Bruteforce Any Website With GoBuster, Step-By-Step Guide

While enumerating any web application, initial step is to collect as much info about the target web application. By extracting its open ports, services or finding directories. By collecting such info, according to ethical hacking researcher of international institute of cyber security it makes easy to prepare for next pentesting phase. That’s why Gobuster is used to extract information about the target. Gobuster is written in GO-Lang. Some very common scanners like dirbuster or other scanners.

For testing we are using Kali Linux 2019.1 amd64. Open terminal type
- sudo apt-get update
- sudo apt-get install gobuster
After installation type gobuster

root@kali:/home/iicybersecurity/Downloads# gobuster
 Usage:
   gobuster [command]
 Available Commands:
   dir         Uses directory/file brutceforcing mode
   dns         Uses DNS subdomain bruteforcing mode
   help        Help about any command
   vhost       Uses VHOST bruteforcing mode
 Flags:
   -h, --help              help for gobuster
   -z, --noprogress        Don't display progress
   -o, --output string     Output file to write results to (defaults to stdout)
   -q, --quiet             Don't print the banner and other noise
   -t, --threads int       Number of concurrent threads (default 10)
   -v, --verbose           Verbose output (errors)
   -w, --wordlist string   Path to the wordlist

Finding Files/ Directories

On Target side we will be using DVWA (Dam Vulnerable Web Application). Download from https://www.vulnhub.com/entry/damn-vulnerable-web-application-dvwa-107,43/
Type gobuster dir -u http://192.168.1.105/dvwa -w /usr/share/wordlists/dirb/common.txt
-u is used to assign target URL, 192.168.1.105 is our target/DVWA.
-w is used to assign wordlist. /usr/share/wordlists/dirb/common.txt is the wordlist location.

root@kali:/home/iicybersecurity# gobuster dir -u http://192.168.1.105/dvwa -w /usr/share/wordlists/dirb/common.txt
 Gobuster v3.0.1
 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
 [+] Url:            http://192.168.1.105/dvwa
 [+] Threads:        10
 [+] Wordlist:       /usr/share/wordlists/dirb/common.txt
 [+] Status codes:   200,204,301,302,307,401,403
 [+] User Agent:     gobuster/3.0.1
 [+] Timeout:        10s
 2019/11/01 01:20:19 Starting gobuster
 /.hta (Status: 403)
 /.svn (Status: 301)
 /.htpasswd (Status: 403)
 /.svn/entries (Status: 200)
 /.htaccess (Status: 403)
 /css (Status: 301)
 /images (Status: 301)
 /includes (Status: 301)
 /js (Status: 301)
 2019/11/01 01:20:25 Finished

Above query has scanned all the files & directories on the target URL.

Printing Files With Full Path

Type gobuster dir -e -u http://192.168.1.105/dvwa -w /usr/share/wordlists/dirb/common.txt
-e is used to print full path of the files.
-u is used to assign target URL 192.168.1.105 is our target.
-w is used to assign wordlist. /usr/share/wordlists/dirb/common.txt is the wordlist location.

root@kali:/home/iicybersecurity# gobuster dir -e -u  http://192.168.1.105/dvwa -w /usr/share/wordlists/dirb/common.txt
 Gobuster v3.0.1
 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
 [+] Url:            http://192.168.1.105/dvwa
 [+] Threads:        10
 [+] Wordlist:       /usr/share/wordlists/dirb/common.txt
 [+] Status codes:   200,204,301,302,307,401,403
 [+] User Agent:     gobuster/3.0.1
 [+] Expanded:       true
 [+] Timeout:        10s
 2019/11/01 01:21:34 Starting gobuster
 http://192.168.1.105/dvwa/.hta (Status: 403)
 http://192.168.1.105/dvwa/.htpasswd (Status: 403)
 http://192.168.1.105/dvwa/.svn (Status: 301)
 http://192.168.1.105/dvwa/.htaccess (Status: 403)
 http://192.168.1.105/dvwa/.svn/entries (Status: 200)
 http://192.168.1.105/dvwa/css (Status: 301)
 http://192.168.1.105/dvwa/images (Status: 301)
 http://192.168.1.105/dvwa/includes (Status: 301)
 http://192.168.1.105/dvwa/js (Status: 301)
 2019/11/01 01:21:39 Finished

Above you can find the full path of the target URL. This query can help to prepare for the initial level of information gathering.

