Gobuster Cheatsheet

Gobuster is a tool for brute forcing URIs (Files and Directories) and DNS subdomains.

The built-in help lists the available options:

gobuster -h

Common Command line options

  1. -fw – force processing of a domain with wildcard results.

  2. -np – hide the progress output.

  3. -m – which mode to use, either dir or dns (default: dir).

  4. -q – disables banner/underline output.

  5. -t – number of threads to run (default: 10).

  6. -u – full URL (including scheme), or base domain name.

  7. -v – verbose output (show all results).

  8. -w – path to the wordlist used for brute forcing (use - for stdin).

Command line options for dns mode

  1. -cn – show CNAME records (cannot be used with ‘-i’ option).

  2. -i – show all IP addresses for the result.

Command line options for dir mode

  1. -a <user agent string> – specify a user agent string to send in the request header.

  2. -c <http cookies> – use this to specify any cookies that you might need (simulating auth).

  3. -e – specify extended mode that renders the full URL.

  4. -f – append / for directory brute forces.

  5. -k – skip verification of SSL certificates.

  6. -l – show the length of the response.

  7. -n – “no status” mode, disables the output of the result’s status code.

  8. -o <file> – specify a file name to write the output to.

  9. -p <proxy url> – specify a proxy to use for all requests (scheme must match the URL scheme).

  10. -r – follow redirects.

  11. -s <status codes> – comma-separated list of status codes to be deemed a “positive” (default: 200,204,301,302,307).

  12. -x <extensions> – list of extensions to check for, if any.

  13. -P <password> – HTTP Authorization password (Basic Auth only, prompted if missing).

  14. -U <username> – HTTP Authorization username (Basic Auth only).

  15. -to <timeout> – HTTP timeout. Examples: 10s, 100ms, 1m (default: 10s).

Wordlist Usage

gobuster -w <wordlist.txt>

URL Usage

gobuster -u <url>

Thread Usage

gobuster -t <Num>

Extension Usage

gobuster -x <ext>

Status Code Usage

gobuster -s "<status codes>"

Expanded Mode Usage

gobuster -e

No Status Usage

gobuster -n

Verbose Mode

gobuster -v

User Agent

gobuster -a <useragent>

Export Option

gobuster -o <filename>
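
Detecting this kind of scan (added example, not part of the original cheatsheet or of Gobuster): because -a lets the client send any user agent string, the reliable signal in a web server's access log is behavioural, namely one client requesting many distinct paths of which most are answered 404. The sketch below assumes the common/combined access log format; the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Common/combined log format: ip - - [time] "METHOD path proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')

def find_bruteforce_clients(lines, min_paths=20, min_miss_ratio=0.8):
    """Return {client_ip: (distinct_paths, miss_ratio)} for clients whose
    traffic looks like wordlist-driven path enumeration."""
    paths = defaultdict(set)    # client -> distinct paths requested
    misses = defaultdict(set)   # client -> distinct paths answered 404
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue            # skip lines that are not in the expected format
        ip, path, status = m.group(1), m.group(2).split("?", 1)[0], m.group(3)
        paths[ip].add(path)
        if status == "404":
            misses[ip].add(path)
    flagged = {}
    for ip, seen in paths.items():
        ratio = len(misses[ip]) / len(seen)
        # The user agent is deliberately ignored: it is client-controlled (-a).
        if len(seen) >= min_paths and ratio >= min_miss_ratio:
            flagged[ip] = (len(seen), round(ratio, 2))
    return flagged

def sample_log():
    """Constructed sample: one enumerating client and one ordinary browser."""
    words = ["admin", "backup", "login", "test", "old"] * 6
    lines = []
    for i, w in enumerate(words):
        for ext in ("", ".php"):    # mirrors a scan run with an extension list (-x)
            path = f"/{w}{i}{ext}"
            status = "200" if path == "/login2.php" else "404"
            lines.append(f'198.51.100.7 - - [01/Jan/2024:10:00:{i:02d} +0000] '
                         f'"GET {path} HTTP/1.1" {status} 153 "-" "Mozilla/5.0"')
    for i, p in enumerate(["/", "/css/site.css", "/about", "/favicon.ico"]):
        status = "404" if p == "/favicon.ico" else "200"
        lines.append(f'203.0.113.9 - - [01/Jan/2024:10:01:{i:02d} +0000] '
                     f'"GET {p} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    for ip, (n, ratio) in find_bruteforce_clients(sample_log()).items():
        print(f"{ip}: {n} distinct paths, {ratio:.0%} answered 404")
```

Tune min_paths and min_miss_ratio against your own baseline, since crawlers and broken links also produce 404s.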
