getbetterat.work

Finding the Hidden Doors.

A website is like a big house. It has a front door that everyone can see. But it also has hidden doors, secret rooms, and locked boxes. Gobuster is a tool that tries thousands of likely names very fast to find those hidden doors.

Super fast. Finds folders. Finds subdomains.

The Problem

When you test a website to see if it is safe, you cannot just look at the main page. The real danger is often in hidden folders. For example, a folder named /backups or /admin_login. If there are no links to these pages, a normal visitor will never find them, but they are still reachable by anyone who knows, or guesses, the name.

The Solution

Gobuster solves this. It does not look for links. Instead, it guesses. It asks the website: "Do you have a folder called /admin? Do you have one called /test?" It does this many times every second, works through the whole list, and reports every guess the website says "Yes" to.

The Fuel: Wordlists

Gobuster cannot guess words from thin air. It needs a list to read from. This list is called a wordlist. It is just a text file with one word on every line.

Security testers share massive lists of the most common hidden folder names. Gobuster reads these files from top to bottom.

common_words.txt

admin
backup
test
api
v1
staging
config
database

Why is Gobuster so Fast?

Written in Go

Go is a programming language created at Google. It is built for running many tasks at the same time cheaply, which is exactly what sending lots of web requests in parallel needs.

No Heavy Graphics

Gobuster has no mouse buttons or nice windows. It runs in plain text. This means your computer spends all its power on guessing words, not drawing pictures.

Multithreading

Instead of asking the website one question at a time, Gobuster can ask 50 or 100 questions at the exact same moment.

The 3 Main Ways to Use Gobuster

DIR Mode

What it does: Looks for hidden folders and files on a website.

Example: It takes website.com and adds a word to the end. It checks website.com/admin, then website.com/backup, and so on.

gobuster dir -u http://website.com -w list.txt

DNS Mode

What it does: Looks for hidden subdomains.

Example: It takes a word and puts it at the front. It checks admin.website.com, then dev.website.com, and so on. This mode never talks to the website itself: it asks the DNS system whether each name resolves to an address, so it also finds machines that are not running a web server at all. The -d option is the bare domain, not a URL. If the domain answers every name with the same address (a wildcard DNS record), Gobuster warns you, because then every guess would look like a hit.

gobuster dns -d website.com -w list.txt

VHOST Mode

What it does: Looks for hidden virtual hosts on the same server.

Example: Sometimes one server holds many different websites and picks which one to show by the name in the request (the Host header). Gobuster sends the same request over and over, changing only that name: admin.website.com, dev.website.com, and so on. A name the server answers differently for is a site that lives on that machine but may not be in DNS at all. With Gobuster 3.2 and newer, add --append-domain so each word gets ".website.com" stuck on the end; otherwise the words are sent exactly as written.

gobuster vhost -u http://website.com -w list.txt

Reading the Results

When Gobuster asks for a path, the web server answers with a number. These numbers are called Status Codes. Gobuster prints the code next to each hit, along with the size of the answer. Here is what the common ones mean:

200

OK

The path exists and the server handed over the content. This is a clear win, but look at the Size column: if many different paths all come back with exactly the same size, the server is probably showing the same generic page for all of them.

301

Moved

Something exists at that path, but the server is sending you somewhere else. Most often this is a folder: ask for /admin and the server says "go to /admin/ instead". Gobuster prints the redirect target after an arrow.

403

Forbidden

Something exists at that path, but the server says "You are not allowed to open this door." Still worth writing down: it tells you the name is real. Some servers and firewalls answer 403 for every unknown path, so treat a wall of 403s with suspicion.

404

Not Found

The word did not match anything. The door does not exist. Gobuster hides these by default.

Breaking Down a Command

Let us look at the pieces of a real command. Every letter tells Gobuster exactly what to do.

gobuster dir -u https://example.com -w common.txt -t 50

dir

The Mode

Tells Gobuster we want to look for directories (folders).

-u

The URL (Target)

This is the website we are pointing Gobuster at.

-w

The Wordlist

This is the text file full of words that Gobuster will try to guess.

-t 50

The Threads (Speed)

This tells Gobuster to try 50 words at the exact same time. The default is 10. More threads means a faster run, but also more load on the website, so do not turn it up without thinking (see the beginner mistakes further down).

Getting the Tool on Your Computer

Before you can use Gobuster, you need to put it on your computer. If you are using Linux (which most security testers use), it is very simple.

On Kali Linux or Ubuntu:

Open your terminal and type this exact command:

sudo apt install gobuster

Check if it works:

To make sure it is ready, ask Gobuster for help. It should print out a list of instructions.

gobuster help

Where Do I Get Wordlists?

You do not have to write the words yourself. Other security testers have spent years collecting the best words.

Built into Kali Linux

If you use Kali Linux, the lists are already on your computer. You just have to know where to look.

/usr/share/wordlists/

A good first list is /usr/share/wordlists/dirb/common.txt: about 4,600 names, small enough to finish quickly on most sites.

SecLists

This is the most famous collection of lists on the internet. It has lists for everything you can imagine. The folder-and-file lists are under Discovery/Web-Content, and Discovery/DNS has subdomain names for DNS mode.

https://github.com/danielmiessler/SecLists (on Kali, sudo apt install seclists puts a copy under /usr/share/seclists/)

Looking for Specific Files

Sometimes you do not want to find folders. You want to find actual files, like a zip file of backups or a text file of passwords.

You can tell Gobuster to take every word in your list and glue a file ending (extension) to it. Use the -x option. Gobuster still tries the bare word too, so with three extensions every word becomes four requests: /backup, /backup.php, /backup.txt, /backup.zip. Pick endings that match the site (php on a PHP site, aspx on an IIS site) rather than listing all of them.

Common endings: .txt, .php, .zip, .bak

gobuster dir -u http://website.com -w list.txt -x php,txt,zip
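Here is an added shell example that ties "The Fuel: Wordlists" and the -x option together. It is not code from the page or from the Gobuster project. It takes a small made-up wordlist, cleans it the way Gobuster needs it (no comments, no blank lines, no leading slashes, no duplicates), prints every path a run with -x php,txt,zip would ask for, and works out how many requests that is. Only sed, awk and grep are used; the list contents are invented.

```sh
#!/bin/sh
# Added example, not code from the page or from the Gobuster project.
# Shows what a wordlist must look like before Gobuster reads it, and what
# "-x php,txt,zip" turns each word into. Only sed, awk and grep are used.

# Constructed raw wordlist with the noise real downloads carry: a comment,
# a blank line, duplicates, a leading slash. (Invented for this example.)
RAW_WORDLIST='# common directory names
admin
/admin
backup

Admin
test
api
backup
config'

# clean_wordlist: stdin -> stdout. Drops comment and blank lines, strips
# Windows line endings, surrounding spaces and leading slashes, and removes
# duplicates while keeping the original order. Case is NOT folded: Gobuster
# sends each word exactly as written and many servers treat /Admin and
# /admin as different paths.
clean_wordlist() {
    tr -d '\r' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's#^/*##' |
    grep -v -e '^#' -e '^$' |
    awk '!seen[$0]++'
}

# expand_extensions FILE EXTS: prints every path Gobuster requests for
# "-x EXTS" (comma separated): the bare word, then word.ext for each ext.
expand_extensions() {
    awk -v exts="$2" '
        BEGIN { n = split(exts, e, ",") }
        { print "/" $0; for (i = 1; i <= n; i++) print "/" $0 "." e[i] }
    ' "$1"
}

# request_count WORDS EXTS: number of HTTP requests one run will send.
# Check this before starting; it is what makes a big list "too big".
request_count() {
    if [ -z "$2" ]; then n=0; else n=$(printf '%s\n' "$2" | awk -F, '{ print NF }'); fi
    echo $(( $1 * (1 + n) ))
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$RAW_WORDLIST" | clean_wordlist > "$tmp"
    words=$(wc -l < "$tmp" | tr -d ' ')
    echo "cleaned list ($words words):"; cat "$tmp"
    echo "paths tried with -x php,txt,zip:"; expand_extensions "$tmp" php,txt,zip
    echo "requests for this run: $(request_count "$words" php,txt,zip)"
    rm -f "$tmp"
}
main
```

Run it with sh. The last line prints the request count (6 words times 4 = 24). Do the same multiplication for any real list before you start: a 200,000-line list with four extensions is a million requests, which is exactly the "too big" case the mistakes section warns about.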

Keeping a Record

Gobuster prints answers on your screen very fast, and a terminal only keeps a limited amount of scrollback. Always tell Gobuster to write the answers to a file (a notebook) so you can look at them later, compare runs, and paste them into a report.

Use the -o option to save.

gobuster dir -u http://website.com -w list.txt -o my_results.txt

Hiding the Junk Answers

Sometimes a website lies. When Gobuster asks for a page that does not exist, the website might give a "200 OK" answer (or a 403, or a redirect to the home page) instead of a "404 Not Found". If that happened for every guess, your screen would fill with junk. Gobuster checks for this first: before the run starts it asks for a random path that cannot exist, and if the server says "Yes" to that, Gobuster stops and warns you about a wildcard response.

You can tell Gobuster to ignore certain status codes using the -b (blacklist) option. 404 is ignored by default; this example also skips server errors:

"Hey Gobuster, if the website gives you a 404 or a 500 status code, do not show it to me. Just skip it."

gobuster dir -u http://website.com -w list.txt -b 404,500

A blacklist does not help with a site that says "200 OK" to everything, because -b 200 would hide the real pages too. For that case use --exclude-length with the size of the junk page: real pages have other sizes and still show up.
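Here is an added shell example of the check a tester does before a run (not code from the page or from the Gobuster project): ask the target for a few paths that cannot exist and look at the answers. Gobuster's own wildcard check does this with one random path; this version uses several and prints the flag to add. probe_baseline needs curl and network and is only used when you pass a URL; the demo runs offline on constructed probe results.

```sh
#!/bin/sh
# Added example, not code from the page or from the Gobuster project.
# Before a run, ask the target for a few paths that cannot exist and look at
# the answers. If every made-up path gets the same answer, that answer is
# the junk to hide. Gobuster's own wildcard check does this with one random
# path; this version uses several and tells you which flag to add.

# probe_baseline URL [N]: request N random paths, print "<status> <size>"
# per probe. Needs curl and network; the offline demo below does not use it.
probe_baseline() {
    url=${1%/}
    n=${2:-3}
    i=0
    while [ "$i" -lt "$n" ]; do
        rnd=$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')
        curl -s -o /dev/null -w '%{http_code} %{size_download}\n' "$url/$rnd"
        i=$((i + 1))
    done
}

# judge_baseline: reads "<status> <size>" lines on stdin and prints what to
# add to "gobuster dir": "none" for a well-behaved 404, --exclude-length
# with the junk size (or size range) for a catch-all, or a warning when the
# answers are not even consistent with each other.
judge_baseline() {
    awk '
        {
            status[$1]++; n++
            if (n == 1 || $2 + 0 < min) min = $2 + 0
            if (n == 1 || $2 + 0 > max) max = $2 + 0
        }
        END {
            if (n == 0) { print "no probes"; exit }
            for (s in status) if (status[s] == n) only = s
            if (only == "")         print "unstable: statuses differ, review by hand"
            else if (only == "404") print "none"
            else if (min == max)    print "--exclude-length " min
            else                    print "--exclude-length " min "-" max
        }'
}

main() {
    if [ -n "$1" ]; then
        probe_baseline "$1" 3 | judge_baseline
    else
        # Offline demo with constructed probe results for a site that answers
        # every unknown path with the same 3412-byte "200 OK" page.
        printf '200 3412\n200 3412\n200 3412\n' | judge_baseline
    fi
}
main "$@"
```

Run it with a URL argument to probe a live target, or with no argument for the constructed demo. Whatever it prints goes straight onto the Gobuster command, for example --exclude-length 3412. A size range is printed when the junk page varies a little (it often echoes the requested path back), and --exclude-length accepts ranges written like 3410-3419.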

Passing the Bouncer (Cookies)

Imagine a website has a private area. You can only see the hidden folders after you log in with a username and password. When you log in, the website gives your browser a special stamp called a Cookie, and your browser shows that stamp with every later request.

The Problem

Gobuster is a robot. It does not know your password. If it tries to guess folders, the website will just say "You are not logged in" to every single guess, usually as a redirect (302) to the login page, or a 401 or 403.

The Solution

You log in yourself in your normal web browser. You copy the Cookie stamp from the browser's developer tools (the Storage or Application tab). Then you hand that stamp to Gobuster with the -c option, written exactly as the browser sends it: name=value, with "; " between cookies if there are several.

gobuster dir -u http://website.com -w list.txt -c "session_id=12345ABC"

Two things to check: the session has to stay valid for the whole run (some sites log you out after a few minutes or after too many requests), and a redirect to the login page on every single hit means the stamp is wrong or has expired.
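Here is an added shell example of handing the stamp over without copying it by hand (not code from the page or from the Gobuster project): log in once with curl, keep the cookies the server sets in a cookie jar, and turn that jar into the "name=value; name=value" string that -c expects. The /login and /account paths, the form field names and the cookie names are all assumptions, and the jar used in the offline demo is constructed.

```sh
#!/bin/sh
# Added example, not code from the page or from the Gobuster project.
# Log in once with curl, keep the cookies the server sets in a cookie jar,
# and turn that jar into the "name=value; name=value" string Gobuster's -c
# option expects. The /login and /account paths, the form field names and
# the cookie names are all assumptions.

# login_and_save URL JAR: post a login form and store the cookies the server
# sets in JAR (curl's Netscape cookie-jar format). Needs network.
login_and_save() {
    curl -s -o /dev/null -c "$2" \
        -d 'username=tester' -d 'password=Secret123' \
        "${1%/}/login"
}

# jar_to_cookie_header JAR: print the Cookie header value for -c.
# Jar lines are tab separated: domain, subdomain flag, path, secure flag,
# expiry, name, value. curl writes HttpOnly cookies with a "#HttpOnly_"
# prefix on the domain field, so those lines look like comments but are
# exactly the session cookies we need and must be kept.
jar_to_cookie_header() {
    awk -F '\t' '
        /^#HttpOnly_/ || !/^#/ {
            if (NF >= 7) cookies = cookies (cookies == "" ? "" : "; ") $6 "=" $7
        }
        END { print cookies }
    ' "$1"
}

# session_is_valid URL COOKIES: a page that needs a login should answer 200
# with the cookies and not redirect to the login form. Run this before a
# long Gobuster job; a stale session turns every hit into a 302. Needs network.
session_is_valid() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -b "$2" "${1%/}/account")
    [ "$code" = "200" ]
}

# write_sample_jar FILE: constructed jar standing in for a real login so
# the example runs offline.
write_sample_jar() {
    printf '%s\n' '# Netscape HTTP Cookie File' '# constructed sample' '' > "$1"
    printf '#HttpOnly_website.com\tFALSE\t/\tFALSE\t0\tsession_id\t12345ABC\n' >> "$1"
    printf 'website.com\tFALSE\t/\tTRUE\t1800000000\tcsrf\ttok42\n' >> "$1"
}

main() {
    jar=$(mktemp)
    if [ -n "$1" ]; then
        login_and_save "$1" "$jar"
    else
        write_sample_jar "$jar"
    fi
    cookies=$(jar_to_cookie_header "$jar")
    echo "gobuster dir -u ${1:-http://website.com} -w list.txt -c \"$cookies\""
    rm -f "$jar"
}
main "$@"
```

With no argument it prints the finished command for the constructed jar; with a URL it logs in for real first. The HttpOnly handling is the part people get wrong: a naive "skip lines starting with #" drops the one cookie that matters.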

Gobuster vs. The Rest

WINNER

Gobuster

  • Very fast (Go language)
  • Very easy to use
  • Good for beginners

Dirb

  • Very old tool
  • Very slow
  • Comes installed on Kali

Ffuf

  • Extremely fast
  • Harder to learn
  • Can do more complex tricks

Dealing with Slow Websites

If Gobuster asks a question and the website takes too long to answer, Gobuster gives up on that guess and counts it as an error. By default it waits 10 seconds. If the website is just slow, you will miss a lot of hidden folders this way, and a large error count in the output is the sign.

You can tell Gobuster to be more patient and wait longer for an answer by using the --timeout option. Lowering the thread count at the same time also helps a slow site keep up.

gobuster dir -u http://website.com -w list.txt --timeout 30s

Top 3 Beginner Mistakes

1

Forgetting the "http://"

If you just type -u website.com, Gobuster does not refuse; it quietly assumes plain http://. On a site that only speaks https, every request then goes to the wrong place and you get errors or nothing. Always tell it exactly how to connect by typing -u http://website.com or -u https://website.com.

2

Using a Wordlist that is Too Big

Some wordlists have 10 million words. This can take days to finish and might break the website. Start with a small "common" list first.

3

Running it Too Fast

If you use -t 200 (200 questions at once), the website's security guards (a firewall or rate limiter) might decide you are attacking them and ban your computer, and a small site can simply fall over. -t 50 is a reasonable starting point for a site you own or a lab machine; on a real engagement, use the speed the owner agreed to, and drop it if you start seeing errors or 429 (Too Many Requests) answers.

What to Do After You Find Something

So, Gobuster told you that /admin_panel exists and gave you a 200 OK status. What do you do now?

1. Open It

Put the link directly into your normal web browser (like Chrome or Firefox) and see what the page looks like with your own eyes.

2. Dig Deeper

Run Gobuster AGAIN, but this time aim it at the new folder (Example: -u http://website.com/admin_panel/) to see what is hiding inside it. Gobuster does not do this by itself: it never follows what it finds, so every new folder needs its own run.

3. Write it Down

If you are doing a professional security test, take a screenshot of the hidden page to put in your final report.
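Here is an added shell example covering both "Reading the Results" and "Dig Deeper" (not code from the page or from the Gobuster project). It reads a saved -o results file, counts hits per status code so you can see at a glance whether one code dominates, picks out the hits that look like folders, and runs Gobuster against each of them, which Gobuster will not do on its own. The sample lines are constructed in the format gobuster 3.x prints for dir mode; website.com and list.txt are placeholders.

```sh
#!/bin/sh
# Added example, not code from the page or from the Gobuster project.
# Reads a saved Gobuster dir output file (-o), counts hits per status code,
# picks the hits worth a second run, and runs Gobuster against each of
# them. Gobuster itself never recurses into what it finds.

# Constructed sample in the line format gobuster 3.x dir prints.
SAMPLE_RESULTS='/admin                (Status: 301) [Size: 312] [--> http://website.com/admin/]
/robots.txt           (Status: 200) [Size: 45]
/config               (Status: 403) [Size: 277]
/backup.zip           (Status: 200) [Size: 104857]
/api                  (Status: 200) [Size: 1023]
/uploads              (Status: 301) [Size: 314] [--> http://website.com/uploads/]'

# status_summary FILE: "count status" per status code, largest first, so
# one glance shows whether the run is dominated by a single code.
status_summary() {
    sed -n 's/.*(Status: \([0-9][0-9]*\)).*/\1/p' "$1" | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# next_targets FILE: paths that look like folders: a 301/302 whose redirect
# ends in "/", or a 200/403 path with no file extension. These are the ones
# to feed back in as "gobuster dir -u BASE/PATH/".
next_targets() {
    awk '
        match($0, /^\/[^ ]+/) {
            path = substr($0, RSTART, RLENGTH)
            status = ""
            if (match($0, /\(Status: [0-9]+\)/))
                status = substr($0, RSTART + 9, RLENGTH - 10)
            if ((status == "301" || status == "302") && $0 ~ /\/\]$/) print path
            else if ((status == "200" || status == "403") && path !~ /\.[A-Za-z0-9]+$/) print path
        }' "$1"
}

# recurse_once BASE RESULTS WORDLIST: one level of follow-up runs, one
# output file per folder. Only prints the command when gobuster is missing.
recurse_once() {
    base=${1%/}
    next_targets "$2" | while read -r path; do
        out="results$(echo "$path" | tr '/' '_').txt"
        if command -v gobuster >/dev/null 2>&1; then
            gobuster dir -u "$base$path/" -w "$3" -o "$out"
        else
            echo "would run: gobuster dir -u $base$path/ -w $3 -o $out"
        fi
    done
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RESULTS" > "$tmp"
    echo "hits per status:"; status_summary "$tmp"
    echo "folders to scan next:"; next_targets "$tmp"
    rm -f "$tmp"
}
main
```

Point recurse_once at your real base URL, your -o file and your wordlist to run the second level. Check the status summary first: if almost every hit is one code with one size, you are looking at a catch-all response, not at real folders, and the follow-up runs would only multiply the junk.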

The Golden Rule

Gobuster makes a lot of noise. It sends thousands of requests to a server very quickly. Never use Gobuster on a website unless you own the website, or you have clear, written permission from the owner to test it.