Printing Output Using Verbose

Type gobuster dir -u http://192.168.1.105/dvwa -w /usr/share/wordlists/dirb/common.txt -v
-u is used to assign target URL. 192.168.1.105 is our target.
-w is used to assign wordlist. /usr/share/wordlists/dirb/common.txt is the wordlist location.
-v is used for verbose mode.

root@kali:/home/iicybersecurity# gobuster dir -u http://192.168.1.105/dvwa -w /usr/share/wordlists/dirb/common.txt -v
 Gobuster v3.0.1
 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
 [+] Url:            http://192.168.1.105/dvwa
 [+] Threads:        10
 [+] Wordlist:       /usr/share/wordlists/dirb/common.txt
 [+] Status codes:   200,204,301,302,307,401,403
 [+] User Agent:     gobuster/3.0.1
 [+] Verbose:        true
 [+] Timeout:        10s
 2019/11/01 01:33:32 Starting gobuster
 Missed: /.bashrc (Status: 404)
 Missed: /.cvs (Status: 404)
 Missed: /.cvsignore (Status: 404)
 Missed: /.forward (Status: 404)
 Missed: /.config (Status: 404)
 Missed: /.git/HEAD (Status: 404)
 Missed: /.cache (Status: 404)
 Found: /.hta (Status: 403)
 Missed: /.profile (Status: 404)
 Missed: /.history (Status: 404)
 Missed: /.mysql_history (Status: 404)
 Missed: /.passwd (Status: 404)
 Missed: /.listings (Status: 404)
 Missed: /.perf (Status: 404)
 Missed: /.sh_history (Status: 404)
 Found: /.htpasswd (Status: 403)
 Missed: /.listing (Status: 404)
 Missed: /.rhosts (Status: 404)
 Found: /.svn/entries (Status: 200)
 Missed: /.subversion (Status: 404)
 Missed: /.ssh (Status: 404)
 Missed: /.web (Status: 404)
 Missed: /archive (Status: 404) Found: /.svn (Status: 301) Missed: /@ (Status: 404) Missed: /.swf (Status: 404) Found: /.htaccess (Status: 403) Missed: /_backup (Status: 404) Missed: /.bash_history (Status: 404) Missed: /_adm (Status: 404) Missed: /_borders (Status: 404) Missed: /_cache (Status: 404) Missed: /_admin (Status: 404) Missed: /_baks (Status: 404) Missed: /_catalogs (Status: 404) Missed: /_code (Status: 404) Missed: /_assets (Status: 404) Missed: /_common (Status: 404) Missed: /_conf (Status: 404) Missed: /_ajax (Status: 404) Missed: / (Status: 404)
 Missed: /_files (Status: 404)
 Missed: /_css (Status: 404)
 Missed: /_data (Status: 404)
 Missed: /_database (Status: 404)
 Missed: /_db_backups (Status: 404)
 Missed: /_derived (Status: 404)
 Missed: /_dev (Status: 404)
 Missed: /_config (Status: 404)
 Missed: /_flash (Status: 404)
 Missed: /_dummy (Status: 404)
 Missed: /_inc (Status: 404)
 Missed: /_fpclass (Status: 404)
 Missed: /_includes (Status: 404)
 Missed: /_install (Status: 404)
 Missed: /_images (Status: 404)
 Missed: /_js (Status: 404)
 Missed: /_layouts (Status: 404)
 Missed: /_img (Status: 404)
 Missed: /_lib (Status: 404)
 Missed: /_media (Status: 404)
 Missed: /_mm (Status: 404)
 Missed: /_mygallery (Status: 404)

Above query has try to find files in verbose mode. Showing HTTP status code on each request.

Printing Files with No Status

Type gobuster dir -u http://192.168.1.105/dvwa -w /usr/share/wordlists/dirb/common.txt -n
-u is used to assign target URL. 192.168.1.105 is our target URL.
-w is used to assign wordlist. /usr/share/wordlists/dirb/common.txt is the wordlist location.
-n is used to print with no status codes.

root@kali:/home/iicybersecurity# gobuster dir -u http://192.168.1.105/dvwa -w /usr/share/wordlists/dirb/common.txt -n
 Gobuster v3.0.1
 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
 [+] Url:            http://192.168.1.105/dvwa
 [+] Threads:        10
 [+] Wordlist:       /usr/share/wordlists/dirb/common.txt
 [+] Status codes:   200,204,301,302,307,401,403
 [+] User Agent:     gobuster/3.0.1
 [+] No status:      true
 [+] Timeout:        10s
 2019/11/01 02:36:35 Starting gobuster
 /.hta
 /.htpasswd
 /.svn
 /.svn/entries
 /.htaccess
 /css
 /images
 /includes
 /js
 2019/11/01 02:36:38 Finished

Above query has printed with data without any status codes.

Finding Length of the Response Files

Type gobuster dir -u http://192.168.1.105/dvwa -w /usr/share/wordlists/dirb/common.txt -l
-u is used to assign target URL. 192.168.1.105 is our target URL.
-w is used to assign wordlist location. -w /usr/share/wordlists/dirb/common.txt is our wordlist location.
-l is used find length of response files.

root@kali:/home/iicybersecurity# gobuster dir -u http://192.168.1.105/dvwa -w /usr/share/wordlists/dirb/common.txt -l
 Gobuster v3.0.1
 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
 [+] Url:            http://192.168.1.105/dvwa
 [+] Threads:        10
 [+] Wordlist:       /usr/share/wordlists/dirb/common.txt
 [+] Status codes:   200,204,301,302,307,401,403
 [+] User Agent:     gobuster/3.0.1
 [+] Show length:    true
 [+] Timeout:        10s
 2019/11/01 02:57:45 Starting gobuster
 /.hta (Status: 403) [Size: 1108]
 /.htpasswd (Status: 403) [Size: 1108]
 /.svn/entries (Status: 200) [Size: 256]
 /.htaccess (Status: 403) [Size: 1108]
 /.svn (Status: 301) [Size: 416]
 /css (Status: 301) [Size: 415]
 /images (Status: 301) [Size: 418]
 /includes (Status: 301) [Size: 420]
 /js (Status: 301) [Size: 414]
 2019/11/01 02:57:48 Finished

Above shows the files size. By this attacker can obtain type of files target uses to maintain their website and as per digital forensics expert of International Institute of Cyber Security file size is also one of the parameters in analyzing the malware.

