Gobuster is a tool for brute-forcing URIs (directories and files), DNS subdomains, virtual host names, and S3 buckets. Written in Go, it's fast and supports multiple modes.
# Basic directory brute force
gobuster dir -u https://target.com -w wordlist.txt
# With extensions
gobuster dir -u https://target.com -w wordlist.txt -x php,html,txt
# With status code filtering
gobuster dir -u https://target.com -w wordlist.txt -s 200,301,302
# With authentication
gobuster dir -u https://target.com -w wordlist.txt \
-c "session=abc123"# Subdomain enumeration
gobuster dns -d target.com -w subdomains.txt
# With resolver
gobuster dns -d target.com -w wordlist.txt -r 8.8.8.8
# Show IPs
gobuster dns -d target.com -w wordlist.txt -i# Enumerate vhosts
gobuster vhost -u https://target.com -w vhosts.txt-t Number of threads (default 10)
-o Output file
-q Quiet mode
-k Skip TLS verification
-a User agent string