loading
loading
Discovery
Brute-force directories and files on web servers with a wordlist.
overview
gobuster dir mode aims a wordlist at a web server and requests every path in turn, reporting the ones the server answers. Written in Go, it is fast enough to throw a large list at a host and still finish quickly, which is why it is a staple for turning up admin panels, backups, config files, and endpoints the application never links to.
You decide what counts as a hit. Keep the default positive status codes or narrow them with -s, drop noise with a -b blacklist, and add -l to print the body length so a soft-404 stands out from a real page. -x appends extensions such as php or bak so a run hunts files as well as directories, and -H, -c, -a, -U with -P, and --no-tls-validation let it reach targets behind custom headers, cookies, a set user agent, basic auth, or a self-signed certificate.
In a Trickest workflow it slots in after a prober confirms a host is live: wire a URL and a wordlist into the node and it writes the discovered paths to a file and a folder that the next probing or testing stage reads. Schedule it and each run re-checks the surface for content that appeared since the last pass.
source github.com/OJ/gobuster
use cases
Brute-force a live host with a content wordlist to surface admin pages, backups, and endpoints that are not referenced anywhere on the site.
Append extensions like php, bak, or zip to each word so the run also looks for source, backup, and archive files behind known paths.
Tune the positive or blacklisted status codes and include the body length so soft-404s and boilerplate pages do not flood the results.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -u | The target URL to brute-force. |
| wordlist | FILE | -w | Wordlist of paths to request against the target. |
| extensions | STRING | -x | File extension(s) to append to each word, e.g. php,bak,zip. |
| threads | STRING | -t | Number of concurrent threads (default 10). |
| positive-status-codes | STRING | -s | Status codes counted as hits (default 200,204,301,302,307,401,403). |
| blacklist-status-codes | STRING | -b | Status codes to drop; overrides the positive list when set. |
| no-tls-validation | BOOLEAN | --no-tls-validation | Skip TLS certificate verification for self-signed or expired certs. |
| useragent | STRING | -a | Set the User-Agent string (default gobuster/3.1.0). |
Showing key inputs. gobuster-dir exposes 19 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -u | The target URL |
| proxy | STRING | -p | Proxy to use for requests [http(s)://host:port] |
| cookies | STRING | -c | Cookies to use for the requests |
| headers | STRING | -H | Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2' |
| threads | STRING | -t | Number of concurrent threads (default 10) |
| timeout | STRING | --timeout | HTTP Timeout (default 10s) |
| wordlist | FILE | -w | Provide a wordlist |
| add-slash | BOOLEAN | -f | Append / to each request |
| useragent | STRING | -a | Set the User-Agent string (default "gobuster/3.1.0") |
| extensions | STRING | -x | File extension(s) to search for |
| expanded-mode | BOOLEAN | -e | Expanded mode, print full URLs |
| include-length | BOOLEAN | -l | Include the length of the body in the output |
| follow-redirect | BOOLEAN | -r | Follow redirects |
| no-tls-validation | BOOLEAN | --no-tls-validation | Skip TLS certificate verification |
| basic-auth-password | STRING | -P | Password for Basic Auth |
| basic-auth-username | STRING | -U | Username for Basic Auth |
| positive-status-codes | STRING | -s | Positive status codes (will be overwritten with status-codes-blacklist if set) (default "200,204,301,302,307,401,403") |
| blacklist-status-codes | STRING | -b | Negative status codes (will override status-codes if set) |
| force-continued-wildcard | BOOLEAN | --wildcard | Force continued operation when wildcard found |
example
# brute-force directories and files, show body lengthgobuster dir -u https://example.com -w /wordlists/common.txt -x php,bak -t 50 -l/.htaccess (Status: 403) [Size: 278]/admin (Status: 301) [Size: 315] [--> https://example.com/admin/]/backup (Status: 301) [Size: 316] [--> https://example.com/backup/]/config.php (Status: 200) [Size: 0]/index.php (Status: 200) [Size: 10842]/login (Status: 200) [Size: 4210]/robots.txt (Status: 200) [Size: 142]/server-status (Status: 403) [Size: 300]/uploads (Status: 301) [Size: 317] [--> https://example.com/uploads/]guidance
Use gobuster-dir to brute-force content on a host you already know is live. It is simple and fast for directory and file discovery. For richer filtering and parameter or vhost fuzzing, reach for ffuf or feroxbuster instead.
More general FUZZ engine with richer response filtering plus parameter and vhost modes.
Recursive content discovery with smart defaults; walks into directories it finds automatically.
Python directory brute-forcer with built-in extension handling and recursion.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A target URL and a wordlist feed gobuster-dir, which brute-forces paths and writes the directories and files it discovers as a queryable output.
Facts on this page come from the live Trickest tool library.