Gobuster is a tool used to brute-force URIs (directories and files) on web sites, DNS subdomains, virtual host names, open cloud storage buckets, and TFTP servers. This project was born out of the necessity to have something that didn't have a fat Java GUI (console FTW), something that did not do recursive brute force, something that allowed me to brute force folders and multiple extensions at once, something that compiled to native on multiple platforms, something that was faster than an interpreted script (such as Python), and something that didn't require a runtime.

The app provides several modes, like the classic directory brute-forcing mode, DNS subdomain brute-forcing mode, the mode that enumerates open S3 buckets and looks for existence and bucket listings, and the virtual host brute-forcing mode (not the same as DNS!).

Since this tool is written in Go, you need to install the Go language/compiler/etc. Full details of installation and setup can be found on the Go language website. Once installed you have two options. You need at least Go 1.16.0 to compile gobuster.

Features

  • URIs (directories and files) in web sites
  • DNS subdomains (with wildcard support)
  • Virtual Host names on target web servers
  • Open Amazon S3 buckets
  • New CLI options so modes are strictly separated
  • Ability to enumerate vhost names
  • Open Google Cloud buckets
  • TFTP servers
  • Enumerate public AWS S3 buckets
  • Fuzzing mode
  • Option to supply custom HTTP headers
  • Specify HTTP method
  • Easy to install using binaries or Docker
  • Wordlist offset parameter to skip x lines from the wordlist
  • Prevent double slashes when building up a URL in dir mode
  • Allow for multiple values and ranges on --exclude-length
  • Enable TLS 1.0 and TLS 1.1 support
  • Support TLS client certificates / mTLS
  • Support loading extensions from file
  • Support fuzzing POST body, HTTP headers and basic auth
  • New option to not canonicalize header names
  • Color output
  • Retry on timeout
  • Google Cloud bucket enumeration

Available Modes

  • dir - the classic directory brute-forcing mode
  • dns - DNS subdomain brute-forcing mode
  • s3 - Enumerate open S3 buckets and look for existence and bucket listings
  • gcs - Enumerate open Google Cloud buckets
  • vhost - virtual host brute-forcing mode (not the same as DNS!)
  • fuzz - some basic fuzzing, replaces the FUZZ keyword
  • tftp - brute-force TFTP files

License

Apache License V2.0

Resources & Downloads

Gobuster
Download Gobuster for free. Directory/File, DNS and VHost busting tool written in Go.
GitHub - OJ/gobuster: Directory/File, DNS and VHost busting tool written in Go