Gobuster

# Gobuster Help

$ gobuster -h
Usage:
  gobuster [command]

Available commands:
  dir         Uses directory/file enumeration mode
  dns         Uses DNS subdomain enumeration mode
  fuzz        Uses fuzzing mode
  help        Help about any command
  s3          Uses aws bucket enumeration mode
  version     shows the current version
  vhost       Uses VHOST enumeration mode

Flags:
      --delay duration    Time each thread waits between requests (e.g. 1500ms)
  -h, --help              help for gobuster
      --no-error          Don't display errors
  -z, --no-progress       Don't display progress
  -o, --output string     Output file to write results to (defaults to stdout)
  -p, --pattern string    File containing replacement patterns
  -q, --quiet             Don't print the banner and other noise
  -t, --threads int       Number of concurrent threads (default 10)
  -v, --verbose           Verbose output (errors)
  -w, --wordlist string   Path to the wordlist

Directory Busting

$ gobuster dir -u http://soccer.htb/ -w <path to wordlist>

  • dir: selects directory/file enumeration mode

  • -u: target URL

  • -w: path to the wordlist

  • -x: file extensions to look for (e.g. php)

  • -t: number of concurrent threads

  • -k: skip TLS certificate verification

You can also scan for files by including the extensions to search for:

$ gobuster dir -u http://soccer.htb/ -w <path to wordlist> -x php
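From the defender's side, a directory brute-force is easy to spot in the web server access log: one client produces a burst of requests with a very high 404 ratio, often with the tool's stock User-Agent (the sample run later on this page shows it as gobuster/3.6). The script below is an added example, not part of the original notes; the access log lines are constructed in combined log format, and the IPs, paths and threshold are placeholders. The User-Agent check is only a weak signal because the string is configurable, so the 404 count and the per-second request rate are the checks that matter.

```shell
#!/bin/sh
# Added example (not from the original notes): flag gobuster-style directory
# brute-forcing in an access log. Assumes the combined log format, where the
# status code is field 9 and the timestamp (to the second) is field 4.

# Constructed sample log: four requests from 10.0.0.5 with the stock gobuster
# User-Agent (three of them 404s, three within the same second), plus one
# ordinary browser request from another client.
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 162 "-" "gobuster/3.6"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 162 "-" "gobuster/3.6"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "gobuster/3.6"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /test HTTP/1.1" 404 162 "-" "gobuster/3.6"
192.168.1.20 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# count_404s IP : number of 404 responses served to IP
count_404s() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk -v ip="$1" '$1 == ip && $9 == 404 { n++ } END { print n + 0 }'
}

# peak_rate IP : the largest number of requests IP made within one second
# (a high value points at many threads and no --delay)
peak_rate() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk -v ip="$1" '$1 == ip { t[$4]++ }
                        END { for (k in t) if (t[k] > m) m = t[k]; print m + 0 }'
}

# gobuster_ua_ips : client IPs that sent the default gobuster User-Agent
gobuster_ua_ips() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk 'index($0, "\"gobuster/") { print $1 }' | sort -u
}

# suspicious_ips THRESHOLD : client IPs with at least THRESHOLD 404 responses
suspicious_ips() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk -v t="$1" '$9 == 404 { c[$1]++ }
                       END { for (ip in c) if (c[ip] >= t + 0) print ip }' | sort
}

# Stand-alone run: report sources with 3 or more 404s (threshold is a placeholder).
printf 'Likely brute-force sources: %s\n' "$(suspicious_ips 3)"
```

In production the threshold and window would be tuned per site (a broken link on a popular page also produces 404s, but from many clients rather than one), and the same three signals map directly onto the gobuster flags on this page: -t and --delay control the rate, and the User-Agent is what a WAF rule would match first.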

Enumerate Subdomains - Virtual Hosts

There are a couple of things you need to prepare to brute force Host headers:

  1. Target Identification: First, identify the target web server's IP address. This can be done through DNS lookups or other reconnaissance techniques.

  2. Wordlist Preparation: Prepare a wordlist containing potential virtual host names. You can use a pre-compiled wordlist, such as SecLists, or create a custom one based on your target's industry, naming conventions, or other relevant information.

The gobuster command to brute-force vhosts generally looks like this:

$ gobuster vhost -u http://<target_IP_address> -w <wordlist_file> --append-domain
  • The -u flag specifies the target URL (replace <target_IP_address> with the actual IP).

  • The -w flag specifies the wordlist file (replace <wordlist_file> with the path to your wordlist).

  • The --append-domain flag appends the base domain to each word in the wordlist.

Gobuster will output potential virtual hosts as it discovers them. Analyze the results carefully, noting any unusual or interesting findings. Further investigation might be needed to confirm the existence and functionality of the discovered virtual hosts.

There are a couple of other arguments that are worth knowing:

  • Consider using the -t flag to increase the number of threads for faster scanning.

  • The -k flag can ignore SSL/TLS certificate errors.

  • You can use the -o flag to save the output to a file for later analysis.


d3lvx@htb[/htb]$ gobuster vhost -u http://inlanefreight.htb:81 -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
===============================================================
Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://inlanefreight.htb:81
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: forum.inlanefreight.htb:81 Status: 200 [Size: 100]
[...]
Progress: 114441 / 114442 (100.00%)
===============================================================
Finished
===============================================================

Use vhost to enumerate subdomains served as virtual hosts:

$ gobuster vhost -w <path to wordlist> -u http://toppers.htb --append-domain

--append-domain takes no argument: with it set, each wordlist entry is sent in the Host header as <word>.toppers.htb.

If you see you are getting hundreds of successful results, they are usually the catch-all virtual host answering every name with the same page; filter out the response length of the most common ones with --exclude-length:

  • -w: wordlist (the subdomain lists under /usr/share/SecLists/Discovery/DNS/)

  • -u: target domain

  • --append-domain: tells gobuster to append the domain to each wordlist entry, i.e. <word>.toppers.htb

  • --exclude-length: response size (in bytes) to exclude from the results
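The usual workflow for --exclude-length is to run vhost mode once, read off the response size that the catch-all host returns for almost every name, and re-run with that size excluded. The helper below automates the first step; it is an added example, not part of the original notes or of gobuster itself. The Found lines are constructed in the format gobuster prints in the run shown above, and example.htb and the sizes are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): pick the response size that a
# catch-all virtual host returns, so it can be passed to --exclude-length.
# The gobuster vhost output below is constructed, not a real result.
SAMPLE_VHOST_OUTPUT='Found: www.example.htb Status: 200 [Size: 2345]
Found: mail.example.htb Status: 200 [Size: 2345]
Found: dev.example.htb Status: 200 [Size: 10240]
Found: test.example.htb Status: 200 [Size: 2345]
Found: api.example.htb Status: 200 [Size: 511]
Found: ftp.example.htb Status: 200 [Size: 2345]'

# most_common_size : the Size value that occurs most often; with a catch-all
# vhost this is the size of the default page every unknown name gets
most_common_size() {
    printf '%s\n' "$SAMPLE_VHOST_OUTPUT" \
      | sed -n 's/.*\[Size: \([0-9]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }'
}

# filter_size SIZE : the Found lines whose Size is not SIZE (what gobuster
# itself would drop when re-run with --exclude-length SIZE)
filter_size() {
    printf '%s\n' "$SAMPLE_VHOST_OUTPUT" | grep -v "\[Size: $1\]"
}

# interesting_hosts : host names that survive the filter
interesting_hosts() {
    filter_size "$(most_common_size)" | awk '{ print $2 }'
}

# Stand-alone run: show the size to exclude and the hosts that remain.
printf 'Re-run with: --exclude-length %s\n' "$(most_common_size)"
interesting_hosts
```

A real catch-all sometimes reflects the requested host name in its page, so the sizes vary by a few bytes with the length of each word; in that case look for a narrow cluster of sizes rather than one exact value, and exclude each of them.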

DNS Subdomain Scan

Run a sub-domain scan on a website:

$ gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt
