Ultimate Gobuster Cheat Sheet
The high-speed directory, file, and DNS brute-forcer written in Go.
1. Directory Mode (dir)
Find hidden paths, files, and directories on a web server.
Basic Directory Scan
Search for File Extensions
Look for files with specific extensions such as php, txt, or zip.
Filter Status Codes
Ignore redirects (301, 302) or standard errors (404) so they do not clutter the results.
-b: Blacklist status codes (responses with these codes are not reported).
2. DNS Mode (dns)
Find subdomains (e.g., admin.target.com, dev.target.com).
Basic Subdomain Scan
Show IP Addresses
Also print the IP address(es) each discovered subdomain resolves to.
3. VHost Mode (vhost)
Find Virtual Hosts. Useful when the server uses the Host header to route traffic (common in CTFs and shared hosting).
DNS Mode asks a DNS server "Does this name exist?".
VHost Mode connects to the IP address and changes only the HTTP Host header, then checks whether the web server responds differently from its default site.
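The difference between the two modes, as an added illustration that is not part of the cheat sheet or of Gobuster itself: the request VHost mode sends changes only the Host header, and a candidate counts as a hit when its reply differs from a baseline reply for a random, non-existent name. The response data and hostnames (target.com from the page) are constructed here, and the ignore_lengths filter is an assumption of this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Response:
    status: int   # HTTP status code
    length: int   # body size in bytes


def build_vhost_request(vhost: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request in the style VHost mode sends.

    The TCP connection always goes to the same IP; only the Host header
    changes between candidates. DNS mode never sends this request at all,
    it asks a resolver whether the name exists instead.
    """
    return f"GET {path} HTTP/1.1\r\nHost: {vhost}\r\nConnection: close\r\n\r\n".encode()


def find_vhosts(baseline: Response, candidates: Dict[str, Response],
                ignore_lengths: FrozenSet[int] = frozenset()) -> List[str]:
    """Return the candidates whose reply differs from the baseline.

    baseline is the reply for a random, non-existent vhost. A candidate that
    matches it in status and length was ignored by the server (it served the
    default site). ignore_lengths drops known-noisy sizes, e.g. a wildcard
    error page that happens to differ from the baseline (assumed filter).
    """
    hits = []
    for vhost, resp in sorted(candidates.items()):
        if resp == baseline or resp.length in ignore_lengths:
            continue
        hits.append(vhost)
    return hits


# Constructed sample data: what one server might return for a few Host values.
BASELINE = Response(status=200, length=1234)   # reply to a random bogus vhost
CANDIDATES = {
    "www.target.com": Response(200, 1234),     # same as baseline -> default site
    "admin.target.com": Response(200, 5120),   # different body -> real vhost
    "dev.target.com": Response(401, 300),      # auth prompt -> real vhost
    "foo.target.com": Response(200, 1234),     # same as baseline -> not a vhost
}

if __name__ == "__main__":
    print(build_vhost_request("admin.target.com").decode())
    print("Responds differently:", find_vhosts(BASELINE, CANDIDATES))
```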
4. S3 Bucket Mode (s3)
Enumerate open AWS S3 buckets.
5. Fuzzing Mode (fuzz)
Replaces the keyword FUZZ in the URL with each word from your wordlist. Useful for API endpoints or parameter names.
6. Performance & Flags
Tune Gobuster to be faster or stealthier.
| Flag | Description |
|---|---|
| -t 50 | Number of threads (Default: 10). Increase for speed. |
| -k | Skip SSL certificate verification (for self-signed certs). |
| -a "UserAgent" | Set custom User-Agent string. |
| -o result.txt | Save output to a file. |
| --proxy "http://127.0.0.1:8080" | Route traffic through Burp Suite/Proxy. |
Note: a very high thread count (e.g., -t 200) may crash the target server or get your IP blocked by WAFs.