🔵 Day 3 — Gobuster Tutorial
Authorised targets only. Gobuster sends a large volume of HTTP requests — this is clearly visible in server logs and will trigger IDS/WAF alerts on monitored systems. Only run Gobuster against your own DVWA lab, TryHackMe, HackTheBox, or authorised bug bounty targets with explicit scope permission. Running directory brute-force against any system without written authorisation is illegal.
Need a lab? → Ethical Hacking Lab Setup at Home · DVWA Labs Hub
Every web server has two kinds of pages: the ones linked from the homepage, and the ones that are not. The unlinked ones are where interesting things live — admin panels left over from development, backup files a developer forgot to delete, API endpoints the documentation never mentioned, configuration files accidentally made web-accessible, version control folders that expose the entire codebase. None of these appear in a sitemap. None of them show up in Google. The only way to find them is to ask the server about them directly, one path at a time. Gobuster asks thousands of times per second.
Day 3 of the Kali Linux Course teaches you Gobuster completely — every mode, every important flag, the right wordlists for every situation, and hands-on practice against DVWA. By the end you will have found your first hidden directory, understand how to hunt for file extensions and subdomains, and know exactly when to use Gobuster versus ffuf.
What Is Gobuster and How Does It Work?
Gobuster is a brute-forcing tool written in Go, built specifically for enumerating hidden content on web servers and in DNS. It works by taking a wordlist and sending one HTTP request (or DNS query) per word — appending each word to the target URL and recording which paths return a response that is not a 404. Unlike a web crawler, which follows links, Gobuster discovers content that is intentionally not linked.
3 primary modes (dir, dns, vhost) · Written in Go: fast + concurrent · 10+ default threads (configurable) · FREE: pre-installed on Kali Linux
Gobuster’s speed advantage over older tools like DirBuster or dirb comes from Go’s native concurrency — it fires multiple HTTP requests simultaneously, making a 220,000-word scan that took 45 minutes in DirBuster complete in under 5 minutes. This matters in time-limited engagements.
📚 Where Day 3 fits: You used Nmap on Day 1 to find which ports are open — specifically ports 80 and 443. Day 3 follows that discovery: once you know a web server is running, Gobuster maps what is on it. Nmap finds the door; Gobuster finds everything behind it.
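The same behaviour seen from the server side, as an added example that is not part of the original tutorial: a small sh/awk filter over constructed access-log lines that flags the two signals a Gobuster run leaves in a log, a burst of mostly-404 responses from one client and Gobuster's default User-Agent string. The threshold and log format (Apache/Nginx combined) are assumptions.

```shell
#!/bin/sh
# Added example: spot a Gobuster-style directory brute force in a
# combined-format access log. Gobuster sends one request per wordlist
# entry, so the log shows a burst of 404s from a single IP, and unless
# the operator changed it, the User-Agent is "gobuster/<version>".
# The log lines below are constructed for this example.
LOG=$(cat <<'EOF'
203.0.113.9 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 891 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /config.php.bak HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /phpmyadmin HTTP/1.1" 301 322 "-" "gobuster/3.6"
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.9 - - [10/Mar/2024:12:00:05 +0000] "GET /missing.css HTTP/1.1" 404 196 "-" "Mozilla/5.0"
EOF
)

# flag_bruteforce [threshold]
# Prints "ip requests 404s gobuster_ua" for every client whose 404 count
# reaches the threshold (default 3) or that announces itself as gobuster.
flag_bruteforce() {
    thr=${1:-3}
    printf '%s\n' "$LOG" | awk -v thr="$thr" '
    {
        ip = $1
        total[ip]++
        # in combined format the status code is the field after the request: $9
        if ($9 == "404") nf[ip]++
        if ($0 ~ /"gobuster\//) ua[ip] = 1
    }
    END {
        for (ip in total)
            if (nf[ip] >= thr || ua[ip])
                printf "%s %d %d %s\n", ip, total[ip], nf[ip] + 0, (ua[ip] ? "yes" : "no")
    }' | sort
}

flag_bruteforce
```

Only 198.51.100.7 is reported with the default threshold; the browser client with a single missing stylesheet is not.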
Installation & Verification
```bash
# Verify Gobuster is installed (Kali Linux — pre-installed)
gobuster --version
gobuster v3.6.0

# If not installed:
sudo apt install gobuster -y

# Install SecLists (best wordlist collection — do this once):
sudo apt install seclists -y
# Installs to /usr/share/seclists/ — hundreds of categorised wordlists

# View Gobuster modes:
gobuster --help
Available Commands:
  dir     Uses directory/file enumeration mode
  dns     Uses DNS subdomain enumeration mode
  fuzz    Uses fuzzing mode
  vhost   Uses virtual host brute-forcing mode
```
Wordlists — Which to Use and When
The wordlist determines what Gobuster looks for. A small wordlist means faster scans but more missed content. A large wordlist finds more but takes longer. The right choice depends on the phase of the engagement and what you already know about the target’s technology stack.
GOBUSTER WORDLIST SELECTION GUIDE — KALI LINUX COURSE DAY 3

| Wordlist | Words | Speed | Best for |
|---|---|---|---|
| dirb/common.txt | 4,614 | ~5 sec | Quick first pass — always run this first |
| dirb/big.txt | 20,469 | ~30 sec | Wider coverage without massive time cost |
| SecLists directory-list-2.3-medium.txt | 220K | 3–8 min | Thorough engagement scan — most comprehensive |
| SecLists DNS/subdomains-top1million-5000.txt | 5,000 | Fast | Subdomain enumeration (dns mode) |
| SecLists CMS/wordpress.txt | Varies | Fast | CMS-specific — WordPress, Drupal, Joomla |
STRATEGY: Run common.txt first (5 seconds). If interesting, escalate to medium.txt. For specific CMS use dedicated list. Always install SecLists: sudo apt install seclists
Gobuster Wordlist Selection Guide — Five wordlists ranked by size and time. Start with common.txt (4,614 words, ~5 seconds) for every engagement — fast and covers the most impactful paths. Escalate to the SecLists medium list (220K words) for thorough scans. Use CMS-specific wordlists when you know the technology stack. DNS subdomain lists go in dns mode, not dir mode.
```bash
# Key wordlist paths on Kali Linux:
/usr/share/wordlists/dirb/common.txt                                      # 4.6K — start here
/usr/share/wordlists/dirb/big.txt                                         # 20K — next step up
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt   # 220K
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt    # 87K
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt         # DNS
/usr/share/seclists/Discovery/Web-Content/CMS/wordpress.txt               # WP
```
dir Mode — Directory & File Discovery
gobuster dir is the mode you will use in almost every web application assessment. It sends GET requests for every word in your wordlist appended to the base URL and reports everything that returns a non-404 response.
```bash
# ─── Basic syntax ─────────────────────────────────────────────────
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# ─── Against DVWA in your home lab ────────────────────────────────
# -t 50 : 50 threads — fast on local lab
# -v    : verbose — show all attempts
# -o    : save output
# (comments go above the command: a "\ # comment" on a continued line
#  breaks the line continuation and the flags after it are never passed)
gobuster dir \
  -u http://192.168.56.101/dvwa/ \
  -w /usr/share/wordlists/dirb/common.txt \
  -t 50 \
  -v \
  -o dvwa_dirs.txt

# ─── HTTPS target ─────────────────────────────────────────────────
gobuster dir -u https://target.com -w wordlist.txt -k
# -k = skip SSL certificate verification (for self-signed certs)

# ─── With authentication (cookie) ─────────────────────────────────
gobuster dir -u http://target.com -w wordlist.txt \
  -c "PHPSESSID=abc123; security=low"   # inject session cookie

# ─── With custom header ───────────────────────────────────────────
gobuster dir -u http://target.com -w wordlist.txt \
  -H "Authorization: Bearer eyJhbGci…"
```
File Extension Discovery — The -x Flag
The -x flag appends file extensions to every wordlist entry. This transforms a directory scan into a file discovery scan — finding backup files, config files, source code, and documentation that the server serves but never links to. Some of the highest-value findings in web application testing come from this technique.
```bash
# ─── File extension scan — the high-value combo ───────────────────
gobuster dir \
  -u http://target.com \
  -w /usr/share/wordlists/dirb/big.txt \
  -x php,html,txt,bak,zip,conf,xml,json,sql,log \
  -t 50 -o files_found.txt

# What these extensions find:
#   .php   PHP source files, login pages
#   .bak   Backup files: config.php.bak, index.php.bak ← goldmine
#   .zip   Archive files: backup.zip, site.zip
#   .conf  Config files: nginx.conf, apache.conf
#   .sql   SQL dumps: db.sql, backup.sql ← critical if found
#   .log   Log files: error.log, access.log ← may expose paths/users
#   .txt   robots.txt, sitemap, credentials.txt (yes, this happens)
```
⚠️ Thread count & politeness: Against local DVWA labs, -t 50 or even -t 100 is fine. Against production systems in authorised engagements, keep -t 10 or lower and add --delay 100ms to avoid overwhelming the server. Crashing a production system during a pentest is a very bad day for everyone.
Status Code Filtering — Cutting Through the Noise
Some web servers return 200 for every path — even paths that do not exist — by serving a custom “page not found” page. Without filtering, Gobuster reports thousands of false positives. These flags let you cut through them:
```bash
# ─── Include only specific status codes ──────────────────────────
# -s (include) and -b (blacklist, default 404) are mutually exclusive:
# clear the blacklist with -b "" when you use -s, or Gobuster refuses to start
gobuster dir -u http://target.com \
  -w wordlist.txt \
  -s 200,204,301,302,307,401,403 -b ""

# ─── Exclude responses by length (custom 404 pages) ──────────────
gobuster dir -u http://target.com -w wordlist.txt --exclude-length 1234
# If the custom 404 page is always 1234 bytes, exclude it

# ─── What each status means: ─────────────────────────────────────
# 200 OK — path exists, content returned             # HIGH VALUE
# 301 Moved Permanently — redirects to /path/        # FOLLOW IT
# 302 Found (temp redirect) — path exists            # CHECK TARGET
# 401 Unauthorised — path exists, requires auth      # INTERESTING
# 403 Forbidden — path exists, access denied         # TRY TO BYPASS
# 404 Not Found — path does not exist                # IGNORE
# 500 Server Error — path triggered an error         # INVESTIGATE
```
💡 403 is not the end: A 403 Forbidden response means the path exists but access is blocked. In real bug bounty testing, 403 responses are often bypassable with header manipulation — try adding X-Original-URL: /admin or X-Forwarded-For: 127.0.0.1 to see if the server grants access. Never ignore 403s in your output.
dns Mode — Subdomain Enumeration
gobuster dns performs DNS-based subdomain discovery — it resolves WORD.target.com for every word in the wordlist and reports which subdomains exist. This is passive from the web server’s perspective but generates DNS queries. Use for bug bounty recon and authorised external assessments.
```bash
# ─── Basic subdomain enumeration ─────────────────────────────────
gobuster dns \
  -d target.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -t 50 \
  -o subdomains.txt

# ─── Show IP addresses of found subdomains ────────────────────────
gobuster dns -d target.com -w subdomains.txt -i
# -i = show IP addresses alongside found subdomains

# Sample output:
Found: dev.target.com [192.168.1.50]        # Dev environment!
Found: staging.target.com [192.168.1.51]    # Staging server!
Found: api.target.com [203.0.113.5]         # API endpoint
Found: mail.target.com [203.0.113.6]
# dev. and staging. subdomains are often less hardened → priority targets
```
💡 Why dev & staging matter: Development and staging subdomains are often running older software, have weaker authentication, or have debugging features enabled that production does not. In bug bounty programmes, dev.target.com is usually in scope when *.target.com is listed — but always verify against the programme’s scope definition. More on recon workflow: Bug Bounty Reconnaissance.
vhost Mode — Virtual Host Discovery
Virtual hosts allow a single server IP to serve multiple different websites using the HTTP Host header. Gobuster vhost mode brute-forces the Host header value to discover virtual hosts that are not resolvable through DNS — useful when a single IP is hosting multiple applications, some of which may not be documented.
```bash
# ─── Virtual host discovery ──────────────────────────────────────
# --append-domain appends the domain to each word; because -u is an IP
# here, --domain supplies the domain to append (.target.com)
gobuster vhost \
  -u http://192.168.56.101 \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  --domain target.com \
  --append-domain
# Gobuster sends: GET / HTTP/1.1 with Host: dev.target.com
# Reports responses that differ from baseline (vhost exists)
```
Gobuster vs ffuf — When to Use Each
| Aspect | Gobuster | ffuf |
|---|---|---|
| Best for | Directory + subdomain discovery | Complex fuzzing — parameters, headers, bodies |
| Syntax | Simpler — mode-based commands | More flexible — FUZZ keyword anywhere |
| FUZZ placement | URL path only | URL, headers, POST body, cookies, anywhere |
| Filter options | Status code, length | Status, size, words, lines, regex — very granular |
| Use when | Discovering directories, subdomains, vhosts | Fuzzing parameters, bypassing filters, POST data |
Full ffuf reference: ffuf Cheat Sheet (60+ Commands) | ffuf Guide for Ethical Hackers | Directory Bruteforce Guide
Real Pentest & Bug Bounty Workflow — In Order
Kali Linux — Gobuster dir scan (Authorised Target)

```text
$ gobuster dir -u http://192.168.56.101 -w /usr/share/wordlists/dirb/big.txt -x php,txt,bak -t 50 -o results.txt
===============================================================
Gobuster v3.6.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://192.168.56.101
[+] Threads:      50
[+] Wordlist:     /usr/share/wordlists/dirb/big.txt
[+] Extensions:   php,txt,bak
===============================================================
/index.php     (Status: 200) [Size: 891]
/phpinfo.php   (Status: 200) [Size: 48291]
/phpMyAdmin    (Status: 301) [Size: 322] → http://192.168.56.101/phpMyAdmin/
/test          (Status: 301) [Size: 315] → http://192.168.56.101/test/
/twiki         (Status: 301) [Size: 315]
/dav           (Status: 301) [Size: 313]   ← WebDAV!
/mutillidae    (Status: 301) [Size: 321]
/dvwa          (Status: 301) [Size: 314]
Progress: 81876 / 81880 (100.00%)
```

✓ phpMyAdmin exposed + WebDAV enabled → high-value findings for report
Gobuster dir scan against Metasploitable2. The scan reveals phpinfo.php (discloses server config), phpMyAdmin (database admin panel — test for default credentials), a WebDAV endpoint /dav (often allows arbitrary file uploads), and multiple web application paths. Every 301 redirect should be followed and its target directory scanned recursively. These are the findings that lead to exploitation in authorised assessments.
1. Quick pass — common.txt first
Always start with the 4.6K word common.txt scan. Takes 5 seconds. Finds the most impactful paths. Identifies the technology before you commit to a larger wordlist.
`gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -t 50`

2. Identify technology → use targeted wordlist
If the quick scan reveals WordPress files, switch to the WordPress wordlist. If it reveals Django or Rails patterns, use the relevant SecLists CMS list. Targeted lists find more in less time.

3. Full scan — medium list + file extensions
Run the 220K SecLists medium list with -x php,txt,bak,zip,conf,sql while you investigate the quick scan results. Let it run in background.

4. Recursive scan on interesting directories
For every 301 redirect or interesting 200 directory found, run Gobuster again against that subdirectory. An /admin directory may contain /admin/upload, /admin/config, etc.

5. Investigate & document every finding
For every non-404 response: open in browser, capture in Burp, note the content. Grep results for admin, backup, config, upload, api, test. Every finding goes in your engagement notes. More on methodology: Bug Bounty Hunting Methodology.
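Steps 4 and 5 carried out on a saved `-o` results file, as an added example that is not part of the original tutorial: a small sh/awk triage that queues every 301 and 403 path for the next recursive scan, greps hits for the keywords above, and prints the follow-up commands. The results file is constructed in Gobuster's output format; the base URL, wordlist and keyword list are assumptions.

```shell
#!/bin/sh
# Added example: triage a Gobuster results file (the -o output).
# The lines below are constructed in Gobuster's own output format.
RESULTS=$(cat <<'EOF'
/index.php            (Status: 200) [Size: 891]
/phpinfo.php          (Status: 200) [Size: 48291]
/phpMyAdmin           (Status: 301) [Size: 322] [--> http://192.168.56.101/phpMyAdmin/]
/test                 (Status: 301) [Size: 315] [--> http://192.168.56.101/test/]
/dav                  (Status: 301) [Size: 313] [--> http://192.168.56.101/dav/]
/config.php.bak       (Status: 200) [Size: 2048]
/admin                (Status: 403) [Size: 278]
EOF
)

# Step 4: paths worth a recursive scan. 301 means "this is a directory";
# 403 means the path exists but is blocked, so its children may not be.
recurse_targets() {
    printf '%s\n' "$RESULTS" | awk '
        $3 == "301)" || $3 == "403)" { sub(/\/$/, "", $1); print $1 }'
}

# Step 5: hits matching the keyword grep the workflow recommends, plus
# the extensions the -x section singles out (.bak, .sql) and phpinfo.
high_value() {
    printf '%s\n' "$RESULTS" | awk '{print $1}' \
        | grep -iE 'admin|backup|config|upload|api|test|\.bak$|\.sql$|phpinfo'
}

# next_round BASE_URL: one follow-up command per directory found, using
# the quick-pass wordlist first, exactly as step 1 does for the root.
next_round() {
    base=${1%/}
    recurse_targets | while read -r d; do
        printf 'gobuster dir -u %s%s/ -w /usr/share/wordlists/dirb/common.txt -t 50\n' "$base" "$d"
    done
}

echo "== recursive scan queue =="; recurse_targets
echo "== high-value hits =="; high_value
echo "== next commands =="; next_round http://192.168.56.101
```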
📋 Gobuster Command Reference Card — Screenshot This
GOBUSTER COMMAND REFERENCE — KALI LINUX COURSE DAY 3

```bash
# QUICK FIRST PASS
gobuster dir -u http://TARGET -w …/dirb/common.txt -t 50

# FULL SCAN + EXTENSIONS
gobuster dir -u http://TARGET -w …medium.txt -x php,bak,txt,zip,sql -t 50 -o out.txt

# SUBDOMAIN ENUM (dns mode)
gobuster dns -d target.com -w …/subdomains-top1million-5000.txt -t 50 -i

# HTTPS + SKIP SSL VERIFY
gobuster dir -u https://TARGET -w wordlist.txt -k -t 30

# WITH COOKIE (AUTHENTICATED)
gobuster dir -u http://TARGET -w wordlist.txt -c "session=abc123"

# KEY FLAGS QUICK REF
#   -u URL        -w wordlist     -x ext       -t threads
#   -o output     -k skip-SSL     -c cookie    -s status
#   -b blacklist-status           --delay rate-limit
```
Full reference: securityelites.com/gobuster-tutorial-kali-linux/ · Authorised targets only
Gobuster Command Reference Card — Day 3 Kali Linux Course. Six command patterns: quick first pass (common.txt, 50 threads), full scan with extensions, subdomain enumeration (dns mode with -i for IPs), HTTPS with SSL skip, authenticated scan with cookie injection, and key flags summary. Screenshot for your second monitor.
Day 3 Complete — 177 Tools Still to Come
The Full Kali Linux Course — One Tool Per Day.
180 Days. All Free. No Registration.
Next: Day 4 covers Hydra — credential brute forcing. You found the paths with Gobuster. Now you test whether those login panels have weak passwords.
Frequently Asked Questions
What is Gobuster used for in ethical hacking?
Discovering hidden directories, files, and subdomains on web servers. Gobuster probes for paths not linked from any public page — admin panels, backup files, API endpoints, config files, and source code. Hidden endpoints are often where vulnerabilities live, making Gobuster a standard first step in every web application assessment.
What is the difference between Gobuster dir and dns mode?
Dir mode: brute-forces file and directory paths via HTTP GET requests on a known host. DNS mode: brute-forces subdomains via DNS resolution queries (WORD.target.com). Use dir on a known host to find what’s on it. Use dns during reconnaissance to find what hosts exist.
What is the best wordlist for Gobuster?
Start with common.txt (4.6K, ~5 seconds). Escalate to SecLists directory-list-2.3-medium.txt (220K) for thorough scans. For CMS-specific targets use SecLists CMS wordlists. Install SecLists: sudo apt install seclists.
What is the difference between Gobuster and ffuf?
Gobuster: simpler, focused on directory/subdomain/vhost discovery, wordlist applied to URL path only. ffuf: more flexible, the FUZZ keyword can go anywhere (URL, headers, POST body, cookies), finer filter control. Use Gobuster for straightforward discovery. Use ffuf for complex fuzzing scenarios. Full comparison:
ffuf Guide for Ethical Hackers.
How do I find hidden admin panels with Gobuster?
Run with the medium SecLists wordlist and PHP/HTML extensions. Then grep results: grep -i 'admin\|login\|dashboard\|panel\|manage\|console' results.txt. Common admin paths: /admin, /administrator, /admin.php, /wp-admin, /phpmyadmin, /manager, /console. Verify every finding in a browser.
Is Gobuster pre-installed on Kali Linux?
Yes. Verify with gobuster --version. If not present: sudo apt install gobuster. Written in Go — significantly faster than older Python-based tools like DirBuster.
Mr Elite
Founder, SecurityElites.com | Penetration Tester | Kali Linux Educator
In almost every web application assessment I have conducted, the highest-severity finding came from a path that Gobuster found — not from active exploitation. A backup file with database credentials. An admin panel using default authentication. A /.git directory that exposed the entire codebase. None of these were linked. None of them were documented. All of them were catastrophic. Gobuster is not sophisticated. It is systematic. That is what makes it effective.
Coming Up — Day 4
Hydra — Online Credential Brute Forcing
You found the admin panel with Gobuster. Now test whether the password is weak enough to crack.
Day 4: Hydra →