description |
---|
Gobuster: open-source security tool for web app testing. Supports HTTP methods, directory/file brute-force attacks, custom wordlists, and HTTP authentication. |
Gobuster is an open-source security tool designed for penetration testers, system administrators, and developers. The tool is widely used for identifying vulnerabilities and performing attacks on web applications. With its powerful features, Gobuster has become a popular tool in the information security industry.
Gobuster offers a simple and intuitive command-line interface that allows users to easily configure and run scans. It supports various HTTP methods, including GET, HEAD, and POST, and allows users to specify the parameters and payloads to use in their attacks. The tool also includes various plugins that can be used to extend its functionality, such as DNS resolution and SSL certificate verification.
One of the key features of Gobuster is its ability to perform directory and file brute-force attacks. This means that it can scan a web server for hidden files and directories that may contain sensitive information. Gobuster can also perform recursive scans, which means that it can follow directories and subdirectories to ensure that no files or directories are missed.
Gobuster also includes support for custom wordlists. This allows users to specify their own list of words to use in their brute-force attacks. The tool also includes a built-in list of common directories and files that can be used to quickly identify vulnerabilities.
In addition to its brute-force capabilities, Gobuster also includes support for HTTP authentication. This means that it can authenticate to a web server using various methods, including basic authentication and NTLM authentication. This feature can be useful for testing the security of web applications that require user authentication.
Overall, Gobuster is a powerful and versatile tool that can be used for a wide range of security testing tasks. Its simple and intuitive interface, combined with its powerful features, make it a popular choice among security professionals. Whether you are a penetration tester, system administrator, or developer, Gobuster is a must-have tool in your arsenal.
Scan a website (-u http://192.168.0.155/
) for directories using a wordlist (-w /usr/share/wordlists/dirb/common.txt
) and print the full URLs of discovered paths (-e
):
:~# gobuster -e -u http://192.168.0.155/ -w /usr/share/wordlists/dirb/common.txt
Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.0.155/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 301,302,307,200,204
[+] Expanded : true
=====================================================
http://192.168.0.155/blog (Status: 301)
http://192.168.0.155/index.html (Status: 200)
http://192.168.0.155/index (Status: 200)
http://192.168.0.155/photo (Status: 301)
http://192.168.0.155/wordpress (Status: 301)
=====================================================
\
Gobuster is a tool used to brute-force URIs including directories and files as well as DNS subdomains.
Installed size: 7.51 MB
How to install: sudo apt install gobuster
Dependencies:
- libc6
gobuster
:~# gobuster -h
Usage:
gobuster [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request body
gcs Uses gcs bucket enumeration mode
help Help about any command
s3 Uses aws bucket enumeration mode
tftp Uses TFTP enumeration mode
version shows the current version
vhost Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter)
Flags:
--delay duration Time each thread waits between requests (e.g. 1500ms)
-h, --help help for gobuster
--no-color Disable color output
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
Use "gobuster [command] --help" for more information about a command.
Updated on: 2023-Mar-08\