
GoBuster bajo FreeBSD

🎃 kr0m

GoBuster is a fast and versatile resource search tool that allows us to identify files, directories, DNS entries, vhosts, or storage buckets.
The manual consists of the following sections:


Installation:

The first step will be to install the software. We can do this using binaries, go install, or by compiling manually:

pkg install gobuster
go install github.com/OJ/gobuster/v3@latest
git clone https://github.com/OJ/gobuster.git
cd gobuster
make

We download some lists of directories, domains, and bucket names:


DIR mode:

We launch GoBuster with the dir parameter:

gobuster dir -u http://nonexistentdomain.com -w directory-list-2.3-big.txt -r

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://nonexistentdomain.com
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 55680]
/rss                  (Status: 200) [Size: 16783]
/img                  (Status: 403) [Size: 162]
/default              (Status: 200) [Size: 55678]
/sitemap              (Status: 200) [Size: 40197]
/media                (Status: 403) [Size: 162]
/0                    (Status: 200) [Size: 55678]
/assets               (Status: 403) [Size: 162]
/css                  (Status: 403) [Size: 162]
/Index                (Status: 200) [Size: 55447]
/lib                  (Status: 403) [Size: 162]
/js                   (Status: 403) [Size: 162]
/RSS                  (Status: 200) [Size: 16783]
/api                  (Status: 200) [Size: 55678]
/SiteMap              (Status: 500) [Size: 30565]
/dist                 (Status: 403) [Size: 162]
/mapa                 (Status: 403) [Size: 162]
/noticias             (Status: 200) [Size: 50580]
/siteMap              (Status: 500) [Size: 30565]
/fotos                (Status: 200) [Size: 40348]
/Sitemap              (Status: 200) [Size: 40197]
/captcha              (Status: 500) [Size: 30565]
/Rss                  (Status: 200) [Size: 16783]
/INDEX                (Status: 200) [Size: 55447]
/contacto             (Status: 200) [Size: 31773]
/API                  (Status: 200) [Size: 55680]
Progress: 1273833 / 1273834 (100.00%)
===============================================================
Finished
===============================================================

There are occasions when the web server responds with codes that GoBuster considers non-existent:

Error: the server returns a status code that matches the provided options for non existing urls. http://nonexistentdomain.com/5237066a-2070-4858-ab06-c8eac059389f => 500 (Length: 184). To continue please exclude the status code or the length

In these cases, we can blacklist the 500 code or responses with a length of 184:

gobuster dir -u http://nonexistentdomain.com -w directory-list-2.3-big.txt -r -b 500
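A small parser for the result lines above, added here as an example and not part of the original article: it groups findings by status and size so that clusters of identical responses (the catch-all page behind the error shown above) stand out, and builds the matching --exclude-length flag that gobuster dir accepts. The sample output is a constructed subset of the listing above.

```python
import re
from collections import defaultdict

# Matches the per-result lines printed by gobuster dir, e.g.
# "/default              (Status: 200) [Size: 55678]"
RESULT_RE = re.compile(r"^(?P<path>\S+)\s+\(Status: (?P<status>\d+)\) \[Size: (?P<size>\d+)\]")

# Constructed sample: a subset of the dir-mode output shown above.
SAMPLE_OUTPUT = """\
/index                (Status: 200) [Size: 55680]
/img                  (Status: 403) [Size: 162]
/default              (Status: 200) [Size: 55678]
/media                (Status: 403) [Size: 162]
/0                    (Status: 200) [Size: 55678]
/assets               (Status: 403) [Size: 162]
/api                  (Status: 200) [Size: 55678]
/SiteMap              (Status: 500) [Size: 30565]
/noticias             (Status: 200) [Size: 50580]
/siteMap              (Status: 500) [Size: 30565]
/captcha              (Status: 500) [Size: 30565]
Progress: 1273833 / 1273834 (100.00%)
"""

def parse_results(text):
    """Return (path, status, size) tuples, ignoring banner and progress lines."""
    out = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            out.append((m.group("path"), int(m.group("status")), int(m.group("size"))))
    return out

def catch_all_candidates(results, min_hits=3):
    """Group results by (status, size). A group with >= min_hits different paths
    is more likely one catch-all page than min_hits distinct resources."""
    groups = defaultdict(list)
    for path, status, size in results:
        groups[(status, size)].append(path)
    return {k: v for k, v in groups.items() if len(v) >= min_hits}

def suggest_exclude_length(candidates):
    """Build the gobuster dir flag that hides the suspected catch-all sizes."""
    lengths = sorted({size for _, size in candidates})
    return "--exclude-length " + ",".join(map(str, lengths)) if lengths else ""
```

Feed it the saved output of a run (gobuster dir -o results.txt) and re-run with the suggested flag; verify one path from each cluster by hand first, since a 403 cluster may also be a real access-controlled directory tree.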

GoBuster also allows us to tunnel traffic through HTTP or SOCKS5 proxies (only in dir/vhost mode):

gobuster dir --help
      --proxy string                      Proxy to use for requests [http(s)://host:port] or [socks5://host:port]
gobuster dir -u http://nonexistentdomain.com -w directory-list-2.3-big.txt -r --proxy socks5://127.0.0.1:7783
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://nonexistentdomain.com
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] Proxy:                   socks5://127.0.0.1:7783
[+] User Agent:              gobuster/3.6
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 55680]
/rss                  (Status: 200) [Size: 16783]
/img                  (Status: 403) [Size: 162]
/default              (Status: 200) [Size: 55678]
/sitemap              (Status: 200) [Size: 40197]
/media                (Status: 403) [Size: 162]
/0                    (Status: 200) [Size: 55678]
/assets               (Status: 403) [Size: 162]
/css                  (Status: 403) [Size: 162]
/Index                (Status: 200) [Size: 55447]
/lib                  (Status: 403) [Size: 162]
/js                   (Status: 403) [Size: 162]
/RSS                  (Status: 200) [Size: 16783]
/api                  (Status: 200) [Size: 55678]
/SiteMap              (Status: 500) [Size: 30565]
/dist                 (Status: 403) [Size: 162]
/mapa                 (Status: 403) [Size: 162]
/noticias             (Status: 200) [Size: 50580]
/siteMap              (Status: 500) [Size: 30565]
/fotos                (Status: 200) [Size: 40348]
/Sitemap              (Status: 200) [Size: 40197]
/captcha              (Status: 500) [Size: 30565]
/Rss                  (Status: 200) [Size: 16783]
/INDEX                (Status: 200) [Size: 55447]
/contacto             (Status: 200) [Size: 31773]
/API                  (Status: 200) [Size: 55680]
Progress: 1273833 / 1273834 (100.00%)
===============================================================
Finished
===============================================================

DNS mode:

To brute-force possible DNS subdomains, we will run GoBuster with the dns parameter:

gobuster dns -d nonexistentdomain.com -w subdomains-10000.txt -i

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     nonexistentdomain.com
[+] Threads:    10
[+] Show IPs:   true
[+] Timeout:    1s
[+] Wordlist:   subdomains-10000.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Found: mail.nonexistentdomain.com [A.B.C.D,a02:1234:4444:700::2031]

Found: www.nonexistentdomain.com [A.B.C.D]

Found: webmail.nonexistentdomain.com [A.B.C.D,a02:1234:4444:700::2031]

Found: ftp.nonexistentdomain.com [A.B.C.D]

Found: admin.nonexistentdomain.com [A.B.C.D]

Found: api.nonexistentdomain.com [A.B.C.D]

Progress: 9985 / 9986 (99.99%)
===============================================================
Finished
===============================================================

We can use a specific DNS server by specifying the -r parameter:

gobuster dns -d nonexistentdomain.com -w subdomains-10000.txt -i -r 1.1.1.1

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     nonexistentdomain.com
[+] Threads:    10
[+] Resolver:   1.1.1.1
[+] Show IPs:   true
[+] Timeout:    1s
[+] Wordlist:   subdomains-10000.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Found: mail.nonexistentdomain.com [A.B.C.D,a02:1234:4444:700::2031]

Found: www.nonexistentdomain.com [A.B.C.D]

Found: webmail.nonexistentdomain.com [A.B.C.D,a02:1234:4444:700::2031]

Found: ftp.nonexistentdomain.com [A.B.C.D]

Found: admin.nonexistentdomain.com [A.B.C.D]

Found: api.nonexistentdomain.com [A.B.C.D]

Progress: 9985 / 9986 (99.99%)
===============================================================
Finished
===============================================================

VHOST mode:

In this mode, it will connect to the IP of the domain but will change the Host field of the HTTP request.

We generate the list of subdomains with the main domain of interest:

MAINDOMAIN=nonexistentdomain.com
sed "s/$/.$MAINDOMAIN/g" subdomains-10000.txt > vhostlist.txt

We launch GoBuster:

gobuster vhost -u http://nonexistentdomain.com -w vhostlist.txt

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://nonexistentdomain.com
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        vhostlist.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: api.nonexistentdomain.com Status: 200 [Size: 2147]
Progress: 9985 / 9986 (99.99%)
===============================================================
Finished
===============================================================

Using ngrep, we can see the vhost being sent: Host: domaincontrolpanel.nonexistentdomain.com.

T 192.168.69.4:21259 -> A.B.C.D:80 [AP]
GET / HTTP/1.1.
Host: domaincontrolpanel.nonexistentdomain.com.
User-Agent: gobuster/3.6.
Accept-Encoding: gzip.
.

NOTE: This mode also allows the use of proxies as explained in the dir mode.


FUZZ mode:

Fuzz mode discovers files or directories through more complex requests: the word FUZZ marks the part of the URL that gets replaced by each entry of the wordlist.

We launch GoBuster:

gobuster fuzz -u "http://nonexistentdomain.com/index.php?p=source&file=FUZZ" -w directory-list-2.3-big.txt

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://nonexistentdomain.com/index.php?p=source&file=FUZZ
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     directory-list-2.3-big.txt
[+] User Agent:   gobuster/3.6
[+] Timeout:      10s
===============================================================
Starting gobuster in fuzzing mode
===============================================================
Found: [Status=301] [Length=178] [Word=12] http://nonexistentdomain.com/index.php?p=source&file=12

Found: [Status=301] [Length=178] [Word=warez] http://nonexistentdomain.com/index.php?p=source&file=warez

Found: [Status=301] [Length=178] [Word=full] http://nonexistentdomain.com/index.php?p=source&file=full

Found: [Status=301] [Length=178] [Word=2006] http://nonexistentdomain.com/index.php?p=source&file=2006

Progress: 6 / 7 (85.71%)
===============================================================
Finished
===============================================================

The requests will be similar to this:

T 192.168.69.4:39851 -> A.B.C.D:80 [AP]
GET /index.php?p=source&file=warez HTTP/1.1.
Host: nonexistentdomain.com.
User-Agent: gobuster/3.6.
Accept-Encoding: gzip.
.

NOTE: This mode also allows the use of proxies as explained in the dir mode.
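From the defender's side, the two ngrep captures above (vhost and fuzz mode) give a clear signature: the default User-Agent gobuster/3.6 and, in vhost mode, one client sending the same request with a different Host header each time. The following detector is an added example, not code from the article: it parses constructed access-log lines in an Apache vhost_combined-style layout (assumed: the requested Host first, then the usual combined fields) and flags clients by tool User-Agent, Host-header churn, or a high 404 ratio.

```python
import re
from collections import defaultdict

# One vhost_combined-style access-log line: requested Host first, then the
# combined-format fields (client, ident, user, time, request, status, bytes, referer, UA).
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: 192.168.69.4 mirrors the capture above (same path,
# default User-Agent, a different Host per request); 10.0.0.7 is a normal visitor.
VHOSTS = ["mail", "www", "webmail", "ftp", "admin", "api", "domaincontrolpanel"]
SAMPLE_LOG = [
    f'{v}.nonexistentdomain.com 192.168.69.4 - - [01/Jan/2024:10:00:0{i} +0000] '
    f'"GET / HTTP/1.1" {"200" if v == "api" else "404"} 162 "-" "gobuster/3.6"'
    for i, v in enumerate(VHOSTS)
] + [
    'www.nonexistentdomain.com 10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /noticias HTTP/1.1" 200 50580 "-" "Mozilla/5.0"',
    'www.nonexistentdomain.com 10.0.0.7 - - [01/Jan/2024:10:00:10 +0000] '
    '"GET /fotos HTTP/1.1" 200 40348 "-" "Mozilla/5.0"',
]

def parse_log(lines):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]

def score_clients(entries, min_hosts=5, min_requests=20, miss_ratio=0.8):
    """Return {client_ip: [reasons]} for clients whose traffic looks like enumeration:
    a tool User-Agent, many distinct Hosts (vhost mode), or mostly 404s (dir/fuzz)."""
    stats = defaultdict(lambda: {"n": 0, "miss": 0, "hosts": set(), "tool_ua": False})
    for e in entries:
        s = stats[e["ip"]]
        s["n"] += 1
        s["miss"] += e["status"] == "404"
        s["hosts"].add(e["vhost"])
        s["tool_ua"] |= "gobuster" in e["ua"].lower()
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["tool_ua"]:
            reasons.append("tool user-agent")
        if len(s["hosts"]) >= min_hosts:
            reasons.append(f"{len(s['hosts'])} distinct Host headers")
        if s["n"] >= min_requests and s["miss"] / s["n"] >= miss_ratio:
            reasons.append(f"{s['miss']}/{s['n']} requests returned 404")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

The User-Agent rule is the weakest of the three, since gobuster lets the operator change it (see the final notes); the Host-churn and 404-ratio rules do not depend on it.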


Amazon S3 buckets:

The S3 storage buckets are hosted on Amazon servers; therefore, this type of reconnaissance is performed directly on their servers, which can potentially be problematic.

The idea is to add the name of the domain at the beginning and end of each word in the list, with the hope of finding a bucket with that name.

MAINDOMAIN=nonexistentdomain
sed "s/$/-$MAINDOMAIN/g" list.txt > s3.txt
sed "s/^/$MAINDOMAIN-/g" list.txt >> s3.txt

We launch GoBuster:

gobuster s3 -w s3.txt -k

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Threads:                 10
[+] Wordlist:                s3.txt
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
[+] Maximum files to list:   5
===============================================================
Starting gobuster in S3 bucket enumeration mode
===============================================================
Progress: 4754 / 4755 (99.98%)
===============================================================
Finished
===============================================================

In this case, it hasn’t found any bucket that matches the supplied list.

NOTE: This mode also allows the use of proxies as explained in the dir mode.


Google Cloud buckets:

With Google buckets, the same situation occurs as with the ones from Amazon.

The idea is to add the name of the domain at the beginning and end of each word in the list, with the hope of finding a bucket with that name.

MAINDOMAIN=nonexistentdomain
sed "s/$/-$MAINDOMAIN/g" list.txt > gcs.txt
sed "s/^/$MAINDOMAIN-/g" list.txt >> gcs.txt

We launch GoBuster:

gobuster gcs -w gcs.txt

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Threads:                 10
[+] Wordlist:                gcs.txt
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
[+] Maximum files to list:   5
===============================================================
Starting gobuster in GCS bucket enumeration mode
===============================================================
Progress: 4754 / 4755 (99.98%)
===============================================================
Finished
===============================================================

In this case, it hasn’t found any bucket that matches the supplied list.

NOTE: This mode also allows the use of proxies as explained in the dir mode.


TFTP servers:

GoBuster also allows enumerating files hosted on TFTP servers:

gobuster tftp -s nonexistentdomain.com -w directory-list-2.3-big.txt -r

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Server:     nonexistentdomain.com:69
[+] Threads:    10
[+] Timeout:    1s
[+] Wordlist:   directory-list-2.3-big.txt
===============================================================
Starting gobuster in TFTP enumeration mode
===============================================================
Found: 1
Found: 2
Found: 3
Found: 3
Progress: 1273833 / 1273834 (100.00%)
===============================================================
Finished
===============================================================

STDIN:

Another very interesting functionality, especially if we are short on space, is to generate the words to check using some tool and pipe them directly to GoBuster:

crunch 1 3 | gobuster dir -u http://nonexistentdomain.com -w -

Crunch will now generate the following amount of data: 72384 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 18278
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://nonexistentdomain.com
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                stdin (pipe)
[+] Negative Status codes:   302
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 18278
===============================================================
Finished
===============================================================

Final notes:

GoBuster is highly configurable. It allows us to add or modify HTTP headers, perform HTTP basic authentication, change the user-agent, resume an interrupted wordlist run, or search for backup files, among many other features. We can query the supported parameters for each mode as follows:

gobuster dir --help
gobuster dns --help
gobuster vhost --help
gobuster fuzz --help
gobuster s3 --help
gobuster gcs --help
gobuster tftp --help