Authors: 2021-08-27 | Last update: 2022-08-02
| Created: Gobuster CheatSheet¶
Common Gobuster Commands¶
dir Mode¶
gobuster dir -u https://example.com -w ~/wordlists/shortlist.txt
With content length
gobuster dir -u https://example.com -w ~/wordlists/shortlist.txt -l
dns Mode¶
gobuster dns -d example.com -t 50 -w common-names.txt
gobuster dns -d example.com-w ~/wordlists/subdomains.txt
With Show IP
gobuster dns -d example.com -w ~/wordlists/subdomains.txt -i
Base domain validation warning when the base domain fails to resolve
gobuster dns -d example.com -w ~/wordlists/subdomains.txt -i
Wildcard DNS is also detected properly:
gobuster dns -d 0.0.1.xip.io -w ~/wordlists/subdomains.txt
vhost Mode¶
gobuster vhost -u https://example.com -w common-vhosts.txt
s3 Mode
gobuster s3 -w bucket-names.txt
Available Modes¶
Switch | Description |
---|---|
dir | the classic directory brute-forcing mode |
dns | DNS subdomain brute-forcing mode |
s3 | Enumerate open S3 buckets and look for existence and bucket listings |
vhost | irtual host brute-forcing mode (not the same as DNS!) |
Global Flags¶
Short Switch | Long Switch | Description |
---|---|---|
-z | --no-progress | Don't display progress |
-o | --output string | Output file to write results to (defaults to stdout) |
-q | --quiet | Don't print the banner and other noise |
-t | --threads int | Number of concurrent threads (default 10) |
-i | --show-ips | Show IP addresses |
--delay duration | DNS resolver timeout (default 1s) | |
-v, | --verbose | Verbose output (errors) |
-w | --wordlist string | Path to the wordlist |
DNS Mode Options¶
Short Switch | Long Switch | Description |
---|---|---|
-h, | --help | help for dns |
-d, | --domain string | The target domain |
-r, | --resolver string | Use custom DNS server (format server.com or server.com:port) |
-c, | --show-cname | Show CNAME records (cannot be used with '-i' option) |
-i, | --show-ips | Show IP addresses |
--timeout duration | DNS resolver timeout (default 1s) |
DIR Mode Options¶
Short Switch | Long Switch | Description |
---|---|---|
-h, | --help | help for dir |
-f, | --add-slash | Append / to each request |
-c, | --cookies string | Cookies to use for the requests |
-e, | --expanded | Expanded mode, print full URLs |
-x, | --extensions string | File extension(s) to search for |
-r, | --follow-redirect | Follow redirects |
-H, | --headers stringArray | Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2' |
-l, | --include-length | Include the length of the body in the output |
-k, | --no-tls-validation | Skip TLS certificate verification |
-n, | --no-status | Don't print status codes |
-P, | --password string | Password for Basic Auth |
-p, | --proxy string | Proxy to use for requests [http(s)://host:port] |
-s, | --status-codes string | Positive status codes (will be overwritten with status-codes-blacklist if set) (default "200,204,301,302,307,401,403") |
-b, | --status-codes-blacklist | string Negative status codes (will override status-codes if set) |
--timeout duration | HTTP Timeout (default 10s) | |
-u, | --url string | The target URL |
-a, | --useragent string | Set the User-Agent string (default "gobuster/3.1.0") |
-U, | --username string | Username for Basic Auth |
-d, | --discover-backup | Upon finding a file search for backup files |
--wildcard | Force continued operation when wildcard found |
vhost Mode Options¶
Short Switch | Long Switch | Description |
---|---|---|
-h | --help | help for vhost |
-c | --cookies string | Cookies to use for the requests |
-r | --follow-redirect | Follow redirects |
-H | --headers stringArray | Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2' |
-k | --no-tls-validation | Skip TLS certificate verification |
-P | --password string | Password for Basic Auth |
-p | --proxy string | Proxy to use for requests [http(s)://host:port] |
--timeout duration | HTTP Timeout (default 10s) | |
-u | --url string | The target URL |
-a | --useragent string | Set the User-Agent string (default "gobuster/3.1.0") |
-U | --username string | Username for Basic Auth |