have Go installed on your Linux distribution, which is the programming language used to write the go-buster tool. Once all the dependencies are satisfied for Go, you can proceed to download and install go-buster. In order to install Go, you need to input the following command in your terminal window:
┌──(mrdev㉿mrdev)-[~]
└─$ sudo apt install golang-go
Once that installation is complete, you can proceed with installing the go-buster. If you have a Go environment ready to go, it is as easy as typing in the following command in your terminal:
┌──(mrdev㉿mrdev)-[~]
└─$ sudo apt install gobuster
Using Go-buster
In order to start our directory busting, we will need to discover what capabilities go buster has, and which ones can assist us. By looking at the tool’s help page, by typing in the gobuster -h command in our terminal, we receive a list of all possible switches for the tool and their description.
┌──(mrdev㉿mrdev)-[~]
└─$ gobuster --help
Usage:
gobuster [command]
Available Commands:
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode
help Help about any command
s3 Uses aws bucket enumeration mode
version shows the current version
vhost Uses VHOST enumeration mode
Flags:
--delay duration Time each thread waits between requests (e.g. 1500ms)
-h, --help help for gobuster
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
Use "gobuster [command] --help" for more information about a command.
┌──(mrdev㉿mrdev)-[~]
└─$
On the output you can see the modes that are available on brute-forcing:
- dir – the classic directory brute-forcing mode
- dns – DNS subdomain brute-forcing mode
- s3 – Enumerate open S3 buckets and look for existence and bucket listings
- vhost – virtual host brute-forcing mode (not the same as DNS!)
Usage for [Any] mode
Run the following command to find out the usage:
gobuster [Mode] –help
┌──(mrdev㉿mrdev)-[~]
└─$ gobuster dir --help
Uses directory/file enumeration mode
Usage:
gobuster dir [flags]
Flags:
-f, --add-slash Append / to each request
-c, --cookies string Cookies to use for the requests
-d, --discover-backup Upon finding a file search for backup files
--exclude-length ints exclude the following content length (completely ignores the status). Supply multiple times to exclude multiple sizes.
-e, --expanded Expanded mode, print full URLs
-x, --extensions string File extension(s) to search for
-r, --follow-redirect Follow redirects
-H, --headers stringArray Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-h, --help help for dir
--hide-length Hide the length of the body in the output
-m, --method string Use the following HTTP method (default "GET")
-n, --no-status Don't print status codes
-k, --no-tls-validation Skip TLS certificate verification
-P, --password string Password for Basic Auth
--proxy string Proxy to use for requests [http(s)://host:port]
--random-agent Use a random User-Agent string
-s, --status-codes string Positive status codes (will be overwritten with status-codes-blacklist if set)
-b, --status-codes-blacklist string Negative status codes (will override status-codes if set) (default "404")
--timeout duration HTTP Timeout (default 10s)
-u, --url string The target URL
-a, --useragent string Set the User-Agent string (default "gobuster/3.1.0")
-U, --username string Username for Basic Auth
--wildcard Force continued operation when wildcard found
Global Flags:
--delay duration Time each thread waits between requests (e.g. 1500ms)
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
┌──(mrdev㉿mrdev)-[~]
└─$
Using Gobuster
We are going to test it with 10.129.56.242, as my target. So run it using the below commands:
┌──(mrdev㉿mrdev)-[~]
└─$ sudo gobuster dir -w /usr/share/wordlists/dirb/common.txt -u 10.129.56.242
[sudo] password for mrdev:
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.56.242
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/24 11:55:42 Starting gobuster in directory enumeration mode
===============================================================
/admin.php (Status: 200) [Size: 999]
===============================================================
2021/12/24 11:57:51 Finished
===============================================================
Now you can see “admin.php” existed, and was returned to us in the output, signaling that the webpage exists and we can navigate to it manually to check out its contents.
Reference: Go-buster: Brute force Directories and Files (technoscience.site)
Comments are closed