install
source · Clone the upstream repo
git clone https://github.com/ComeOnOliver/skillshub
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/TerminalSkills/skills/gobuster" ~/.claude/skills/comeonoliver-skillshub-gobuster && rm -rf "$T"
manifest:
skills/TerminalSkills/skills/gobuster/SKILL.md
source content
Gobuster
Overview
Gobuster is a fast brute-force tool for discovering hidden web content. Written in Go for speed (multi-threaded), it discovers directories, files, DNS subdomains, virtual hosts, and S3 buckets. Essential for finding admin panels, backup files, API documentation, and forgotten endpoints that weren't meant to be public.
Instructions
Step 1: Directory and File Discovery
```bash
# Basic directory brute force
gobuster dir -u https://target.example.com -w /usr/share/wordlists/dirb/common.txt
# dir: directory/file mode
# -w: wordlist (common.txt has ~4,600 entries)

# With extensions — find backup files, configs, source code
gobuster dir -u https://target.example.com \
  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -x php,txt,html,js,json,xml,bak,old,sql,zip,tar.gz,env \
  -t 50 \
  --status-codes 200,204,301,302,307,401,403 \
  --status-codes-blacklist ""
# -x: file extensions to append
# -t 50: 50 concurrent threads
# --status-codes: only show these HTTP status codes
# --status-codes-blacklist "": clear the default 404 blacklist;
#   gobuster exits with an error if both lists are set

# Authenticated scanning
gobuster dir -u https://target.example.com/api/v1 \
  -w api-wordlist.txt \
  -H "Authorization: Bearer eyJ..." \
  -H "Cookie: session=abc123"

# Recursive scanning
gobuster dir -u https://target.example.com \
  -w common.txt \
  --no-error \
  -o results.txt
# -o: save results to file
# Run again against discovered directories
```
Step 2: DNS Subdomain Enumeration
```bash
# Discover subdomains
gobuster dns -d example.com \
  -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -t 50
# Finds: dev.example.com, staging.example.com, admin.example.com, etc.

# Use custom DNS resolver
gobuster dns -d example.com \
  -w subdomains.txt \
  -r 8.8.8.8
# -r: custom DNS resolver (bypass local DNS caching)

# Show IP addresses
gobuster dns -d example.com -w subdomains.txt --show-ips
```
Step 3: Virtual Host Discovery
```bash
# Find virtual hosts on the same IP
gobuster vhost -u https://target.example.com \
  -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  --append-domain
# Sends requests with different Host headers
# Finds virtual hosts not in public DNS

# Filter by response size (exclude default pages)
gobuster vhost -u https://10.0.0.1 \
  -w vhosts.txt \
  --exclude-length 11234
```
Step 4: S3 Bucket Enumeration
```bash
# Discover S3 buckets related to a company
gobuster s3 -w company-names.txt
# Tests: company.s3.amazonaws.com, company-dev, company-backup, etc.
# Finds: misconfigured public buckets with sensitive data
```
Guidelines
- Use quality wordlists. SecLists (`/usr/share/wordlists/seclists/`) is the standard.
- `-x` extensions matter — `.bak`, `.old`, `.env`, `.sql`, `.zip` often contain sensitive data.
- Start with `common.txt` (fast), then `directory-list-2.3-medium.txt` (thorough).
- `403 Forbidden` is interesting — it confirms the path exists even if access is denied.
- DNS mode bypasses web servers entirely — finds subdomains directly via DNS resolution.
- VHost mode finds internal apps hosted on the same server but different Host headers.
- Combine with Nmap: scan discovered subdomains for additional attack surface.
- Save output (`-o results.txt`) — you'll reference it throughout the engagement.
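Seen from the defending side, the directory mode in Step 1 leaves a recognisable trace in web server access logs: one client requesting many distinct paths that almost all return 404, including the backup and config extensions named in the Guidelines. The detector below is an added example, not part of the original skill; the combined log format, the thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
# Extensions the Guidelines list as likely to hold sensitive data.
SENSITIVE_EXT = (".bak", ".old", ".env", ".sql", ".zip")

def find_bruteforce_clients(lines, min_requests=30, min_miss_ratio=0.8):
    """Return {client_ip: [reasons]} for wordlist-style probing in one log window."""
    stats = defaultdict(lambda: {"paths": set(), "miss": 0, "total": 0, "sensitive": set(), "ua": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format request line
        ip, path, status, ua = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        s = stats[ip]
        s["total"] += 1
        s["paths"].add(path)
        s["ua"].add(ua.lower())
        s["miss"] += status == 404
        if path.split("?")[0].lower().endswith(SENSITIVE_EXT):
            s["sensitive"].add(path)
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["total"] >= min_requests and s["miss"] / s["total"] >= min_miss_ratio:
            reasons.append(f"{s['miss']}/{s['total']} requests were 404 across {len(s['paths'])} distinct paths")
        if len(s["sensitive"]) >= 3:
            reasons.append(f"probed {len(s['sensitive'])} backup/config-style paths")
        if any(u.startswith("gobuster/") for u in s["ua"]):  # default UA, trivially changed
            reasons.append("default gobuster User-Agent")
        if reasons:
            findings[ip] = reasons
    return findings

def sample_log():
    """Constructed log: one scanning client (203.0.113.7) and one ordinary visitor."""
    words = ["admin", "backup", "config", "db", "old", "test", "api", "login", "dev", "tmp"]
    exts = ["", ".php", ".bak", ".env", ".sql"]
    fmt = '{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {p} HTTP/1.1" {st} 153 "-" "{ua}"'
    lines = [fmt.format(ip="203.0.113.7", p=f"/{w}{e}", st=403 if w + e == "admin" else 404, ua="gobuster/3.6")
             for w in words for e in exts]
    lines += [fmt.format(ip="198.51.100.20", p=p, st=st, ua="Mozilla/5.0")
              for p, st in [("/", 200), ("/about", 200), ("/favicon.ico", 404), ("/contact", 200)]]
    return lines

if __name__ == "__main__":
    for ip, reasons in find_bruteforce_clients(sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

The User-Agent check only catches unmodified runs, so the 404-ratio and sensitive-extension signals are the ones to tune against real traffic, ideally per time window rather than per file.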