Finding Files With Specific Extension

Type gobuster dir -u http://192.168.1.105/dvwa -w /usr/share/wordlists/dirb/common.txt -x .php
-u is used to assign URL. 192.168.1.105 is our target URL
-w is used to assign wordlist. -w /usr/share/wordlists/dirb/common.txt is wordlist location.
-x is used to extract specific extension files. .php will be extracted.

root@kali:/home/iicybersecurity# gobuster dir -u http://192.168.1.105/dvwa -w /usr/share/wordlists/dirb/common.txt -x .php
 Gobuster v3.0.1
 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
 [+] Url:            http://192.168.1.105/dvwa
 [+] Threads:        10
 [+] Wordlist:       /usr/share/wordlists/dirb/common.txt
 [+] Status codes:   200,204,301,302,307,401,403
 [+] User Agent:     gobuster/3.0.1
 [+] Extensions:     php
 [+] Timeout:        10s
 2019/11/01 03:32:20 Starting gobuster
 /.hta (Status: 403)
 /.hta.php (Status: 403)
 /.htpasswd (Status: 403)
 /.htpasswd.php (Status: 403)
 /.htaccess (Status: 403)
 /.htaccess.php (Status: 403)
 /.svn/entries (Status: 200)
 /.svn (Status: 301)
 /css (Status: 301)
 /images (Status: 301)
 /includes (Status: 301)
 /js (Status: 301)
 2019/11/01 03:32:25 Finished

Above query has found files with .php extension. This query can help attacker to create malicious files on specific extension.

Finding Username & Password

Type gobuster dir -u http://testphp.vulnweb.com/login.php -w /usr/share/wordlists/dirb/common.txt -U test -P test
-u is used to assign URL. 192.168.1.105 is our target URL
-w is used to assign wordlist. -w /usr/share/wordlists/dirb/common.txt is wordlist location.
-U is for username & -P is for password.

root@kali:/home/iicybersecurity# gobuster dir  -u http://testphp.vulnweb.com/login.php -w /usr/share/wordlists/dirb/common.txt -U test -P test
 Gobuster v3.0.1
 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
 [+] Url:            http://testphp.vulnweb.com/login.php
 [+] Threads:        10
 [+] Wordlist:       /usr/share/wordlists/dirb/common.txt
 [+] Status codes:   200,204,301,302,307,401,403
 [+] User Agent:     gobuster/3.0.1
 [+] Auth User:      test
 [+] Timeout:        10s
 2019/11/01 04:31:34 Starting gobuster
 /admin.php (Status: 200)
 /index.php (Status: 200)
 /info.php (Status: 200)
 /phpinfo.php (Status: 200)
 /xmlrpc.php (Status: 200)
 /xmlrpc_server.php (Status: 200)
 2019/11/01 04:32:54 Finished

Above query has returned with address of 200 which means that username & password has matched.

Jim Gill

Cyber Security Researcher. Information security specialist, currently working as risk infrastructure specialist & investigator. He is a cyber-security researcher with over 25 years of experience. He has served with the Intelligence Agency as a Senior Intelligence Officer. He has also worked with Google and Citrix in development of cyber security solutions. He has aided the government and many federal agencies in thwarting many cyber crimes. He has been writing for us in his free time since last 5 years.

Bruteforce Any Website With GoBuster, Step-By-Step Guide

Finding Files/ Directories

Printing Files With Full Path

Printing Output Using Verbose

Printing Files with No Status

Finding Length of the Response Files

Finding Files With Specific Extension

Finding Username & Password

WinRAR and ZIP File Exploits: This ZIP File Hack Could Let Malware Bypass Your Antivirus

5 Techniques Hackers Use to Jailbreak ChatGPT, Gemini, and Copilot AI systems

This Hacker Toolkit Can Breach Any Air-Gapped System – Here’s How It Works

Hacking Pagers to Explosions: Israel’s Covert Cyber-Physical Sabotage Operation Against Hezbollah!

Five Techniques for Bypassing Microsoft SmartScreen and Smart App Control (SAC) to Run Malware in Windows

How Millions of Phishing Emails were Sent from Trusted Domains: EchoSpoofing Explained

How to implement Principle of Least Privilege(Cloud Security) in AWS, Azure, and GCP cloud

The 11 Essential Falco Cloud Security Rules for Securing Containerized Applications at No Cost

Cyber Security Channel