How to Install GoBuster with Basic Usage on Ubuntu


This tutorial will guide you through steps to install Gobuster on Ubuntu, configuring it, and basic to advanced usage tips, including working with wordlists and uninstalling if needed.

Gobuster is a command-line utility written in Go, making it highly efficient and fast for brute-forcing URIs (directories and files) as well as DNS subdomains. It's particularly useful in penetration testing and vulnerability assessments where discovering hidden directories or DNS records can reveal potential security flaws.

 

Steps to Install Gobuster on Ubuntu

Before installing Gobuster, ensure that you have:

 

Step 1: Update Your System

Always start by updating your system's package list to ensure you have the latest versions of software and dependencies. This command must be executed by either root user or with normal user having sudo privilege:

sudo apt update

 

Step 2: Installing Go (Optional)

If you're installing the latest version of Gobuster, you'll need Go installed on your system. You can skip this step if you're installing Gobuster from Ubuntu's package repository, which might not be the latest version or if you already have a go version installed. You can also choose to remove the existing version and install the latest version .

Download the latest Go version from the official site using wget or curl or any alternate tool:

wget https://go.dev/dl/go1.22.0.linux-amd64.tar.gz

Extract the Go archive:

sudo tar -xvf go1.22.0.linux-amd64.tar.gz -C /usr/local

Set Go paths .bashrc vs .bash_profile [Which one to use?]:

echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.profile
source ~/.profile

Verify the installation by checking the Go version:

go version
How to Install GoBuster with Basic Usage on Ubuntu

 

Step 3: Installing Gobuster

Method 1: Installing from Ubuntu's Repository

For a quick and straightforward installation, you can install Gobuster from Ubuntu's package repository:

sudo apt install gobuster -y

This method installs an older version but is sufficient for basic use.

 

Method 2: Installing the Latest Version with Go

To install the latest version of Gobuster, use the Go tool:

go install github.com/OJ/gobuster/v3@latest
How to Install GoBuster with Basic Usage on Ubuntu

This command downloads and installs the latest version of Gobuster directly from its GitHub repository.

After installation, you might need to add the Go bin directory to your PATH if you haven't already:

echo 'export PATH=$PATH:~/go/bin' >> ~/.profile
source ~/.profile

 

Step 4: Verifying the Installation

To ensure Gobuster is installed correctly, you can check its version:

gobuster version

Now if you had installed gobuster using Ubuntu repository then it may have installed older version of gobuster, in my case it was 2.0.1-1build2 which did not had any option to check the installed version so I was getting blow error:

$ gobuster version
2024/03/02 10:28:47 [!] 2 errors occurred:
	* WordList (-w): Must be specified (use `-w -` for stdin)
	* Url/Domain (-u): Must be specified

But when installed with the latest available version of gobuster, we get proper output:

How to Install GoBuster with Basic Usage on Ubuntu

 

Basic Usage of GoBuster

To effectively test the usage of Gobuster, you'll need an environment where you have permission to perform scans. This setup can involve using your own web server, a virtual machine, or a legally permissible penetration testing lab environment.

 

1. Directory Enumeration (dir mode)

To search for hidden directories and files in a web server:

gobuster dir -u http://yourwebserver.com -w /path/to/wordlist.txt
  • -u specifies the target URL.
  • -w points to the path of your wordlist.

For Example:

gobuster dir -u http://localhost -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

 

2. DNS Subdomain Enumeration (dns mode)

To find subdomains of a domain:

gobuster dns -d yourdomain.com -w /path/to/wordlist.txt
  • -d is used to specify the domain.
  • -w points to your DNS wordlist file.

Remember, for DNS enumeration, the wordlist should contain potential subdomain names rather than paths.

For Example:

gobuster dns -d example.com -w /usr/share/wordlists/dirb/common.txt -t 50

 

3. Virtual Host Enumeration (vhost mode)

To enumerate virtual hosts (VHOSTs) on a server:

gobuster vhost -u http://yourwebserver.com -w /path/to/wordlist.txt
  • -u specifies the target URL or IP.
  • -w points to the path of your wordlist, which should contain potential virtual host names.

For Example:

gobuster vhost -u http://192.168.1.1 -w /usr/share/wordlists/dirb/common.txt

 

Steps to Test using GoBuster

Preparing the Environment

  1. Local Web Server: Set up a local web server using software like Apache, Nginx, or any simple HTTP server on Linux. Ensure it has multiple directories and files that can be targeted for enumeration.
  2. Virtual Machine (VM): Tools like VirtualBox or VMware can run VMs with vulnerable web applications such as DVWA (Damn Vulnerable Web Application) or OWASP Juice Shop for a safe, legal environment to test Gobuster.
  3. Penetration Testing Lab: Platforms like Hack The Box or TryHackMe offer controlled environments designed for penetration testing practice. These labs often contain targets specifically designed to be scanned and exploited for educational purposes.

