🛠️ Gobuster

Installation

sudo apt install gobuster

Core Modes

The mode defines what you are brute-forcing.

| Mode  | Description                                 |
|-------|---------------------------------------------|
| dir   | Directories                                 |
| dns   | Subdomains                                  |
| vhost | Virtual hosts (one IP hosts multiple sites) |
| s3    | Public Amazon S3 buckets                    |
| fuzz  | Generic fuzzing mode                        |

Common Commands

  1. Directory brute-forcing
     gobuster dir -u <target_URL> -w ~/Downloads/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
  2. Search for specific file extensions (.html, .php, .bak, .txt, …)
     gobuster dir -u <target_URL> -w ~/Downloads/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -x php,html,txt,bak
  3. Fuzzing for subdomains
     gobuster dns -d example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  4. Fuzzing for virtual hosts
     gobuster vhost -u <target_URL> -w ~/Downloads/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt --append-domain
  5. Speeding up
     gobuster dir -u <target_URL> -w ~/Downloads/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -t 50
  6. Quiet mode: omit the banner and progress bar, then redirect the output to a file.
     gobuster dir -u <target_URL> -w ~/Downloads/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -q > found_dirs.txt
  7. Handling SSL/TLS issues: used when the target has an expired or self-signed certificate (-k skips certificate verification).
     gobuster dir -u <target_URL> -w ~/Downloads/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -k
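
On the defender's side, the dir-mode runs above leave a recognisable trace in web access logs: many requests from one client, most of them answered 404, and by default a gobuster/<version> User-Agent. The script below is an added example, not part of the original notes, that flags such clients in a combined-format access log. The function names, thresholds, addresses and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag clients whose traffic looks like directory brute-forcing.
# Thresholds, addresses and log lines are constructed for illustration.

# detect_dir_bruteforce LOGFILE [MIN_REQUESTS] [MIN_404_PERCENT]
# Prints "ip requests not_found ua" for each client that sent at least
# MIN_REQUESTS requests with MIN_404_PERCENT or more of them answered 404.
detect_dir_bruteforce() {
    awk -F'"' -v min_req="${2:-5}" -v min_pct="${3:-80}" '
    {
        # Combined log format split on double quotes:
        #   $1 = ip ident user [time]   $3 = status and size   $6 = User-Agent
        split($1, head, " "); ip = head[1]
        split($3, resp, " "); status = resp[1]
        total[ip]++
        if (status == 404) missed[ip]++
        # gobuster sends "gobuster/<version>" unless the operator overrides it
        if ($6 ~ /^gobuster\//) tool[ip] = 1
    }
    END {
        for (ip in total) {
            pct = 100 * missed[ip] / total[ip]
            if (total[ip] >= min_req && pct >= min_pct)
                printf "%s %d %d %s\n", ip, total[ip], missed[ip],
                       (tool[ip] ? "gobuster-ua" : "other-ua")
        }
    }' "$1" | sort
}

# Constructed access log: a wordlist scan, a normal browser, a scan with a custom UA.
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [01/Jan/2026:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.10 - - [01/Jan/2026:10:00:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.10 - - [01/Jan/2026:10:00:01 +0000] "GET /images HTTP/1.1" 301 178 "-" "gobuster/3.6"
203.0.113.10 - - [01/Jan/2026:10:00:02 +0000] "GET /login HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.10 - - [01/Jan/2026:10:00:02 +0000] "GET /test HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.10 - - [01/Jan/2026:10:00:02 +0000] "GET /uploads HTTP/1.1" 404 153 "-" "gobuster/3.6"
198.51.100.7 - - [01/Jan/2026:10:01:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2026:10:01:11 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2026:10:02:00 +0000] "GET /old HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2026:10:02:00 +0000] "GET /dev HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2026:10:02:00 +0000] "GET /staging HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2026:10:02:01 +0000] "GET /tmp HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2026:10:02:01 +0000] "GET /private HTTP/1.1" 404 153 "-" "Mozilla/5.0"
EOF
}

sample_log | detect_dir_bruteforce -
```

The third client shows why the User-Agent match is only a hint: the 404 ratio still flags a scan that replaced the default header.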