Dev (#379)

* update to go 1.17

* more go 1.17 updates

* update sponsors

* update makefile

* gitignore

* remove todo

* Fixed errors mixing with progress in stderr by removing progress string with \r

* Added --retry option for dir, fuzz, s3 and vhost modes

* first dev version

* wording

* fix retries

* update help text

* first work for #298

allow for a totalrequests change from within a plugin

* use defer

* ignore invalid control character urls

* add goreleaser

* gitignore

* output color, better status printing

* more color output

* fix nil panics

* Added support for Google Cloud Storage (GCS) bucket scanning. The scanning finds all public buckets listable by anonymous users

* fix gcs module

* update readme

* go 1.18

* go mod tidy

* makefile

* readme

* readme

* better error message

* use generics for set

* use the new netip type

* update version

* colors

* cspell

* improve readability of GobusterVhost (#334)

* improve readability of GobusterVhost

* fix for the merge side effect

* lint

* update

* update

* more work

* remove unused method

* retries

* colored output

* Closes issue #349 (#356)

* fix version

* Closes issue #349

Co-authored-by: firefart <firefart@gmail.com>

* Closes issue #315 (#359)

* Closes issue #315

* Syntax fix

* support mtls

* readme

* check for fuzz keyword

* allow for http header fuzzing

* better description

* new option to not canonicalize header names

* basic auth fuzzing

* fix typo in vhost command (#361)

* update

* check error

* error handling

* dev

* enable tls1.0 and 1.1 support

* Bump golang.org/x/term from 0.1.0 to 0.2.0 (#369)

Bumps [golang.org/x/term](https://github.com/golang/term) from 0.1.0 to 0.2.0.
- [Release notes](https://github.com/golang/term/releases)
- [Commits](golang/term@v0.1.0...v0.2.0)

---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump golang.org/x/crypto from 0.1.0 to 0.2.0 (#368)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.1.0 to 0.2.0.
- [Release notes](https://github.com/golang/crypto/releases)
- [Commits](golang/crypto@v0.1.0...v0.2.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Adds LF after the work end (#373)

* typo

* Reformat: Add `\n` after the end

Co-authored-by: firefart <105281+firefart@users.noreply.github.com>

* Bump golang.org/x/crypto from 0.2.0 to 0.3.0 (#374)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/crypto/releases)
- [Commits](golang/crypto@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#376)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/golang/crypto/releases)
- [Commits](golang/crypto@v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump actions/checkout from 3.1.0 to 3.2.0 (#377)

Bumps [actions/checkout](https://github.com/actions/checkout) from 3.1.0 to 3.2.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v3.1.0...v3.2.0)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add tftp mode

* better output on tftp mode

* Bump goreleaser/goreleaser-action from 3 to 4 (#378)

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 3 to 4.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@v3...v4)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* readme

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: alexmozzhakov <5459149+alexmozzhakov@users.noreply.github.com>
Co-authored-by: Nicolas Lykke Iversen <nlykkei@gmail.com>
Co-authored-by: Neal Caffery <neal1991@sina.com>
Co-authored-by: n30nx <22144985+n30nx@users.noreply.github.com>
Co-authored-by: IPv4v6 <mail.ipv4v6@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: _Magenta_ <0_magenta_0@mail.ru>

.github/workflows/go.yml

@@ -14,7 +14,7 @@ jobs:
           go-version: ${{ matrix.go }}
 
       - name: Check out code
-        uses: actions/checkout@v3.1.0
+        uses: actions/checkout@v3.2.0
 
       - name: build cache
         uses: actions/cache@v3

.github/workflows/golangci-lint.yml

@@ -5,7 +5,7 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3.1.0
+      - uses: actions/checkout@v3.2.0
 
       - uses: actions/setup-go@v3
         with:

.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3.1.0
+        uses: actions/checkout@v3.2.0
         with:
           fetch-depth: 0
       - name: Fetch all tags
@@ -23,7 +23,7 @@ jobs:
         with:
           go-version: 1.19
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@v4
         with:
           distribution: goreleaser
           version: latest

README.md

@@ -1,4 +1,4 @@
-# Gobuster v3.2.0
+# Gobuster
 
 Gobuster is a tool used to brute-force:
 
@@ -22,6 +22,11 @@ All funds that are donated to this project will be donated to charity. A full lo
 
 # Changes
 
+## 3.4
+
+- Enable TLS1.0 and TLS1.1 support
+- Add TFTP mode to search for files on tftp servers
+
 ## 3.3
 
