Understanding which paths your web applications expose is a basic part of assessing them. Web directory enumeration, the systematic discovery of directories and files that are reachable but not linked from the site, is a standard early step in a penetration test and a common way to find forgotten admin panels, backups and debug endpoints.
One popular tool for this task is Gobuster. This tutorial walks through installing it, its attack modes and flags, and practical directory, file, DNS, virtual-host and S3 enumeration. Brute-forcing generates a large volume of requests, so run it only against systems you are authorized to test.
What is Gobuster?
Gobuster is a command-line tool designed for directory and file brute-forcing on web servers. Developed in the Go programming language, it helps security professionals and penetration testers identify hidden or unprotected directories and files on a target web application.
By systematically trying different directories and file names, Gobuster can expose paths that might not be linked from the main pages of a website but are still accessible to users and potentially malicious actors.
Prerequisites
Before we dive into the tutorial, make sure you have the following:
- A working Linux environment (Gobuster is commonly used on Linux; Kali ships it as a package, `apt install gobuster`).
- Gobuster installed, either from the distribution package or built from its official repository with the Go toolchain. The `go install` command below places the binary in `$(go env GOPATH)/bin`, which must be on your `PATH`.
How to Install Gobuster
go install github.com/OJ/gobuster/v3@latest
Gobuster Parameters
Gobuster has several attack modes: directory and file brute-forcing against a web server (`dir`), URL fuzzing (`fuzz`), virtual host discovery (`vhost`), DNS subdomain enumeration (`dns`) and Amazon S3 bucket enumeration (`s3`).
| Feature | Description |
|---|---|
| Directory Enumeration | The `dir` mode brute-forces directory and file names under a base URL, discovering paths that exist but are not linked from the application. |
| Command-Line Tool | Gobuster is a command-line tool, which makes it easy to script and to chain with other tooling during a penetration test. |
| Efficiency | Written in Go, Gobuster works through large wordlists quickly and uncovers obscure paths that crawling alone would never find. |
| Wordlist Support | The `-w` flag takes any wordlist, so you can tailor the enumeration to the target (framework-specific lists, names harvested from the site, and so on). |
| HTTP Response Codes | Each hit is reported with its HTTP status code, which tells you how to treat it: 200 accessible, 301/302 redirect (often to a directory), 403 present but forbidden, 401 authentication required. |
| Customization | Flags control the number of concurrent requests, the extensions to try, headers, cookies, Basic Auth credentials, the HTTP method and more. |
| Multi-Threaded | Requests are sent concurrently; `-t` sets the thread count (default 10). |
| Extensions Support | The `-x` flag appends file extensions to every word (e.g. `-x php,html`), which is how you find files rather than directories. |
| Timeout Options | `--timeout` bounds how long a single request may take (default 10s), so unresponsive paths do not stall the run. |
| Quiet Mode | `-q` suppresses the banner and other noise, leaving only results. |
| Status Code Filtering | `-s` lists the status codes to report; by default Gobuster instead blacklists 404 with `-b`, and in this version the two options cannot be combined. |
| Recursive Enumeration | Gobuster has no built-in recursion: `dir` mode scans one base URL per run. To go deeper, rerun it against each directory it finds, or script that loop. |
| Proxy Support | `--proxy` (`-p` in `vhost` mode) routes requests through an HTTP(S) proxy such as Burp Suite so you can inspect or replay them. It is a testing aid, not an anonymity measure. |
Attack Modes
/usr/bin/gobuster
Usage:
gobuster [command]
Available Commands:
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode
help Help about any command
s3 Uses aws bucket enumeration mode
version shows the current version
vhost Uses VHOST enumeration mode
Global parameters (valid in every mode)
Flags:
--delay duration Time each thread waits between requests (e.g. 1500ms)
-h, --help help for gobuster
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
Virtual Hosts enumeration
Vhost mode keeps the target URL fixed and sets the `Host` header to `<word>.<target host>` for each wordlist entry, reporting responses that differ from the baseline the server returns for a random hostname. This is how you find additional sites served from the same IP address.
Usage:
gobuster vhost [flags]
Flags:
-c, --cookies string Cookies to use for the requests
-r, --follow-redirect Follow redirects
-H, --headers stringArray Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-h, --help help for vhost
-k, --no-tls-validation Skip TLS certificate verification
-P, --password string Password for Basic Auth
-p, --proxy string Proxy to use for requests [http(s)://host:port]
--timeout duration HTTP Timeout (default 10s)
-u, --url string The target URL
-a, --useragent string Set the User-Agent string (default "gobuster/3.1.0")
-U, --username string Username for Basic Auth
gobuster vhost -u http://10.10.90.255 -w /home/kali/Desktop/Utilities/2m-subdomains.txt -o output.txt
Directory enumeration
Let's walk through a practical example to illustrate directory enumeration with Gobuster.
In `dir` mode Gobuster brute-forces paths under a base URL by appending each wordlist entry to it; a number of flags control and filter the run.
To list the options for directory enumeration, execute `gobuster dir --help`:
Usage:
gobuster dir [flags]
Flags:
-f, --add-slash Append / to each request
-c, --cookies string Cookies to use for the requests
-d, --discover-backup Upon finding a file search for backup files
--exclude-length ints exclude the following content length (completely ignores the status). Supply multiple times to exclude multiple sizes.
-e, --expanded Expanded mode, print full URLs
-x, --extensions string File extension(s) to search for
-r, --follow-redirect Follow redirects
-H, --headers stringArray Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-h, --help help for dir
--hide-length Hide the length of the body in the output
-m, --method string Use the following HTTP method (default "GET")
-n, --no-status Don't print status codes
-k, --no-tls-validation Skip TLS certificate verification
-P, --password string Password for Basic Auth
--proxy string Proxy to use for requests [http(s)://host:port]
--random-agent Use a random User-Agent string
-s, --status-codes string Positive status codes (will be overwritten with status-codes-blacklist if set)
-b, --status-codes-blacklist string Negative status codes (will override status-codes if set) (default "404")
--timeout duration HTTP Timeout (default 10s)
-u, --url string The target URL
-a, --useragent string Set the User-Agent string (default "gobuster/3.1.0")
-U, --username string Username for Basic Auth
--wildcard Force continued operation when wildcard found
/usr/bin/gobuster dir -u http://10.10.90.255 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50 -o output.txt
`-t 50` is aggressive for anything but a lab target; lower it or add `--delay` on shared or production systems. If the server answers every path with the same status (a wildcard response), pass `--wildcard` to keep going and `--exclude-length` with that response's body size to filter it out.
Files enumeration
gobuster dir -u http://10.10.90.255 -x zip,bak,old,php -w /usr/share/wordlists/dirb/common.txt -o output.txt
DNS enumeration
DNS mode resolves `<word>.<domain>` for every wordlist entry (through the system resolver, or the one given with `-r`) and reports the names that resolve. It needs no URL, only `-d` and the global `-w`.
Usage:
gobuster dns [flags]
Flags:
-d, --domain string The target domain
-h, --help help for dns
-r, --resolver string Use custom DNS server (format server.com or server.com:port)
-c, --show-cname Show CNAME records (cannot be used with '-i' option)
-i, --show-ips Show IP addresses
--timeout duration DNS resolver timeout (default 1s)
--wildcard Force continued operation when wildcard found
Gobuster Recursive
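Gobuster's `dir` mode has no recursive flag, so the usual approach is to take the directories from one run and feed them back in as new base URLs. The shell script below is an added example written for this tutorial, not part of gobuster: it parses a `-o` output file in the v3.1 line format, keeps the entries that look like directories (301/302 redirects to a trailing-slash URL, and 200/403 hits whose last path segment has no extension) and loops gobuster over them to a fixed depth. The sample output, the target `http://10.10.90.255` and the wordlist path are constructed assumptions; the live loop only runs when `GOBUSTER_LIVE=1` is set and gobuster is installed.

```shell
#!/usr/bin/env bash
# Added example (not part of gobuster): emulate recursion for "gobuster dir".
# Gobuster scans one base URL per run, so we parse each run's -o output file,
# pick the entries that look like directories, and queue them as base URLs for
# the next depth. SAMPLE_OUTPUT is CONSTRUCTED in the v3.1 "-o" line format;
# the target URL and wordlist path further down are assumptions.

# Constructed sample of a gobuster dir output file.
SAMPLE_OUTPUT='/admin                (Status: 301) [Size: 312] [--> http://10.10.90.255/admin/]
/index.php            (Status: 200) [Size: 1234]
/uploads              (Status: 403) [Size: 277]
/robots.txt           (Status: 200) [Size: 43]
/server-status        (Status: 403) [Size: 277]
/login.php            (Status: 302) [Size: 0] [--> http://10.10.90.255/index.php]'

# extract_dirs FILE: print the paths that look like directories, one per line:
#  - 301/302 whose redirect target ends in "/" (the classic "add the slash" redirect)
#  - 200/403 whose last path segment has no extension (a 403 often marks a
#    directory you cannot list but can still brute-force inside)
extract_dirs() {
    awk '
    NF > 0 {
        path = $1
        status = ""
        if (match($0, /Status: [0-9]+/))
            status = substr($0, RSTART + 8, RLENGTH - 8)   # skip "Status: "
        if ((status == "301" || status == "302") && $0 ~ /\/\][ \t]*$/) {
            print path
            next
        }
        last = path
        sub(/.*\//, "", last)                              # last path segment
        if ((status == "200" || status == "403") && last !~ /\./)
            print path
    }' "$1"
}

# recurse_gobuster BASE_URL WORDLIST [MAXDEPTH]: depth-limited loop that feeds
# every discovered directory back into gobuster and prints each new base URL.
recurse_gobuster() {
    base="$1"; wordlist="$2"; maxdepth="${3:-2}"
    depth=0; queue="$base"
    while [ "$depth" -lt "$maxdepth" ] && [ -n "$queue" ]; do
        next=""
        for url in $queue; do
            out="$(mktemp)"
            # -q/-z keep the output file clean; 404 is blacklisted by default.
            gobuster dir -q -z -u "$url" -w "$wordlist" -o "$out" >/dev/null 2>&1 || true
            for dir in $(extract_dirs "$out"); do
                next="$next ${url%/}$dir/"
                echo "${url%/}$dir/"
            done
            rm -f "$out"
        done
        queue="$next"
        depth=$((depth + 1))
    done
}

# Offline demonstration on the constructed sample.
sample_file="$(mktemp)"
printf '%s\n' "$SAMPLE_OUTPUT" > "$sample_file"
echo "Directories to recurse into:"
extract_dirs "$sample_file"
rm -f "$sample_file"

# Live run, opt-in only (assumed target URL and wordlist path).
if [ "${GOBUSTER_LIVE:-0}" = 1 ] && command -v gobuster >/dev/null 2>&1; then
    recurse_gobuster http://10.10.90.255 /usr/share/wordlists/dirb/common.txt 2
fi
```

Review the 403 candidates before recursing into them: a 403 on `/server-status` is the Apache status handler, not a directory, and the heuristic cannot tell the two apart, so it errs toward including them. Cap the depth as well; each level multiplies the request count by the number of directories found.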
S3 Enumeration
S3 mode takes bucket names straight from the wordlist (no `-u` is needed), checks whether each bucket exists, and in verbose mode lists up to `--maxfiles` objects from buckets that are publicly listable.
/usr/bin/gobuster s3 --help
Uses aws bucket enumeration mode
Usage:
gobuster s3 [flags]
Flags:
-h, --help help for s3
-m, --maxfiles int max files to list when listing buckets (only shown in verbose mode) (default 5)
--proxy string Proxy to use for requests [http(s)://host:port]
--random-agent Use a random User-Agent string
--timeout duration HTTP Timeout (default 10s)
-a, --useragent string Set the User-Agent string (default "gobuster/3.1.0")
Fuzzing Mode
Fuzz mode replaces the literal keyword FUZZ in the URL with each wordlist entry, so it can brute-force query parameter names, parameter values or path segments in the middle of a URL, which `dir` mode cannot.
Uses fuzzing mode
Usage:
gobuster fuzz [flags]
Flags:
-c, --cookies string Cookies to use for the requests
--exclude-length ints exclude the following content length (completely ignores the status). Supply multiple times to exclude multiple sizes.
-b, --excludestatuscodes string Negative status codes (will override statuscodes if set)
-r, --follow-redirect Follow redirects
-H, --headers stringArray Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-h, --help help for fuzz
-m, --method string Use the following HTTP method (default "GET")
-k, --no-tls-validation Skip TLS certificate verification
-P, --password string Password for Basic Auth
--proxy string Proxy to use for requests [http(s)://host:port]
--random-agent Use a random User-Agent string
--timeout duration HTTP Timeout (default 10s)
-u, --url string The target URL
-a, --useragent string Set the User-Agent string (default "gobuster/3.1.0")
-U, --username string Username for Basic Auth
--wildcard Force continued operation when wildcard found