Gobuster — Install, Use, Optimise (2026)

Manish Garg, Associate of (ISC)² · RingSafe
Apr 29, 2026

Multi-threaded directory, DNS, vhost, and S3 bucket brute-forcer in Go — simpler interface than ffuf.

Use case: Web Application
Difficulty: Beginner
Homepage: https://github.com/OJ/gobuster

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Go install

go install github.com/OJ/gobuster/v3@latest

Linux (apt)

sudo apt install gobuster

Source

git clone https://github.com/OJ/gobuster && cd gobuster && go build

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Directory bust

gobuster dir -u https://target.com -w wordlist.txt

DNS subdomain

gobuster dns -d target.com -w subdomains.txt

Virtual host enumeration

gobuster vhost -u https://target.com -w subdomains.txt

S3 bucket discovery

gobuster s3 -w bucket-names.txt

GCS buckets

gobuster gcs -w bucket-names.txt

TFTP enumeration

gobuster tftp -s 10.0.0.5 -w files.txt

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • -t 50 default threads. Bump to 200 on robust targets, drop to 10 on fragile ones.
  • -k (--no-tls-validation) skips certificate verification, for targets with self-signed certificates.
  • -x html,php,bak,old for extension-aware fuzzing; finds backup files that are commonly missed.
  • -b 404,403 to filter out status codes (the default filters just 404).
  • In DNS mode, -r 1.1.1.1 uses the Cloudflare resolver, which is faster than the default system resolver.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • The default User-Agent is “gobuster/X.X”, which many WAFs block. Set -a "Mozilla/5.0...".
  • In dir mode, -r follows redirects, which accidentally returns hits via redirect chains. Disable for cleaner results.
  • No built-in recursion. ffuf or feroxbuster are better for recursive directory enumeration.
  • No rate-limit option. For production, run from a host with traffic-shaping.
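
Seen from the receiving end, the first pitfall is also the simplest detection signal, and a scan with a changed User-Agent still shows up as one client requesting many distinct paths that mostly return 404/403. The sketch below is an added example, not part of the original article or the gobuster project; the log lines are constructed, and the thresholds (min_paths, miss_ratio) and the "gobuster/3.6" version string are assumptions.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
GOBUSTER_UA = re.compile(r'^gobuster/\d', re.I)

def classify(lines, min_paths=20, miss_ratio=0.8):
    """Return {client_ip: reason}; min_paths and miss_ratio are assumed thresholds to tune per site."""
    stats = defaultdict(lambda: {"total": 0, "miss": 0, "paths": set(), "ua_hit": False})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at their fields
        ip, path, status, ua = m.groups()
        s = stats[ip]
        s["total"] += 1
        s["paths"].add(path.split("?", 1)[0])  # count distinct paths, ignoring query strings
        if status in ("404", "403"):
            s["miss"] += 1
        if GOBUSTER_UA.match(ua):
            s["ua_hit"] = True
    flagged = {}
    for ip, s in stats.items():
        if s["ua_hit"]:
            flagged[ip] = "default gobuster User-Agent"
        elif (len(s["paths"]) >= min_paths
              and s["miss"] / s["total"] >= miss_ratio):
            flagged[ip] = "many distinct paths, mostly 404/403"
    return flagged

def sample_log():
    """Constructed sample: a default-UA scan, a scan with a browser UA, and a normal visitor."""
    fmt = '{ip} - - [29/Apr/2026:10:00:00 +0000] "GET {path} HTTP/1.1" {st} 153 "-" "{ua}"'
    browser = "Mozilla/5.0 (X11; Linux x86_64)"
    lines = [fmt.format(ip="198.51.100.7", path=f"/w{i}", st=404, ua="gobuster/3.6") for i in range(5)]
    lines += [fmt.format(ip="203.0.113.9", path=f"/dir{i}.bak", st=200 if i == 3 else 404, ua=browser)
              for i in range(30)]
    lines += [fmt.format(ip="192.0.2.10", path=p, st=200, ua=browser) for p in ("/", "/about", "/login")]
    lines.append("garbage line that does not parse")
    return lines

if __name__ == "__main__":
    for ip, reason in classify(sample_log()).items():
        print(ip, reason)
```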

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • ffuf — faster, more features.
  • feroxbuster — Rust, recursive by default.
  • dirsearch — Python, larger built-in wordlists.

India context and engagement notes

Gobuster’s simplicity wins when you just need quick directory busting. ffuf’s ergonomics are better for advanced workflows. Both have their place; pick whichever fits your script style.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