 - Support TLS client certificates / mtls

cli/cmd/tftp.go

@@ -0,0 +1,78 @@
+package cmd
+
+import (
+	"fmt"
+	"log"
+	"strings"
+	"time"
+
+	"github.com/OJ/gobuster/v3/cli"
+	"github.com/OJ/gobuster/v3/gobustertftp"
+	"github.com/OJ/gobuster/v3/libgobuster"
+	"github.com/spf13/cobra"
+)
+
+// nolint:gochecknoglobals
+var cmdTFTP *cobra.Command
+
+func runTFTP(cmd *cobra.Command, args []string) error {
+	globalopts, pluginopts, err := parseTFTPOptions()
+	if err != nil {
+		return fmt.Errorf("error on parsing arguments: %w", err)
+	}
+
+	plugin, err := gobustertftp.NewGobusterTFTP(globalopts, pluginopts)
+	if err != nil {
+		return fmt.Errorf("error on creating gobustertftp: %w", err)
+	}
+
+	if err := cli.Gobuster(mainContext, globalopts, plugin); err != nil {
+		return fmt.Errorf("error on running gobuster: %w", err)
+	}
+	return nil
+}
+
+func parseTFTPOptions() (*libgobuster.Options, *gobustertftp.OptionsTFTP, error) {
+	globalopts, err := parseGlobalOptions()
+	if err != nil {
+		return nil, nil, err
+	}
+	pluginOpts := gobustertftp.NewOptionsTFTP()
+
+	pluginOpts.Server, err = cmdTFTP.Flags().GetString("server")
+	if err != nil {
+		return nil, nil, fmt.Errorf("invalid value for domain: %w", err)
+	}
+
+	if !strings.Contains(pluginOpts.Server, ":") {
+		pluginOpts.Server = fmt.Sprintf("%s:69", pluginOpts.Server)
+	}
+
+	pluginOpts.Timeout, err = cmdTFTP.Flags().GetDuration("timeout")
+	if err != nil {
+		return nil, nil, fmt.Errorf("invalid value for timeout: %w", err)
+	}
+
+	return globalopts, pluginOpts, nil
+}
+
+// nolint:gochecknoinits
+func init() {
+	cmdTFTP = &cobra.Command{
+		Use:   "tftp",
+		Short: "Uses TFTP enumeration mode",
+		RunE:  runTFTP,
+	}
+
+	cmdTFTP.Flags().StringP("server", "s", "", "The target TFTP server")
+	cmdTFTP.Flags().DurationP("timeout", "", time.Second, "TFTP timeout")
+	if err := cmdTFTP.MarkFlagRequired("server"); err != nil {
+		log.Fatalf("error on marking flag as required: %v", err)
+	}
+
+	cmdTFTP.PersistentPreRun = func(cmd *cobra.Command, args []string) {
+		configureGlobalOptions()
+	}
+
+	rootCmd.AddCommand(cmdTFTP)
+}

cli/gobuster.go

@@ -87,6 +87,7 @@ func progressWorker(ctx context.Context, g *libgobuster.Gobuster, wg *sync.WaitG
 				}
 			}
 		case <-ctx.Done():
+			fmt.Println()
 			return
 		}
 	}

go.mod

@@ -5,15 +5,17 @@ go 1.19
 require (
 	github.com/fatih/color v1.13.0
 	github.com/google/uuid v1.3.0
+	github.com/pin/tftp/v3 v3.0.0
 	github.com/spf13/cobra v1.6.1
-	golang.org/x/crypto v0.1.0
-	golang.org/x/term v0.1.0
+	golang.org/x/crypto v0.4.0
+	golang.org/x/term v0.3.0
 )
 
 require (
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.16 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/sys v0.1.0 // indirect
+	golang.org/x/net v0.4.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
 )

go.sum

@@ -3,29 +3,38 @@ github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/pin/tftp/v3 v3.0.0 h1:o9cQpmWBSbgiaYXuN+qJAB12XBIv4dT7OuOONucn2l0=
+github.com/pin/tftp/v3 v3.0.0/go.mod h1:xwQaN4viYL019tM4i8iecm++5cGxSqen6AJEOEyEI0w=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
 github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.4.0 h1:UVQgzMY87xqpKNgb+kDsll2Igd33HszWHFLmpaRMq/8=
+golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
+golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
-golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
+golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

