gobuster – finding files, directories and subdomains

What is it?

gobuster is actually quite a multitool: when you look at the help page there are modules to find subdomains, directories, files and more.

Most of the time you will use gobuster to find directories and files on a webserver by using a wordlist.

Secondly you can use it to find subdomains – also by using wordlists.

This is where it differs from sublist3r and the likes: Those tools are in the OSINT category. So sublister uses openly available data source to find subdomains and therefor doesn’t touch the target.

gobuster does touch to target.

It uses the entries in the wordlist and checks if that file. directory or subdomain is available.

So lets look at help first

So we see 7 commands (or modules if you like).

We will talk about the dir and dns command here -wich probably are the two that are used most often.

The dir command

This command finds directories – and with the -x switch also files – on a webserver.

We will use the

/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

wordlist here.

Lets start with the most basic case:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.103.116

So: gobuster goes through the wordlist and checks each entry if it maches a directory on the server.

As you can see here it has finished a bit over one percent and found one directory: assets

Directories are nice – but how about files?

Looking at the help file we find the -x switch that takes files extensions as argument.

gobuster dir -x php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.103.116

 

So again a bit more than 1% finished – this time gobuster also finds the files that correspond to the extensions we provided to the -x switch: html, php, txt.

So you get the idea.

The parameters I probably use most often are these:

gobuster dir -e -t50 -q -x php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.103.116

 

The -e switch prints out the whole URL, with the -t switch you can control the number of threads to be used by the tool. And therefore how nosy and quick it will act.

-q supresses all output but the URL gobuster finds.

There are more switches to explore – but these are the ones I use most often.

The DNS command

The DNS command looks for subdomains for a given domain by going through a given wordlist.

We will use

/usr/share/wordlists/seclists/Discovery/DNS/shubs-subdomains.txt

here.

Lets try it out with a basic example again:

gobuster dns -w /usr/share/wordlists/seclists/Discovery/DNS/shubs-subdomains.txt -d google.de

We see that based on the wordlist we found quite a few subdomains here.

Of course we also add some switches here to make the output a bit less noisy and a bit more convenient.

gobuster dns -q -t50 -w /usr/share/wordlists/seclists/Discovery/DNS/shubs-subdomains.txt -d google.de

These are the two commands within gobuster that are probably used most often.

We will look at the remaining commands in a later article.

As always: let me know what you think in the comments

Leave a Reply

Your email address will not be published. Required fields are marked *