The Be Sure Blog

Code Snippets | Problem Solving | Tips & Tricks


Gobuster: The brute force security tool

posted on 31.5.2023 by Below Surface in "Gobuster"

Disclaimer: Please only use these commands if you have permission to use them on the IP address of your choice.

GoBuster is a tool for brute forcing URIs, DNS subdomains, virtual host names, Amazon S3 buckets, Google Cloud buckets and TFTP servers.

Example 1: Searching for subdomains.

This example makes use of the subdomains-top1million-5000.txt word list. If you don't have it yet, install it with:

sudo apt install seclists

Then run this command to enumerate virtual hosts on the target machine (replace the placeholder with the target's base URL). Please make sure to add the flag "--append-domain" if you are using GoBuster v3.2 or higher.

sudo gobuster vhost -u http://<target-domain> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

A positive result for an open S3 bucket could look like this:

Found: Status: 404 [Size: 21]

Example 2: Find a .php file that could be used to authenticate.

gobuster dir --url http://yourmachinesipaddress/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html

In this case, GoBuster found a file called "login.php", which was exactly what we were looking for.
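Seen from the server side, the dir scan in Example 2 leaves a dense burst of 404s from one client in the access log, interrupted by the odd 200 when a guess (like login.php) exists. The following Python snippet is an added example, not part of the original post or of GoBuster itself: it parses Apache/nginx "combined" log lines, flags any client IP that produces five or more 404s inside a ten-second window, and records which paths that client actually found. The log lines and IP addresses are constructed, and the "gobuster/3.5" User-Agent is assumed to mirror the tool's default string.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format: ip - - [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 brute-forces paths (many 404s, one 200 hit on login.php)
# with an assumed default gobuster User-Agent; 198.51.100.9 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [31/May/2023:10:00:00 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.5"
203.0.113.7 - - [31/May/2023:10:00:00 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.5"
203.0.113.7 - - [31/May/2023:10:00:01 +0000] "GET /config.php HTTP/1.1" 404 153 "-" "gobuster/3.5"
203.0.113.7 - - [31/May/2023:10:00:01 +0000] "GET /test.html HTTP/1.1" 404 153 "-" "gobuster/3.5"
203.0.113.7 - - [31/May/2023:10:00:02 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "gobuster/3.5"
203.0.113.7 - - [31/May/2023:10:00:02 +0000] "GET /uploads HTTP/1.1" 404 153 "-" "gobuster/3.5"
198.51.100.9 - - [31/May/2023:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [31/May/2023:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    path = m["req"].split(" ")[1] if " " in m["req"] else m["req"]
    return {"ip": m["ip"], "ts": ts, "path": path, "status": int(m["status"]), "ua": m["ua"]}

def detect_bruteforce(log_text, threshold=5, window_s=10):
    """Flag IPs with >= threshold 404s inside any window_s-second window; record what they found."""
    recent = defaultdict(deque)  # ip -> timestamps of recent 404s (sliding window)
    found = defaultdict(list)    # ip -> paths that answered 2xx/3xx (what the scan discovered)
    alerts = {}
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        ip, ts = entry["ip"], entry["ts"]
        if entry["status"] == 404:
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                # UA is a weak signal on its own (it is client-controlled); the 404 rate is primary.
                alerts[ip] = {"first_alert_at": ts, "ua": entry["ua"], "found": found[ip]}
        elif 200 <= entry["status"] < 400:
            found[ip].append(entry["path"])
    return alerts
```

The "found" list doubles as a triage aid: it tells you which existing resources the scan confirmed, so you know what to review first.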

More examples to be added in the future.
