
Gobuster Tutorial : All You Need To Know 2025


By Noman Mohammad


Master Gobuster with this complete guide! Learn commands, wordlists, subdomain scans, and more. Perfect for cybersecurity beginners.


What Is Gobuster?

Gobuster is a free hacking tool loved by cybersecurity pros. It finds hidden folders, files, or subdomains on websites. Imagine it as a flashlight that uncovers secrets in the dark corners of the internet. It’s fast, works on any computer, and is beginner-friendly.

If you’re new to hacking, Gobuster is your best friend. Use it to test your website’s safety or learn how hackers operate. Let’s dive into Gobuster’s features and tricks to use it like a pro!


Gobuster Cheat Sheet

Here’s a handy list of Gobuster commands to save time:

  • Scan Directories:
gobuster dir -u https://example.com -w wordlist.txt
  • Search Subdomains:
gobuster dns -d example.com -w subdomains.txt
  • Find Hidden Websites (VHost):
gobuster vhost -u https://example.com -w wordlist.txt

Pro Tips:

  • Use -t 50 to speed up scans (50 threads).
  • Add -x php,html to check for specific file types.
  • Always test commands on a website you own!

Gobuster GitHub Guide

Gobuster’s official code lives on GitHub. Here’s what you can do there:

  • Download the latest version.
  • Report bugs or request new features.
  • Read the official docs for troubleshooting.

Warning: Only download Gobuster from its official GitHub page. Fake copies might contain viruses.


How to Use Gobuster Vhost

VHost scanning helps find hidden websites on the same server. For example, a company might host admin.example.com and shop.example.com on one server. Gobuster can uncover these.

Command:

gobuster vhost -u https://example.com -w wordlist.txt

Use a focused wordlist like common-vhosts.txt for better results. If the scan shows “Found,” dig deeper to explore the hidden site.


Best Gobuster Wordlist TXT Files

Wordlists are text files filled with common names for folders or subdomains. Popular choices include:

  • Quick Scans: small.txt (fast but basic).
  • Detailed Scans: directory-list-2.3-medium.txt (covers more names).
  • Custom Lists: Create your own for unique targets.

Always pick wordlists that match your goal. For example, use subdomains-top1million.txt for subdomain scans.


Subdomain Enumeration with Gobuster

Subdomains like mail.example.com or test.example.com can expose hidden parts of a website. Use this command:

gobuster dns -d example.com -w subdomains.txt -i

The -i flag shows the IP address of each subdomain. This helps track where the subdomain is hosted.


Exclude Status Codes in Gobuster

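Gobuster shows HTTP status codes like 404 (Not Found) or 200 (OK). To hide codes that clutter results, use the -b flag (--status-codes-blacklist). The -x flag is for file extensions, not status codes:

gobuster dir -u https://example.com -w wordlist.txt -b 404,302

This hides 404 and 302 responses, making results cleaner. Gobuster already hides 404 by default, but setting -b replaces that default, so keep 404 in the list if you still want it hidden.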


Gobuster Wordlist GitHub

GitHub hosts tons of free wordlists for Gobuster. The best repo is SecLists. It includes:

  • Discovery/Web-Content: For directory scans.
  • Discovery/DNS: For subdomain searches.
  • Miscellaneous/quick.txt: For fast tests.

Download these lists, customize them, and save time!


Understanding Gobuster Status Codes

Gobuster shows HTTP codes during scans. Here’s what they mean:

  • 200: The page exists.
  • 301/302: The page redirects elsewhere.
  • 403: Access is forbidden.
  • 404: Page not found.
  • 500: Server error.

Focus on 200 or 403 codes—they often reveal important pages.
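
From the server side, a directory scan looks like one client requesting many distinct paths and getting mostly 404s. The sketch below is an added example, not part of the original guide or of Gobuster itself; the log lines are constructed and the thresholds are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def find_scanners(lines, min_paths=20, min_404_ratio=0.8):
    """Return {ip: summary} for clients whose requests look like wordlist enumeration."""
    stats = defaultdict(lambda: {"paths": set(), "total": 0, "not_found": 0, "hits": [], "ua": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        s = stats[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        s["ua"].add(m["ua"])
        if m["status"] == "404":
            s["not_found"] += 1
        elif m["status"] in ("200", "301", "302", "403"):
            s["hits"].append((m["path"], int(m["status"])))
    flagged = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["total"]
        if len(s["paths"]) >= min_paths and ratio >= min_404_ratio:
            flagged[ip] = {
                "distinct_paths": len(s["paths"]),
                "ratio_404": round(ratio, 2),
                "exposed": sorted(set(s["hits"])),  # paths the scan actually reached
                "default_ua": any(ua.lower().startswith("gobuster/") for ua in s["ua"]),
            }
    return flagged

def sample_log():
    """Constructed sample: one enumerating client, one normal visitor, one bad line."""
    words = [f"word{i}" for i in range(30)] + ["admin", "backup"]
    status = {"admin": 403, "backup": 200}
    scan = [f'203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /{w} HTTP/1.1" '
            f'{status.get(w, 404)} 153 "-" "gobuster/3.6"' for w in words]
    user = [f'198.51.100.9 - - [01/Jan/2025:10:00:05 +0000] "GET /{p} HTTP/1.1" '
            f'200 5120 "-" "Mozilla/5.0"' for p in ("", "about", "contact")]
    return scan + user + ["garbage line"]

if __name__ == "__main__":
    for ip, info in find_scanners(sample_log()).items():
        print(ip, info)
```

The "exposed" list is the part to act on first: those are the paths that answered with something other than 404. The User-Agent check is only a hint, since the header is easy to change.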


Gobuster DNS Enumeration

DNS scans find subdomains linked to a website. Use:

gobuster dns -d example.com -w subdomains.txt

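Add flags like -t 50 for speed or -i to show IPs. If the domain uses wildcard DNS, every name resolves and Gobuster stops early. Gobuster 2.x accepts -fw to force the scan to continue, while 3.x uses --wildcard for the same purpose.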


Gobuster vs Dirbuster

Feature        | Gobuster         | Dirbuster
Speed          | Lightning-fast   | Slower
Interface      | Command-line     | Graphical
Customization  | Highly flexible  | Limited options

Gobuster is ideal for experts. Dirbuster suits beginners who prefer clicking over typing.


FAQs

1. Is Gobuster safe for beginners?

Yes! Start with small wordlists and scan websites you own.

2. Why does Gobuster show no results?

Your wordlist might not match the target. Try a different list or check for typos.

3. Can Gobuster hack passwords?

No. Gobuster finds hidden links, not passwords. Use tools like Hydra for password cracking.


Final Tips

  • Update Gobuster regularly for bug fixes.
  • Practice on safe sites like Hack The Box.
  • Join forums to share tips with other users.

Gobuster unlocks the hidden web. Use it wisely, and you’ll master cybersecurity basics in no time!
