GoBuster
GoBuster is a tool that can be used to enumerate websites such as DNS, vhost, pages, and perform directory brute-forcing.
Table of Content
- Installation
- Directory/File Enumeration
- DNS Subdomain Enumeration
Installation
To install GoBuster, we can use the following command:
apt install gobuster
Directory/File Enumeration
To use GoBuster to enumerate directories and files on the server, we can use dir module and the following command:
gobuster dir -u http://127.0.0.1 -w /path/to/wordlist/here
Command breakdown:
dir- Specifies the directory and file brute-forcing module.-u- Specifies the target URL.-w- Specifies the wordlist to use.
Example usage:
gobuster dir -u http://10.10.10.10 -w /usr/share/dirb/wordlists/common.txt
The below table will outline the different HTTP code types and what they usually mean:
| HTTP Code | Description |
|---|---|
| 200 | Indicates that the request was successful. |
| 301 | Indicates that the you are being redirected. Depending on the application, it does not mean that it is a fail. |
| 403 | Indicates that you are forbidden from accessing the resource. |
There are many more HTTP status codes. However, the above 3 will be the most encountered when on engagements.
DNS Subdomain Enumeration
There can also be resources hosted on subdomains. Some examples of this are admin panels or additional functionality that can potentially be exploited. To use this module, we can specify the "dns" module.
To use this module, we can use the following command:
gobuster dns -d domain_here.tld -w /path/to/wordlist/here
Command breakdown:
dns- Specifies gobuster to use the DNS module.-d- Specifies the domain to enumerate.-w- Specifies the wordlist to use.
Example usage:
gobuster dns -d gohspace.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt
By using different wordlists, switches, and modules, we can enumerate more using GoBuster.