explaingit

oj/gobuster

13,691 | Go | Audience · ops devops | Complexity · 2/5 | Setup · easy

TLDR

Gobuster is a command-line security tool that rapidly tests thousands of guessed paths, subdomains, or cloud bucket names against a target to find hidden content during authorized penetration testing.

Mindmap

mindmap
  root((Gobuster))
    What it does
      Brute-force discovery
      Web path scanning
      Subdomain finding
    Modes
      Directory mode
      DNS mode
      Cloud bucket mode
    Tech Stack
      Go
      Docker
    Audience
      Pen testers
      Security auditors


Things people build with this

USE CASE 1

Map hidden directories and admin pages on a web server during an authorized penetration test

USE CASE 2

Enumerate subdomains of a target domain to discover forgotten or exposed services

USE CASE 3

Check whether publicly accessible Amazon S3 or Google Cloud Storage buckets exist under guessed names as part of a cloud security audit

Tech stack

Go, Docker

Getting it running

Difficulty · easy | Time to first run · 30min

Requires a wordlist file such as those from SecLists, and explicit written permission to test any target you scan.

In plain English

Gobuster is a command-line tool used by security professionals to find hidden content on websites and servers. The core idea is brute-forcing: you give it a list of words (called a wordlist), point it at a target, and it tries each word rapidly to see what exists. It does this across several categories of targets, which the tool calls modes.

In directory mode, Gobuster sends requests to a web server appending each word in the wordlist as a potential path, like /admin, /backup, or /login. If the server responds with a valid page rather than a "not found" error, Gobuster flags that path as discovered. This helps security testers map out parts of a website that are not publicly linked.

DNS mode works similarly but against subdomains: it tries thousands of potential subdomain names against a domain and records which ones actually resolve to a server. Virtual host mode checks whether a web server is hosting multiple sites under different names at the same address.

The tool also includes modes for cloud storage: it can check whether Amazon S3 or Google Cloud Storage buckets with guessed names are publicly accessible, which is a common misconfiguration in real systems. There is a general fuzzing mode as well, where you can insert guessed values into any part of a URL, header, or form data.

Gobuster is written in Go, which makes it fast by design. It runs multiple checks in parallel and lets you control how many threads it uses. It is available as a direct install via the Go toolchain, as pre-built binaries, or as a Docker image.

The README is clear that this tool is intended for authorized security testing only. Every section of the documentation includes a reminder to get permission before pointing the tool at any target you do not own. It is a standard tool in penetration testing work, not for unauthorized use.

Copy-paste prompts

Prompt 1
Write a Gobuster command in directory mode to scan a target web server for common admin paths using a standard SecLists wordlist
Prompt 2
Show me how to use Gobuster DNS mode to enumerate subdomains of a domain I have explicit permission to test
Prompt 3
Write a Gobuster command that checks for exposed S3 buckets using a wordlist of common company name patterns during a cloud security review
Prompt 4
How do I run Gobuster with 50 threads, filter out 404 responses, and save the discovered paths to a results file?

Verify against the repo before relying on details.