Find hidden files and web directories with GoBuster
Howdy, this tutorial will show you how to enumerate website directories using GoBuster in Kali Linux. GoBuster is a directory bruteforce tool, it scans a website and returns a list of directories and pages. it’s super helpful for find hidden login pages and just general web recon.
If you’ve never used gobuster, you’ll need to install it (a similar tool named dirbuster is bundled with kali and from what I’m aware it’s essentially the GUI version of gobuster. But I like to spend as much time as I can in the CLI, it looks cooler.)
open up your terminal and download gobuster:
sudo apt install gobuster
GoBuster needs three parameters to run: the mode you wish to run it in (we’ll be using dir mode), a target website URL (-u), and a wordlist (-w). You should hopefully already know the target URL, and good ol’ kali comes with a plethora of wordlists for all occasions. take a look in /usr/share/wordlists/ for your options. in the ‘dirb’ folder there are directory-enumeration-specific wordlists of varying sizes.
In my home lab I’ve booted up my metasploitable2 machine with the IP 10.0.2.4, running a web service on port 80. I’ll use the wordlist ‘/usr/share/wordlists/dirb/common.txt’. First we feed gobuster the dir command to tell it we want to use the directory/file bruteforcing mode. We then use the -u flag to define the URL, and the -w flag to give it a wordlist. I’ll also throw in a -e flag to tell gobuster to supply us with the full ‘expanded’ URL of each directory found, just for fun.
the full gobuster command should look like this:
sudo gobuster dir -u http://10.0.2.4 -w /usr/share/wordlists/dirb/common.txt -e
if all is done correctly, the successfully enumerated files and folders will begin printing on screen, along with a status code describing it’s availibility. It should look something like this:
Status code 200 means you can access it and 403 is forbidden, and 301 is a redirection (you can usually still access it) . The 400’s and 500’s are generally client/server errors, and anything in the 300’s means some kind of redirect.
There you have it, the basic functionality of GoBuster. You can also use it for DNS subdomain and VHOST bruteforcing, if that’s your thing. Check out the GoBuster github readme for more info. Thanks for reading!