 

Set up Apache2 web server

For our example we will setup a apache2 web server running on port 8080:

Install Apache:

sudo apt install apache2 -y

Navigate to the Apache root directory:

cd /var/www/html

Create sample directories and files:

sudo mkdir dir1 dir2
echo "Sample File for dir1" | sudo tee dir1/sample1.html
echo "Sample File for dir2" | sudo tee dir2/sample2.html

These commands create two directories (dir1 and dir2) and place a sample HTML file in each.

Since we want our apache2 to run on port 8080 so we will update the required configuration:

sudo nano /etc/apache2/ports.conf

Update Listen 8080, save and close the file.

Apache serves files from the directory defined in its virtual host files. You can either modify an existing virtual host file or create a new one to listen on the new port.

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/8080-mytestsite.conf

Then, edit the new virtual host file:

Change the <VirtualHost *:80> line to <VirtualHost *:8080> at the beginning of the file. Configure the DocumentRoot and any other necessary directives according to your needs. Since we are using /var/www/html so no other change required.

If you created a new virtual host file, enable it with the a2ensite command:

sudo a2ensite 8080-mytestsite.conf

Apply the changes by restarting Apache:

sudo systemctl restart apache2

 

Create wordlist

Wordlists are an essential component in the toolkit of cybersecurity professionals, especially when conducting penetration testing or security assessments. These lists are used with tools like Gobuster to automate the process of discovering hidden or sensitive directories, files, DNS records, and other web assets.

Recommendations for Wordlists

  1. SecLists: This is one of the most popular collections of wordlists for various types of security assessments, including directory and file brute-forcing. SecLists is comprehensive and includes lists for directories, filenames, passwords, usernames, and more. It's an invaluable resource for penetration testers.
  2. DirBuster Lists: Originally made for the DirBuster tool, these lists are also widely applicable for similar purposes with Gobuster. They include a variety of file names and paths commonly found on web servers.
  3. Daniel Miessler's Wordlists (part of SecLists): Compiled by a well-known security professional, these wordlists are curated to be both comprehensive and efficient, ensuring a broad coverage without unnecessary bloat.

Since you know you have dir1 and dir2, you can test to see if Gobuster finds them. For demonstration purposes, let's use a simple wordlist you create:

echo -e "dir1\ndir2" > ~/wordlist.txt

This command creates a wordlist with dir1 and dir2, the directories we want to find.

 

Testing with Gobuster

After setting up your apache2 web server, you can run Gobuster against it by specifying the new port in the URL:

gobuster dir -u http://localhost:8080 -w ~/wordlist.txt
How to Install GoBuster with Basic Usage on Ubuntu

Here's a breakdown of what Gobuster did:

  1. Targeted URL: Gobuster targeted the web server running on http://localhost:8080. This is the base URL from which it started its enumeration process.
  2. Wordlist: It used the wordlist provided at /home/deepak/wordlist.txt, which contains a list of directory names to check for existence on the web server.
  3. Scanning Process: For each entry in the wordlist, Gobuster made HTTP GET requests to the web server to see if those directories exist. For example, it would construct URLs like http://localhost:8080/dir1 and http://localhost:8080/dir2, and then attempt to access them.
  4. Status Codes: Gobuster reports the HTTP status codes for each request. A status code of 301 indicates that the directory exists but has been permanently moved to a new URL, which in this case, is the same URL with a trailing slash (/). This is a common behavior in web servers designed to standardize directory URLs.
  5. Results: The successful discovery of /dir1 and /dir2 with status codes of 301 means that these directories do indeed exist on the server. The size [Size: 312] refers to the size of the HTTP response, which in cases of a 301 redirect, usually includes the 'Location' header pointing to the correct URL of the directory.

 

Uninstalling Gobuster

If you need to uninstall Gobuster, you can use the following command:

sudo apt remove gobuster -y

And if you installed it using Go:

go clean -i github.com/OJ/gobuster/v3@latest

 

Conclusion

Gobuster is a versatile tool for web penetration testers, offering fast and efficient enumeration of web directories and DNS subdomains. By following this guide, you should now have Gobuster installed on your Ubuntu system and understand the basics of using it for security assessments. Remember to use Gobuster ethically and only scan targets you have permission to test.

This guide provides a comprehensive overview of installing Gobuster on Ubuntu, including preparation steps, installation methods, and basic usage instructions. With Gobuster, penetration testers and security enthusiasts can enhance their testing capabilities, uncovering hidden directories and files that could expose vulnerabilities within a target system.

 

Views: 185

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can reach out to him on his LinkedIn profile or join on Facebook page.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

Leave a Comment

GoLinuxCloud Logo


We try to offer easy-to-follow guides and tips on various topics such as Linux, Cloud Computing, Programming Languages, Ethical Hacking and much more.

Programming Languages

JavaScript

Python

Golang

Node.js

Java

Laravel