gobustertftp/gobustertftp.go

@@ -0,0 +1,142 @@
+package gobustertftp
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"fmt"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/OJ/gobuster/v3/libgobuster"
+
+	"github.com/pin/tftp/v3"
+)
+
+// GobusterTFTP is the main type to implement the interface
+type GobusterTFTP struct {
+	globalopts *libgobuster.Options
+	options    *OptionsTFTP
+}
+
+// NewGobusterTFTP creates a new initialized NewGobusterTFTP
+func NewGobusterTFTP(globalopts *libgobuster.Options, opts *OptionsTFTP) (*GobusterTFTP, error) {
+	if globalopts == nil {
+		return nil, fmt.Errorf("please provide valid global options")
+	}
+
+	if opts == nil {
+		return nil, fmt.Errorf("please provide valid plugin options")
+	}
+
+	g := GobusterTFTP{
+		options:    opts,
+		globalopts: globalopts,
+	}
+	return &g, nil
+}
+
+// Name should return the name of the plugin
+func (d *GobusterTFTP) Name() string {
+	return "TFTP enumeration"
+}
+
+// PreRun is the pre run implementation of gobustertftp
+func (d *GobusterTFTP) PreRun(ctx context.Context) error {
+	_, err := tftp.NewClient(d.options.Server)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// ProcessWord is the process implementation of gobustertftp
+func (d *GobusterTFTP) ProcessWord(ctx context.Context, word string, progress *libgobuster.Progress) error {
+	c, err := tftp.NewClient(d.options.Server)
+	if err != nil {
+		return err
+	}
+	c.SetTimeout(d.options.Timeout)
+	wt, err := c.Receive(word, "octet")
+	if err != nil {
+		// file not found
+		if d.globalopts.Verbose {
+			progress.ResultChan <- Result{
+				Filename:     word,
+				Found:        false,
+				ErrorMessage: err.Error(),
+			}
+		}
+
+		return nil
+	}
+	result := Result{
+		Filename: word,
+		Found:    true,
+	}
+	if n, ok := wt.(tftp.IncomingTransfer).Size(); ok {
+		result.Size = n
+	}
+	progress.ResultChan <- result
+	return nil
+}
+
+func (d *GobusterTFTP) AdditionalWords(word string) []string {
+	return []string{}
+}
+
+// GetConfigString returns the string representation of the current config
+func (d *GobusterTFTP) GetConfigString() (string, error) {
+	var buffer bytes.Buffer
+	bw := bufio.NewWriter(&buffer)
+	tw := tabwriter.NewWriter(bw, 0, 5, 3, ' ', 0)
+	o := d.options
+
+	if _, err := fmt.Fprintf(tw, "[+] Server:\t%s\n", o.Server); err != nil {
+		return "", err
+	}
+
+	if _, err := fmt.Fprintf(tw, "[+] Threads:\t%d\n", d.globalopts.Threads); err != nil {
+		return "", err
+	}
+
+	if d.globalopts.Delay > 0 {
+		if _, err := fmt.Fprintf(tw, "[+] Delay:\t%s\n", d.globalopts.Delay); err != nil {
+			return "", err
+		}
+	}
+
+	if _, err := fmt.Fprintf(tw, "[+] Timeout:\t%s\n", o.Timeout.String()); err != nil {
+		return "", err
+	}
+
+	wordlist := "stdin (pipe)"
+	if d.globalopts.Wordlist != "-" {
+		wordlist = d.globalopts.Wordlist
+	}
+	if _, err := fmt.Fprintf(tw, "[+] Wordlist:\t%s\n", wordlist); err != nil {
+		return "", err
+	}
+
+	if d.globalopts.PatternFile != "" {
+		if _, err := fmt.Fprintf(tw, "[+] Patterns:\t%s (%d entries)\n", d.globalopts.PatternFile, len(d.globalopts.Patterns)); err != nil {
+			return "", err
+		}
+	}
+
+	if d.globalopts.Verbose {
+		if _, err := fmt.Fprintf(tw, "[+] Verbose:\ttrue\n"); err != nil {
+			return "", err
+		}
+	}
+
+	if err := tw.Flush(); err != nil {
+		return "", fmt.Errorf("error on tostring: %w", err)
+	}
+
+	if err := bw.Flush(); err != nil {
+		return "", fmt.Errorf("error on tostring: %w", err)
+	}
+
+	return strings.TrimSpace(buffer.String()), nil
+}

gobustertftp/options.go

@@ -0,0 +1,16 @@
+package gobustertftp
+
+import (
+	"time"
+)
+
+// OptionsTFTP holds all options for the tftp plugin
+type OptionsTFTP struct {
+	Server  string
+	Timeout time.Duration
+}
+
+// NewOptionsTFTP returns a new initialized OptionsTFTP
+func NewOptionsTFTP() *OptionsTFTP {
+	return &OptionsTFTP{}
+}