CyberCheatsheets

Gobuster Cheat Sheet

Fast directory, DNS, vhost, and S3 bucket brute-forcer written in Go.

Category: Scanning & Enumeration | Tags: directory-bruteforce, dns, vhost, web | Updated 2026-06-02

Overview

Gobuster discovers hidden web paths, subdomains (DNS mode), virtual hosts, and cloud buckets using wordlists. It is a staple for content discovery after identifying live HTTP services.

Authorized testing only. Directory brute force can stress web servers and fill logs. Use rate limits and approved wordlists on production.

Install

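# Debian/Ubuntu/Kali package
sudo apt install -y gobuster
# or install the latest release with the Go toolchain
go install github.com/OJ/gobuster/v3@latest
# confirm the install
gobuster version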

Essential commands

Directory brute force

gobuster dir -u https://target.example.com -w /usr/share/wordlists/dirb/common.txt

With extensions

gobuster dir -u https://target.example.com -w common.txt -x php,html,txt,bak

DNS subdomain brute force

gobuster dns -d target.example.com -w subdomains.txt

Quick one-liners

Brute-force web directories

gobuster dir -u https://target.example.com -w /usr/share/wordlists/dirb/common.txt

Brute-force with common extensions

gobuster dir -u https://target.example.com -w common.txt -x php,html,txt,bak

Enumerate subdomains via DNS

gobuster dns -d target.example.com -w subdomains.txt

Discover virtual hosts on a web server

gobuster vhost -u https://target.example.com -w vhosts.txt

Hunt for open S3 bucket names

gobuster s3 -w bucket-names.txt -k

Common workflows

Recursive / filtered —

# -b "" clears the default status-code blacklist (404), which cannot be combined with -s
gobuster dir -u https://target.example.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -x php,asp,aspx -s 200,204,301,302,307,401,403 -b "" -t 50 -o gobuster_dirs.txt

Virtual host discovery —

gobuster vhost -u https://target.example.com -w vhosts.txt --append-domain

Authenticated / headers —

gobuster dir -u https://target.example.com -w common.txt \
  -H "Cookie: session=TOKEN" -H "Authorization: Bearer TOKEN"

S3 buckets —

gobuster s3 -w bucket-names.txt -k

Flags: gobuster dir

-u http://target/        Target URL
-w wordlist.txt          Path wordlist
-x php,html,txt          Append extensions
-s 200,204,301,302       Show only these status codes
-t 50                    Threads

Flags: gobuster dns

-d example.com           Target domain
-w subdomains.txt        Subdomain wordlist
-r 8.8.8.8               Custom resolver

Flags: gobuster vhost

-u http://10.10.10.5     Base URL (IP or catch-all host)
-w vhosts.txt            Host header wordlist

Flags: gobuster s3

-w buckets.txt           Bucket name wordlist
-k                       Skip TLS certificate verification

Flags: gobuster (global)

-o results.txt                 Output file
-q                             Quiet (no banner/progress)
-k                             Insecure SSL
-H "Cookie: session=abc"       Custom header
-p http://127.0.0.1:8080       HTTP proxy

Tips

  • Exclude false positives: --exclude-length (response size), -b (status code blacklist), or -s (status code whitelist).
  • ffuf and feroxbuster offer more fuzzing flexibility; gobuster stays simple and fast.
  • Use SecLists wordlists sized to the environment (directory-list-2.3-medium.txt vs common.txt).
  • For API routes, combine with .json extensions and custom wordlists from JS analysis.
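
Detection side: the overview notes that directory brute force fills logs, and that pattern is what a defender can alert on. The following is an added example, not part of the original cheat sheet or the gobuster project: it scans combined-format access log lines for clients that request many distinct, mostly 404 paths inside a short window. The sample log lines, IP addresses, thresholds, function names and the "gobuster/" User-Agent prefix are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(  # combined log format
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def _line(ip, sec, path, status, ua):
    return (f'{ip} - - [02/Jun/2026:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 153 "-" "{ua}"')

def sample_log():
    """Constructed sample lines (documentation IP ranges), not real traffic."""
    words = ["admin", "backup", "login", "config", "test", "old", "api", "uploads", "dev", "tmp"]
    scan = [_line("203.0.113.7", i, "/" + w, 200 if w in ("login", "api") else 404,
                  "gobuster/3.6") for i, w in enumerate(words)]
    pages = [("/", 200), ("/index.html", 200), ("/favicon.ico", 404)]
    user = [_line("198.51.100.20", i, p, s, "Mozilla/5.0") for i, (p, s) in enumerate(pages)]
    return "\n".join(scan + user)

def detect_path_bruteforce(log_text, window=timedelta(seconds=10),
                           min_paths=8, min_404_ratio=0.7):
    """Flag clients requesting many distinct, mostly missing paths in a short window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            by_ip[m["ip"]].append((ts, m["path"], int(m["status"]), m["ua"]))
    findings = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            burst = hits[start:end + 1]
            paths = {h[1] for h in burst}
            ratio = sum(h[2] == 404 for h in burst) / len(burst)
            if len(paths) >= min_paths and ratio >= min_404_ratio:
                # Assumed default User-Agent prefix; client-controlled, so only a hint.
                ua_hint = any(h[3].lower().startswith("gobuster/") for h in burst)
                findings[ip] = {"distinct_paths": len(paths),
                                "ratio_404": round(ratio, 2), "gobuster_ua": ua_hint}
                break
    return findings

if __name__ == "__main__":
    print(detect_path_bruteforce(sample_log()))
```

Tune window, min_paths and min_404_ratio against normal traffic for the site before alerting on the result.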
