What is Gobuster?

Gobuster is a fast, efficient directory/file and DNS brute-forcing tool written in Go. It's designed to help security professionals discover hidden content on web servers, enumerate subdomains, and identify potential attack vectors that aren't linked or easily discoverable through normal browsing.

Unlike web crawlers that follow links, Gobuster uses wordlists to systematically test for the existence of directories, files, and subdomains. This makes it invaluable for:

  • Finding hidden admin panels, configuration files, and backup directories
  • Discovering API endpoints that aren't publicly documented
  • Enumerating subdomains to map an organization's attack surface
  • Identifying forgotten or unprotected resources on web servers
  • Reconnaissance during penetration testing engagements

Why Gobuster?

Written in Go for blazing-fast performance, Gobuster can make thousands of requests per second. It's simple, efficient, and doesn't have the bloat of older tools. No GUI, no Java runtime - just pure speed.

Gobuster Modes

1. Directory/File Enumeration (dir mode)

The most common mode - discovers hidden directories and files on web servers.

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

  • Tests every word in the wordlist against the target URL
  • Identifies valid paths based on HTTP status codes
  • Can specify file extensions to search for (.php, .html, .txt, etc.)
  • Supports custom headers, cookies, and authentication

2. DNS Subdomain Enumeration (dns mode)

Discovers subdomains by brute-forcing DNS queries.

gobuster dns -d example.com -w /usr/share/wordlists/subdomains.txt

  • Finds subdomains like dev.example.com, api.example.com, admin.example.com
  • Essential for mapping an organization's infrastructure
  • Can reveal staging servers, internal tools, and forgotten resources
  • Uses DNS resolution instead of HTTP requests

3. Virtual Host Enumeration (vhost mode)

Discovers virtual hosts by testing Host headers on a single IP.

gobuster vhost -u http://192.168.1.100 -w /usr/share/wordlists/vhosts.txt

  • Useful when multiple sites are hosted on one IP
  • Tests different Host header values to find hidden sites
  • Can reveal internal applications not meant to be public

4. Fuzzing Mode (fuzz mode)

Generic fuzzing: the FUZZ keyword in the request is replaced with each wordlist entry in turn.

gobuster fuzz -u http://target.com/?id=FUZZ -w /usr/share/wordlists/numbers.txt

  • Test parameters, IDs, or any part of a URL
  • More flexible than dir mode for custom fuzzing
  • Can fuzz headers, body content, or any request component

Pro Tip: Choose the Right Mode

Use dir for initial web enumeration, dns for subdomain discovery before scanning, vhost when you find shared hosting, and fuzz for custom parameter testing.

Essential Gobuster Options

Core Options

-u URL        # Target URL (required for dir/vhost/fuzz)
-d DOMAIN     # Target domain (required for dns)
-w WORDLIST   # Path to wordlist file (required)
-t THREADS    # Number of concurrent threads (default: 10)
-o OUTPUT     # Write results to file

Directory Mode Specific

-x EXTENSIONS    # File extensions to search (.php,.html,.txt)
-s STATUSCODES   # Positive status codes (200,301,302)
-b STATUSCODES   # Negative status codes to exclude
-k               # Skip SSL certificate verification
-r               # Follow redirects
-c COOKIE        # Specify cookie for the requests
-H HEADER        # Add custom header (can use multiple times)
-a USERAGENT     # Set custom User-Agent string
-P PASSWORD      # Password for Basic Auth
-U USERNAME      # Username for Basic Auth

Performance Tuning

-t 50            # Increase threads for faster scanning
--delay 1s       # Delay between requests (avoid rate limiting)
--timeout 10s    # HTTP timeout (default: 10s)
-q               # Quiet mode (less output)
-v               # Verbose mode (more output)

Performance vs. Stealth

Higher thread counts (-t) mean faster scans but more detectable traffic. Use delays and lower thread counts for stealthier enumeration on real engagements.

Common Wordlists

Kali Linux Built-in Wordlists

Kali Linux comes with several excellent wordlists for different purposes:

# Directory/File wordlists
/usr/share/wordlists/dirb/common.txt                                   # 4,614 entries - good starting point
/usr/share/wordlists/dirb/big.txt                                      # 20,469 entries - more comprehensive
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt           # 220,560 entries

# DNS/Subdomain wordlists
/usr/share/wordlists/dnsmap.txt                                        # Common subdomains
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# SecLists (must install separately)
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Choosing the Right Wordlist

  • Small (< 5,000 words): Quick scans, testing, initial reconnaissance
  • Medium (5,000-50,000 words): Standard penetration testing engagements
  • Large (> 50,000 words): Comprehensive audits, CTFs, thorough testing
  • Custom wordlists: Target-specific (company names, technologies, known patterns)

SecLists - Essential Collection

Install SecLists for the most comprehensive wordlist collection: sudo apt install seclists or clone from github.com/danielmiessler/SecLists

Practical Examples

Basic Directory Enumeration

gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt

Directory Scan with File Extensions

gobuster dir -u http://example.com -w common.txt -x php,html,txt,js

Fast Scan with Custom Threads

gobuster dir -u http://example.com -w common.txt -t 50 -o results.txt

Scan with Authentication

gobuster dir -u http://example.com -w common.txt -U admin -P password123

Subdomain Enumeration

gobuster dns -d example.com -w /usr/share/wordlists/subdomains.txt -t 50

Virtual Host Discovery

gobuster vhost -u http://example.com -w subdomains.txt -t 50

API Endpoint Discovery

gobuster dir -u http://api.example.com -w api-endpoints.txt -x json

Save Your Results

Always use -o filename.txt to save scan results. You'll want to review them later, compare scans, or include in reports.

Understanding HTTP Status Codes

Important Status Codes for Enumeration

  • 200 OK: Resource found and accessible - HIGH PRIORITY
  • 301 Moved Permanently: Resource redirected - follow the location
  • 302 Found: Temporary redirect - may indicate login required
  • 401 Unauthorized: Authentication required - but resource exists!
  • 403 Forbidden: Resource exists but access denied - try to bypass
  • 404 Not Found: Resource doesn't exist - ignore (default hidden)
  • 500 Internal Server Error: Server error - might reveal info in response
  • 503 Service Unavailable: Temporarily unavailable - try later

403 is Your Friend

A 403 Forbidden status means the resource EXISTS but you don't have permission. This is valuable intelligence - you found something protected!

Customizing Status Code Detection

# Only show specific status codes (gobuster 3.1+ blacklists 404 by default and
# refuses -s together with a non-empty -b, so clear the blacklist with -b "")
gobuster dir -u http://target.com -w common.txt -s "200,301,302,401,403" -b ""
# Exclude specific status codes
gobuster dir -u http://target.com -w common.txt -b "404,400"
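Reviewing a saved -o file by status code, as an added example (not gobuster's own code): the sample results below are constructed, but each line uses the "/path (Status: NNN) [Size: N]" format that gobuster dir writes, and the functions group and order the findings in the review priority described above.

```shell
#!/bin/sh
# Triage a gobuster "-o results.txt" file by HTTP status code.
# Example code added here, not part of gobuster. The sample data is constructed;
# the line format "/path (Status: NNN) [Size: N]" is the one gobuster dir writes.

# Write a constructed results file to the path given in $1.
write_sample_results() {
  cat > "$1" <<'EOF'
/index.html           (Status: 200) [Size: 1234]
/images               (Status: 301) [Size: 312] [--> http://target.com/images/]
/admin                (Status: 403) [Size: 277]
/backup               (Status: 403) [Size: 277]
/api                  (Status: 401) [Size: 0]
/login                (Status: 302) [Size: 0] [--> /login/]
/.htaccess            (Status: 403) [Size: 277]
EOF
}

# Paths that returned the given status code, one per line, in file order.
paths_with_status() {  # $1 = results file, $2 = status code
  awk -v want="(Status: $2)" 'index($0, want) { print $1 }' "$1"
}

# "code count" per status code, sorted by code.
status_summary() {  # $1 = results file
  awk 'match($0, /\(Status: [0-9]+\)/) {
         n[substr($0, RSTART + 9, RLENGTH - 10)]++
       }
       END { for (c in n) print c, n[c] }' "$1" | sort
}

# Review order: protected resources (401/403) first, then live content (200),
# then redirects (301/302). Each output line is "code path".
triage() {  # $1 = results file
  for code in 401 403 200 301 302; do
    paths_with_status "$1" "$code" | sed "s/^/$code /"
  done
}

# Demo on the constructed sample; point the functions at a real -o file instead.
results=$(mktemp)
write_sample_results "$results"
status_summary "$results"
triage "$results"
rm -f "$results"
```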

Gobuster vs. Other Tools

Gobuster vs. Dirb

  • Speed: Gobuster is significantly faster (written in Go vs C)
  • Threading: Gobuster has better multi-threading support
  • Simplicity: Gobuster has cleaner, more intuitive syntax
  • Maintenance: Gobuster is actively maintained; Dirb is legacy
  • When to use Dirb: If you need recursive scanning with specific depth control

Gobuster vs. DirBuster

  • Interface: Gobuster is CLI-only; DirBuster has a GUI
  • Speed: Gobuster is faster and more efficient
  • Maintenance: DirBuster is no longer actively developed
  • When to use DirBuster: If you absolutely need a GUI or are teaching beginners

Gobuster vs. Feroxbuster

  • Features: Feroxbuster has more bells and whistles (auto-recursive, filtering, etc.)
  • Speed: Both are very fast (both written in modern languages - Go vs Rust)
  • Simplicity: Gobuster is simpler and easier to learn
  • When to use Feroxbuster: For advanced filtering, auto-recursion, or more complex scans

Gobuster vs. ffuf

  • Purpose: ffuf is a general-purpose fuzzer; Gobuster is specialized
  • Flexibility: ffuf can fuzz any part of a request; Gobuster is focused on dirs/DNS
  • Ease of Use: Gobuster is simpler for basic enumeration
  • When to use ffuf: For parameter fuzzing, complex matching, or advanced scenarios

The Professional's Choice

Most modern penetration testers use Gobuster for directory/DNS enumeration due to its speed, simplicity, and reliability. Keep it in your core toolkit.

Legal and Ethical Considerations

CRITICAL: AUTHORIZED TESTING ONLY

Using Gobuster or any enumeration tool against systems you don't own or have explicit written permission to test is ILLEGAL and can result in criminal prosecution under laws like the Computer Fraud and Abuse Act (CFAA) and similar laws worldwide.

Legal Testing Scenarios

  • Your Own Systems: Servers, websites, and applications you own
  • Authorized Penetration Tests: With signed contracts and defined scope
  • Bug Bounty Programs: Following the program's rules and scope exactly
  • Capture The Flag (CTF): HackTheBox, TryHackMe, PentesterLab, etc.
  • Educational Labs: DVWA, WebGoat, Juice Shop, and this training environment

Responsible Enumeration

  • Respect Rate Limits: Use --delay to avoid DoS-like traffic
  • Stay in Scope: Only test the URLs/domains explicitly authorized
  • Reduce Thread Count: Lower threads on production systems to minimize impact
  • Time Your Scans: Run intensive scans during low-traffic periods
  • Document Everything: Keep your authorization and scope documents accessible
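The "Stay in Scope" point above, as an added example (this is not gobuster's own code): a wrapper that reads the -u/-d target from the argument list, compares its host against a scope file of authorized hosts, and refuses to start gobuster otherwise. The scope file path, its entries, and the function names are assumptions.

```shell
#!/bin/sh
# Scope gate for gobuster runs: the target named by -u or -d must appear in a
# scope file (one authorized hostname or IPv4 address per line) or the run is refused.
# Example code added here, not part of gobuster; the scope entries are placeholders.

# Host part of "scheme://host:port/path" or of a bare domain.
target_host() {
  printf '%s\n' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#/.*$##; s#:[0-9]+$##'
}

# Print the value that follows -u or -d in a gobuster argument list.
target_from_args() {
  prev=""
  for a in "$@"; do
    case "$prev" in -u|-d) printf '%s\n' "$a"; return 0 ;; esac
    prev=$a
  done
  return 1
}

# Succeed only when the target's host is an exact line in the scope file
# (so "example.com.attacker.test" does not match an "example.com" entry).
in_scope() {  # $1 = scope file, $2 = URL or domain
  grep -Fxq -- "$(target_host "$2")" "$1"
}

# Run gobuster with the given arguments, but only for an in-scope target.
safe_gobuster() {  # $1 = scope file; remaining arguments go to gobuster
  scope=$1
  shift
  target=$(target_from_args "$@") || { echo "no -u/-d target given" >&2; return 2; }
  if ! in_scope "$scope" "$target"; then
    echo "refusing: $(target_host "$target") is not listed in $scope" >&2
    return 1
  fi
  gobuster "$@"
}

# Demo with a constructed scope file: the host is not listed, so the run is
# refused and gobuster itself is never started.
scope=$(mktemp)
printf '%s\n' example.com dev.example.com 192.168.1.100 > "$scope"
safe_gobuster "$scope" dir -u http://api.example.com -w common.txt || echo "run blocked"
rm -f "$scope"
```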

When Things Go Wrong

  • If you accidentally scan the wrong target, STOP IMMEDIATELY
  • Notify the system owner if you cause any issues
  • Never hide or destroy logs - be transparent
  • Review your scope documents before every scan

Professional Ethics

As security professionals, our goal is to improve security, not exploit it. Always operate with integrity, respect boundaries, and use your skills to make systems safer.

Next Steps

Ready to start practicing? Here's your learning path:

  1. Explore the Enumeration Lab: Practice Gobuster commands in a safe simulated environment
  2. Complete the Challenges: 10 auto-graded exercises to test your knowledge
  3. Reference Tab: Quick reference for commands, options, and status codes
  4. Install Gobuster: sudo apt install gobuster on Kali Linux
  5. Practice on Legal Targets: TryHackMe, HackTheBox, or your own web server

You're Ready!

Head to the Enumeration Lab tab to start practicing commands, or jump to Challenges to test your skills!


Gobuster Modes

Mode  | Purpose                           | Example
dir   | Directory/file brute-forcing      | gobuster dir -u http://target.com -w wordlist.txt
dns   | Subdomain enumeration             | gobuster dns -d example.com -w subdomains.txt
vhost | Virtual host discovery            | gobuster vhost -u http://target.com -w vhosts.txt
fuzz  | Generic fuzzing with FUZZ keyword | gobuster fuzz -u http://target.com/FUZZ -w wordlist.txt

Essential Flags

Flag               | Description                 | Example
-u URL             | Target URL (dir/vhost/fuzz) | -u http://example.com
-d DOMAIN          | Target domain (dns)         | -d example.com
-w WORDLIST        | Wordlist path               | -w /usr/share/wordlists/dirb/common.txt
-t THREADS         | Number of threads           | -t 50
-x EXTENSIONS      | File extensions (dir mode)  | -x php,html,txt,js
-s CODES           | Positive status codes       | -s "200,204,301,302,307,401,403"
-b CODES           | Negative status codes       | -b "404,400"
-o OUTPUT          | Save output to file         | -o results.txt
-k                 | Skip SSL verification       | -k
-r                 | Follow redirects            | -r
-c COOKIE          | Use cookie for requests     | -c "session=abc123"
-H HEADER          | Add custom header           | -H "Authorization: Bearer token"
-a AGENT           | Custom User-Agent           | -a "Mozilla/5.0"
-U USERNAME        | Username for Basic Auth     | -U admin
-P PASSWORD        | Password for Basic Auth     | -P password123
--delay DURATION   | Delay between requests      | --delay 100ms
--timeout DURATION | HTTP timeout                | --timeout 10s
-q                 | Quiet mode                  | -q
-v                 | Verbose mode                | -v

HTTP Status Codes

Code | Meaning                    | Significance for Enumeration
200  | OK                         | Resource found and accessible - investigate further
201  | Created                    | Resource was created - might indicate API endpoint
204  | No Content                 | Request succeeded but no content - valid endpoint
301  | Moved Permanently          | Follow redirect to find new location
302  | Found (Temporary Redirect) | May indicate login required or conditional access
307  | Temporary Redirect         | Similar to 302, preserves request method
400  | Bad Request                | Malformed request - try different format
401  | Unauthorized               | Authentication required - resource exists!
403  | Forbidden                  | Access denied - resource exists, try to bypass
404  | Not Found                  | Resource doesn't exist - typically filtered out
405  | Method Not Allowed         | Wrong HTTP method - try GET/POST/PUT/DELETE
500  | Internal Server Error      | Server error - may reveal info in response
502  | Bad Gateway                | Proxy/gateway error - backend may be down
503  | Service Unavailable        | Temporarily unavailable - try again later

Common Wordlists

Wordlist                                                             | Size    | Use Case
/usr/share/wordlists/dirb/common.txt                                 | 4,614   | Quick initial scans, common directories
/usr/share/wordlists/dirb/big.txt                                    | 20,469  | More comprehensive web content
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt         | 220,560 | Thorough directory enumeration
/usr/share/seclists/Discovery/Web-Content/common.txt                 | 4,713   | General web content discovery
/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt | 62,284  | Comprehensive directory scanning
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt    | 5,000   | Popular subdomain names
/usr/share/wordlists/dnsmap.txt                                      | ~1,000  | Common subdomain patterns

Quick Command Examples

Scenario                   | Command
Basic directory scan       | gobuster dir -u http://target.com -w common.txt
Scan with file extensions  | gobuster dir -u http://target.com -w common.txt -x php,html,txt
Fast scan with 50 threads  | gobuster dir -u http://target.com -w common.txt -t 50
Scan with output to file   | gobuster dir -u http://target.com -w common.txt -o results.txt
Subdomain enumeration      | gobuster dns -d example.com -w subdomains.txt
Virtual host discovery     | gobuster vhost -u http://target.com -w vhosts.txt
Skip SSL verification      | gobuster dir -u https://target.com -w common.txt -k
With authentication        | gobuster dir -u http://target.com -w common.txt -U admin -P pass123
Custom User-Agent          | gobuster dir -u http://target.com -w common.txt -a "Mozilla/5.0"
With cookie                | gobuster dir -u http://target.com -w common.txt -c "session=abc123"
