lca

True unfreedom is the cage one builds inside one's own heart.

Basic usage of gobuster

Overview

I mainly use gobuster for directory scanning, though less and less often; I use ffuf more, and I will summarize ffuf later.

Gobuster is a brute-forcing tool written in Go for web directories and files, DNS subdomains and virtual hosts. It is organised into modes, and the first argument on the command line picks the mode for the job: dir, dns, vhost, fuzz, s3, gcs or tftp.

The modes are as follows:

Mode    Description
dir     Website directory/file brute-forcing
dns     DNS subdomain brute-forcing
vhost   Virtual host brute-forcing
fuzz    Brute-forcing of the FUZZ keyword in the request
s3      Enumerate open S3 buckets
gcs     Enumerate Google Cloud Storage buckets
tftp    Enumerate files on a TFTP server

  • Project address: https://github.com/OJ/gobuster ("Directory/File, DNS and VHost busting tool written in Go")

  • Installation

If you have a Go toolchain set up, you can install it directly; the binary lands in $GOPATH/bin (usually ~/go/bin), which needs to be on your PATH.

go install github.com/OJ/gobuster/v3@latest

Each mode has its own help text; pass the mode name before -h to see the options for that mode.

gobuster dir -h


gobuster dns -h


dir mode

  • Basic usage
gobuster dir -u "http://example.com/" -w /Users/lca/pentesting/web-basic/p12-字典收集/fuzz1.txt


Commonly used options in dir mode (short form first, long form in brackets):

-u (--url): target URL
-w (--wordlist): wordlist file, one candidate per line
-c (--cookies): cookies to send with every request, e.g. a session cookie so an authenticated area gets scanned
-x (--extensions): file extensions to append to every word, e.g. php,jsp,asp
-m (--method): HTTP request method (default GET)
-b (--status-codes-blacklist): status codes to ignore; defaults to 404
-s (--status-codes): only report these status codes. From gobuster 3.1 on, -s and -b cannot both be set, and -b has a default, so pass -b "" when you use -s
-q (--quiet): don't print the banner and progress noise
-t (--threads): number of concurrent threads (default 10)
-f (--add-slash): append / to every request
-r (--follow-redirect): follow redirects
-e (--expanded): print full URLs instead of just the path
-k (--no-tls-validation): skip TLS certificate verification
--exclude-length: ignore responses whose body has the given length(s), regardless of status; the usual way to drop a "soft 404" page that answers 200 for everything
--wildcard: before scanning, gobuster requests a random, non-existent path. If the server answers that with something other than 404, every word would look like a hit, so gobuster stops and tells you so. --wildcard makes it continue anyway. It does not turn 403 or 404 responses into hits; to get usable results, combine it with -b or --exclude-length to filter out the response the server gives for nonsense paths.

For example:

  • Scan mysite.com with a session cookie so the authenticated area is covered, try the php and html extensions for every word, use 50 threads and the wordlist common-files.txt.
gobuster dir -u https://mysite.com/ -c 'session=123456' -t 50 -w common-files.txt -x .php,.html
  • Continue past a wildcard response with --wildcard, ignore 301, 401, 403, 404 and 500, and use 20 threads. Blacklisting 301 and 403 also hides real directories (a 301 to /admin/ or a 403 on /admin usually means the path exists), so only do this when those codes are the wildcard noise.
gobuster dir -u https://mysite.com/ -w common-files.txt --wildcard -b 301,401,403,404,500 -t 20
  • Run the dirbuster medium list with a trailing slash appended to every request and 200 threads. A thread count this high is fine against a lab box but trips rate limits and WAFs on real targets; use 10 to 30 there.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://mysite.com/ -f -t 200
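The options above decide what gobuster prints, but the output still has to be turned into a list of URLs for the next step (a manual look, or feeding them to ffuf). The script below is an added example, not gobuster's own code: it parses gobuster dir result lines ("/path (Status: N) [Size: N]"), drops the body length that --exclude-length would have dropped, and prints full URLs. The gobuster output it parses is a constructed sample in that format, and the host mysite.com and the sizes are made up.

```shell
#!/usr/bin/env bash
# Post-process gobuster dir output into full URLs, filtering the "soft 404" size.
# Added example, not part of gobuster; the sample output below is constructed.

# Constructed sample of gobuster v3 dir output (banner, hits, footer).
sample_output() {
    cat <<'EOF'
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://mysite.com/
[+] Wordlist:                common-files.txt
[+] Negative Status codes:   404
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 178] [--> http://mysite.com/images/]
/index.php            (Status: 200) [Size: 10918]
/admin                (Status: 403) [Size: 277]
/backup.php           (Status: 200) [Size: 1512]
/old.php              (Status: 200) [Size: 1512]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
EOF
}

# parse_hits: stdin = gobuster dir output, stdout = "path status size" per hit.
# Result lines start with "/" and carry "(Status: N) [Size: N]"; banner and
# progress lines do not match and are skipped.
parse_hits() {
    awk '/^\/.*\(Status: [0-9]+\) \[Size: [0-9]+\]/ {
        path = $1
        match($0, /\(Status: [0-9]+\)/)
        status = substr($0, RSTART + 9, RLENGTH - 10)   # digits after "(Status: "
        match($0, /\[Size: [0-9]+\]/)
        size = substr($0, RSTART + 7, RLENGTH - 8)      # digits after "[Size: "
        print path, status, size
    }'
}

# interesting_urls BASE_URL [EXCLUDE_SIZE]: stdin = parse_hits output, stdout =
# "url status", skipping responses whose body length equals EXCLUDE_SIZE (the
# length of the catch-all page you get for a random path, i.e. the value you
# would pass to --exclude-length).
interesting_urls() {
    base="${1%/}"
    exclude="${2:-}"
    while read -r path status size; do
        [ -n "$exclude" ] && [ "$size" = "$exclude" ] && continue
        printf '%s%s %s\n' "$base" "$path" "$status"
    done
}

# Only run when given arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    # usage: ./hits.sh http://mysite.com/ 1512 < gobuster.out
    parse_hits | interesting_urls "$1" "${2:-}"
fi
```

Pipe a saved scan into the script with the base URL and the soft-404 length; backup.php and old.php in the sample share the catch-all size 1512 and are dropped, leaving the three real hits.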

dns mode

The dns mode enumerates subdomains of the target by resolving each wordlist entry as name.domain. It only talks to DNS; nothing is sent to the web server.

  • Basic usage
gobuster dns -d mysite.com -w ~/wordlists/subdomains.txt
  • Common options

-d (--domain): the base domain to enumerate
-i (--show-ips): print the IP addresses each name resolves to
--wildcard: before the scan gobuster resolves a random subdomain; if that succeeds the zone has a wildcard record, every word would appear to exist, and gobuster stops unless --wildcard is set. With it set, use -i and look for names whose IPs differ from the wildcard answer.
-t (--threads): number of concurrent lookups (default 10); it is a concurrency setting, not a speed setting

vhost mode

The vhost mode brute-forces virtual hosts. Every request goes to the same target, and only the Host header changes, set to each candidate name. A server that hosts several sites on one address answers differently for names it knows, so this finds virtual hosts that have no DNS record at all, which dns mode can never see.

This mode comes up a lot on HTB boxes, where one IP serves several names that only exist in /etc/hosts.

gobuster vhost -w /usr/share/wordlists/subnames.txt -u http://shoppy.htb

Two things to know: from gobuster 3.2 on, wordlist entries are sent as-is, so add --append-domain to turn "dev" into "dev.shoppy.htb"; and the server returns one fixed response for every unknown name, so a hit is a name whose status or size differs from that baseline, not just any 200.


Gobuster runs one mode per invocation; there is no combined vhost and directory scan. The same vhost scan with a larger subdomain wordlist and more threads:

gobuster vhost -u http://shoppy.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 150
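To make the Host-header mechanics and the baseline comparison concrete, here is an added example (my own script, not gobuster's code). It prints the curl request that corresponds to one vhost probe, and filters a set of probe results against the response a random name gets, which is the same decision gobuster makes when it reports a vhost. The target IP 10.10.11.180, the candidate names and all statuses and sizes are constructed.

```shell
#!/usr/bin/env bash
# vhost mode by hand: fixed target, changing Host header, hits = responses that
# differ from the wildcard baseline. Added example; the probe data is constructed.

# vhost_probe_cmd URL NAME DOMAIN: the curl command equivalent to one gobuster
# vhost request. It prints the command rather than running it so the script
# works offline; run the output to collect "status size" for a candidate.
vhost_probe_cmd() {
    printf "curl -s -o /dev/null -w '%%{http_code} %%{size_download}' -H 'Host: %s.%s' '%s'\n" "$2" "$3" "$1"
}

# Constructed probe results, "name status size" per candidate. zk9q3x1r stands
# for the random name gobuster sends first; its answer is the wildcard baseline.
sample_probes() {
    cat <<'EOF'
zk9q3x1r 200 2210
www 200 2210
mail 200 2210
dev 200 5120
admin 401 0
staging 200 2210
EOF
}

# baseline_of RANDOM_NAME: stdin = probe results, stdout = "status size" of that name.
baseline_of() {
    awk -v n="$1" '$1 == n { print $2, $3; exit }'
}

# vhost_hits BASELINE_STATUS BASELINE_SIZE: stdin = probe results, stdout = the
# candidates whose status or size differs from the baseline. Size alone is a weak
# signal on dynamic pages (timestamps, CSRF tokens), so both are compared and a
# hit that differs by only a few bytes deserves a manual look.
vhost_hits() {
    bstatus="$1"
    bsize="$2"
    while read -r name status size; do
        if [ "$status" != "$bstatus" ] || [ "$size" != "$bsize" ]; then
            printf '%s %s %s\n' "$name" "$status" "$size"
        fi
    done
}

# Only run when given the random name as an argument, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    # usage: ./vhosts.sh zk9q3x1r < probes.txt   (probes.txt built from vhost_probe_cmd runs)
    probes="$(cat)"
    b="$(printf '%s\n' "$probes" | baseline_of "$1")"
    printf '%s\n' "$probes" | vhost_hits $b    # $b unquoted on purpose: two fields
fi
```

In the sample, www, mail and staging are the wildcard response and drop out, while dev (different size) and admin (different status, an auth prompt) survive; those two are the names worth adding to /etc/hosts and opening in a browser.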

fuzz mode

The fuzz mode replaces the keyword FUZZ wherever it appears in the request: in the URL, in a header passed with -H, or in the request body (-B). For a URL like http://example.com/about.php?id=1, putting FUZZ in place of the parameter name enumerates hidden parameters with a parameter-name wordlist, and putting it in place of the value (id=FUZZ) enumerates ids. Every request gets some answer in this mode, so filter by body length (--exclude-length) or by status code (-b) or the output is all noise.

gobuster fuzz -u http://example.com/about.php?FUZZ=1 -w parameter-names.txt


Other modes

These are less commonly used, so I will just list their usage.

  • s3: try each wordlist entry as an S3 bucket name and report buckets that exist and allow a public listing
gobuster s3 -w bucket-names.txt
  • gcs: the same for Google Cloud Storage buckets
gobuster gcs -w bucket-names.txt
  • tftp: try each wordlist entry as a file name on a TFTP server
gobuster tftp -s tftp.example.com -w common-filenames.txt

There is a mind map of gobuster's modes and options on Hacking Articles.
