This is the most powerful "new" addition. It allows you to brute force parameters in the URL, headers, or POST data. You replace the part you want to fuzz with the keyword FUZZ .
go install github.com/OJ/gobuster/v3@latest
This command will brute-force directories on the target URL http://example.com using the wordlist directory-list-2.3-small.txt .
Gobuster is a mode-based tool. Each mode requires you to specify the operation you want to perform before listing your flags. The general syntax is:
The dir mode is used to discover hidden directories and files on a web server by appending wordlist entries to a base URL.
-t 50 : Sets the number of concurrent execution threads (default is 10). Increase for speed; decrease to prevent overloading targets.
/usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt 8. Summary Cheat Sheet Example Command Find Hidden Directories dir -u [URL] -w [list] gobuster dir -u http://site.com -w list.txt Find Specific Extensions dir -x [ext1,ext2] gobuster dir -u http://site.com -w list.txt -x php,txt Discover Subdomains dns -d [domain] -w [list] gobuster dns -d site.com -w list.txt Uncover Virtual Hosts vhost -u [URL] -w [list] gobuster vhost -u http://site.com -w list.txt Ignore Specific Code dir -b [status_codes] gobuster dir -u http://site.com -w list.txt -b 403
