Gobuster can be used to brute-force DNS records. The following command is used for DNS brute-forcing:
All Gobuster commands follow the same fundamental structure:
| Flag | Long Form | Description | Example |
|------|-----------|-------------|---------|
| -u | --url | Target URL | -u https://target.com |
| -u | --url | With trailing slash (recommended) | -u https://target.com/ |
You can use multiple FUZZ keywords within the same URL:
What are you scanning? (Internal network, web app, cloud asset) Do you need to bypass a Web Application Firewall (WAF)?
Gobuster sends thousands of HTTP or DNS requests per second. This is clearly visible in server logs and will trigger IDS/WAF alerts on monitored systems.
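
A defender-side check for the log footprint described above, as an added example that is not part of the original page: it flags clients whose access-log entries show a burst of requests, mostly 404s, to almost entirely distinct paths. The Combined Log Format input, the thresholds, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed input: Combined Log Format, in chronological order per client.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_enumeration(lines, window_s=10, min_requests=50,
                     min_404_ratio=0.8, min_distinct_ratio=0.9):
    """Return {ip: peak requests in one window} for clients whose traffic in
    any window_s-second window looks like wordlist enumeration: many requests,
    mostly 404s, nearly all to distinct paths. Thresholds are assumptions."""
    windows = defaultdict(deque)  # ip -> deque of (timestamp, path, status)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], TS_FORMAT).timestamp()
        win = windows[m["ip"]]
        win.append((ts, m["path"], m["status"]))
        while ts - win[0][0] > window_s:  # drop entries older than the window
            win.popleft()
        if len(win) < min_requests:
            continue
        not_found = sum(1 for _, _, status in win if status == "404")
        distinct = len({path for _, path, _ in win})
        if (not_found / len(win) >= min_404_ratio
                and distinct / len(win) >= min_distinct_ratio):
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(win))
    return flagged

def sample_log():
    """Constructed sample: a 40 req/s scanner and an ordinary browser client."""
    lines = []
    for i in range(120):
        status = 200 if i == 17 else 404  # one wordlist entry exists
        lines.append(f'198.51.100.7 - - [01/Jan/2024:12:00:{i // 40:02d} +0000] '
                     f'"GET /word{i} HTTP/1.1" {status} 153 "-" "-"')
    for i in range(20):
        lines.append(f'203.0.113.20 - - [01/Jan/2024:12:00:{i:02d} +0000] '
                     f'"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    print(find_enumeration(sample_log()))
```
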
| Mode | Command |
|------|---------|
| Directory | gobuster dir -u URL -w wordlist.txt |
| Directory (with extensions) | gobuster dir -u URL -w wordlist.txt -x php,txt,html |
| Directory (status whitelist) | gobuster dir -u URL -w wordlist.txt -s 200,301,302 |
| Directory (status blacklist) | gobuster dir -u URL -w wordlist.txt -b 404,403 |
| Directory (recursive) | gobuster dir -u URL -w wordlist.txt -r |
| Directory (cookies) | gobuster dir -u URL -w wordlist.txt --cookies "session=abc" |
| DNS | gobuster dns -d domain.com -w subdomains.txt |
| DNS (show IPs) | gobuster dns -d domain.com -w subdomains.txt -i |
| DNS (custom resolver) | gobuster dns -d domain.com -w subdomains.txt -r 8.8.8.8 |
| VHost | gobuster vhost -u URL -w vhosts.txt |
| S3 | gobuster s3 -u bucketURL -w bucket-names.txt |
| Help | gobuster help or gobuster help <mode> |
If the version from your package manager (apt/brew) is outdated, install the latest version from GitHub directly. Check the official releases page for the newest stable version.
gobuster vhost -u https://example.com --append-domain -w wordlist.txt

☁️ Cloud & Specialized Modes