Gobuster Commands Upd Info

Gobuster is a high-performance, command-line tool written in Go that is essential for penetration testers and bug bounty hunters to discover hidden paths and assets. It is primarily used for brute-forcing URIs (directories and files), DNS subdomains, and virtual hosts.

Core Gobuster Modes

Gobuster operates using specialized modes, each tailored for a specific type of enumeration.

dir (Directory/File Mode): Used to find hidden content on web servers by appending wordlist entries to a target URL.

dns (DNS Mode): Discovers subdomains of a target domain through DNS resolution.

vhost (Virtual Host Mode): Identifies different websites (virtual hosts) hosted on the same IP address.

fuzz (Fuzzing Mode): A versatile mode that replaces a FUZZ keyword in URLs, headers, or request bodies.

s3 / gcs: Enumerates open Amazon S3 or Google Cloud Storage buckets.

Top Gobuster Commands and Flags (2026 Updated)

The basic syntax follows a modular structure: gobuster [mode] [options].

1. Directory and File Discovery (dir)

This is the most common use for uncovering hidden administrative panels, configuration files, or backups.

While "upd" is not a native command within the tool itself, it is frequently used by security professionals as shorthand for updating the tool or their local environment before starting a scan.

Below is a guide on how to update Gobuster and a quick reference for its most essential commands.

How to Update Gobuster

To ensure you have the latest features (like S3 and GCS bucket enumeration) and bug fixes, use one of these methods:

Linux (apt): Run sudo apt update && sudo apt install gobuster to pull the latest version from the Kali or Debian repositories.

Go (Direct): If you prefer the latest build from source, use: go install github.com/OJ/gobuster/v3@latest

macOS (Homebrew): brew upgrade gobuster

Core Commands & Modes

Gobuster operates in specific modes depending on your target. The general syntax is gobuster [mode] [options].

Basic Command Example

Find hidden files & directories: gobuster dir -u http://site.com -w wordlist.txt

Discover subdomains: gobuster dns -d site.com -w subdomains.txt

Discover virtual hosts: gobuster vhost -u http://site.com -w vhosts.txt

Find AWS S3 buckets: gobuster s3 -w bucket-names.txt

Fuzzing in URLs/headers: gobuster fuzz -u http://site.com/FUZZ -w list.txt

Essential Flags

Here’s a full review of gobuster commands focused on updates, improvements, and deprecated changes across recent versions (v3.0 → v3.6+), plus practical command updates you should know.


gobuster dir -u https://example.com -w /usr/share/wordlists/dirb/common.txt

Now, let’s break down every critical parameter.


Many modern applications host multiple sites on a single IP address. "Dir" mode won't find these. You need to test different values of the Host header, which is what vhost mode does. This is often where you find internal admin panels or hidden applications.

Note: Unlike directory scanning, vhost scanning returns many "200 OK" statuses even for non-existent hosts. You must filter by size (--exclude-length excludes responses by content length).

gobuster vhost -u http://target.com -w wordlist.txt --append-domain
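
The size filter from the note above, as an added example (not from the original page or the gobuster project): it reads vhost results, treats the most frequent response size as the server's catch-all page, and lists the hosts that differ. The sample lines are constructed, and the "Found: ... Status: ... [Size: N]" layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example: find the catch-all response size in vhost scan results so it
# can be passed to --exclude-length. The result-line layout below is an
# assumption about gobuster's vhost output; adjust the pattern if your
# version prints results differently.

# Constructed sample output (not from a real scan).
sample_scan() {
  cat <<'EOF'
Found: www.example.com Status: 200 [Size: 10918]
Found: mail.example.com Status: 200 [Size: 10918]
Found: admin.example.com Status: 200 [Size: 4312]
Found: dev.example.com Status: 200 [Size: 10918]
Found: intranet.example.com Status: 302 [Size: 0]
Found: test.example.com Status: 200 [Size: 10918]
EOF
}

# Print "host status size" for every result line on stdin; other lines
# (banner, progress, errors) are dropped.
parse_results() {
  sed -n 's/^Found: \([^ ]*\) Status: \([0-9]*\) \[Size: \([0-9]*\)].*$/\1 \2 \3/p'
}

# Print the most frequent size: the default page served for unknown hosts.
baseline_length() {
  parse_results | awk '{ n[$3]++ }
    END { for (s in n) if (n[s] > best) { best = n[s]; size = s } print size }'
}

# Print only the hosts whose response size differs from the baseline ($1).
non_baseline_hosts() {
  parse_results | awk -v base="$1" '$3 != base { print $1 }'
}

# Demo on the constructed sample.
base=$(sample_scan | baseline_length)
echo "catch-all size: $base (candidate for --exclude-length $base)"
sample_scan | non_baseline_hosts "$base"
```

Hosts that remain after removing the baseline size still need manual confirmation, since a catch-all page with dynamic content can vary in length between requests.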

Gobuster now includes a native fuzzing subcommand, reducing the need for external tools like ffuf:

# -H adds a request header, -B sets the request body, -b excludes status codes
gobuster fuzz -u "https://example.com/api/v1/user/FUZZ" \
  -w ids.txt \
  --method PUT \
  -H "Content-Type: application/json" \
  -B '{"name": "FUZZ"}' \
  -b 500,502,503

This is a major update from older versions that lacked fuzzing capabilities. You can even fuzz multiple positions:

gobuster fuzz -u "https://example.com/FUZZ/action/FUZ2" \
  -w fuzz.txt -w actions.txt