Skip to content
Authors: fire1ce | Created: 2021-08-27 | Last update: 2026-07-14

Gobuster CheatSheet

Gobuster is a fast brute-forcing tool for URIs (directories and files), DNS subdomains, virtual hosts, and cloud storage buckets. This cheat sheet covers the most common commands and the full flag reference as of Gobuster 3.8.

Short flags changed

Modern Gobuster uses multi-character short flags (e.g. -do for --domain, -np for --no-progress). The single-letter forms from older versions no longer all apply.

Available Modes

Mode Description
dir Directory and file brute-forcing (the classic mode)
dns DNS subdomain brute-forcing
vhost Virtual host brute-forcing (not the same as DNS)
fuzz Custom fuzzing with the FUZZ keyword
s3 Enumerate open Amazon S3 buckets
gcs Enumerate open Google Cloud Storage buckets
tftp Enumerate files on TFTP servers

Common Commands

dir Mode

Basic directory scan:

gobuster dir -u https://example.com -w ~/wordlists/shortlist.txt

Search for specific file extensions:

gobuster dir -u https://example.com -w wordlist.txt -x php,html,js,txt

Show the response length, and filter by positive status codes:

gobuster dir -u https://example.com -w wordlist.txt -l -s 200,301,302

Status-code filtering changed

Gobuster now filters by a blacklist by default: --status-codes-blacklist (-b) defaults to 404, and --status-codes (-s) is empty. Set -s to switch to a positive whitelist (it overrides the blacklist), or clear the blacklist with -b "".

dns Mode

Basic subdomain scan (note -do/--domain):

gobuster dns -do example.com -w ~/wordlists/subdomains.txt

Use a custom resolver and more threads:

gobuster dns -do example.com -w ~/wordlists/subdomains.txt -r 8.8.8.8:53 -t 50

vhost Mode

Virtual-host scan. Pass --append-domain to append the base domain to each wordlist entry (this is no longer the default):

gobuster vhost -u https://example.com --append-domain -w ~/wordlists/vhosts.txt

fuzz Mode

Fuzz any part of the request with the FUZZ keyword:

gobuster fuzz -u "https://example.com?param=FUZZ" -w wordlist.txt

s3 / gcs / tftp Modes

gobuster s3 -w bucket-names.txt
gobuster gcs -w bucket-names.txt
gobuster tftp -s 10.0.0.1 -w wordlist.txt

Global Flags

These apply to every mode.

Short Long Description
-w --wordlist Path to the wordlist (set to - to read STDIN)
-t --threads Number of concurrent threads (default 10)
-d --delay Time each thread waits between requests (e.g. 1500ms)
-o --output Output file to write results to (defaults to stdout)
-q --quiet Don't print the banner and other noise
-np --no-progress Don't display progress
-ne --no-error Don't display errors
-nc --no-color Disable color output
-p --pattern File containing replacement patterns
-wo --wordlist-offset Resume from a given position in the wordlist
-v --verbose Verbose output
--debug Enable debug output

HTTP Options

Shared by the HTTP-based modes (dir, vhost, fuzz).

Short Long Description
-u --url The target URL
-c --cookies Cookies to use for the requests
-H --headers Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-r --follow-redirect Follow redirects
-k --no-tls-validation Skip TLS certificate verification
-a --useragent Set the User-Agent string
-rua --random-agent Use a random User-Agent string
-to --timeout HTTP timeout (default 10s)
-ra --retry-attempts Times to retry on request timeout
-U --username Username for Basic Auth
-P --password Password for Basic Auth
-m --method HTTP method to use
--proxy Proxy to use for requests [http(s)://host:port]

dir Mode Options

Short Long Description
-x --extensions File extension(s) to search for
--extensions-file Read file extensions from a file
-s --status-codes Positive status codes (overrides the blacklist if set)
-b --status-codes-blacklist Negative status codes (default 404; overrides -s)
-l --include-length Include the length of the body in the output
--hide-length Hide the length of the body from the output
--exclude-length Exclude responses of a given content length
-f --add-slash Append / to each request
-e --expanded Expanded mode, print full URLs
-n --no-status Don't print status codes
-d --discover-backup Upon finding a file, also search for backup files

dns Mode Options

Short Long Description
-do --domain The target domain
-r --resolver Use a custom DNS server (server.com or server.com:port)
-c --check-cname Also check CNAME records
-to --timeout DNS resolver timeout (default 1s)
-wc --wildcard Force continued operation when a wildcard is found
-nf --no-fqdn Don't automatically add a trailing dot to the domain

vhost Mode Options

Short Long Description
--append-domain Append the base domain to each wordlist entry
--exclude-length Exclude responses of a given content length
--exclude-hostname-length Adjust --exclude-length dynamically by hostname length
--exclude-status Negative status codes to hide

Credit

Gobuster is created and maintained by OJ Reeves (@TheColonial).

Comments