This tutorial will guide you through steps to install Gobuster on Ubuntu, configuring it, and basic to advanced usage tips, including working with wordlists and uninstalling if needed.
Gobuster is a command-line utility written in Go, making it highly efficient and fast for brute-forcing URIs (directories and files) as well as DNS subdomains. It's particularly useful in penetration testing and vulnerability assessments where discovering hidden directories or DNS records can reveal potential security flaws.
Steps to Install Gobuster on Ubuntu
Before installing Gobuster, ensure that you have:
- A version of Ubuntu OS.
- Terminal access with sudo privileges.
- An internet connection to download the necessary packages.
Step 1: Update Your System
Always start by updating your system's package list to ensure you have the latest versions of software and dependencies. This command must be executed by either root user or with normal user having sudo privilege:
sudo apt update
Step 2: Installing Go (Optional)
If you're installing the latest version of Gobuster, you'll need Go installed on your system. You can skip this step if you're installing Gobuster from Ubuntu's package repository, which might not be the latest version or if you already have a go version installed. You can also choose to remove the existing version and install the latest version.
Download the latest Go version from the official site using wget or curl or any alternate tool:
wget https://go.dev/dl/go1.22.0.linux-amd64.tar.gz
sudo tar -xvf go1.22.0.linux-amd64.tar.gz -C /usr/local
Set Go paths .bashrc vs .bash_profile [Which one to use?]:
echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.profile source ~/.profile
Verify the installation by checking the Go version:
go version
Step 3: Installing Gobuster
Method 1: Installing from Ubuntu's Repository
For a quick and straightforward installation, you can install Gobuster from Ubuntu's package repository:
sudo apt install gobuster -y
This method installs an older version but is sufficient for basic use.
Method 2: Installing the Latest Version with Go
To install the latest version of Gobuster, use the Go tool:
go install github.com/OJ/gobuster/v3@latest
This command downloads and installs the latest version of Gobuster directly from its GitHub repository.
After installation, you might need to add the Go bin directory to your PATH if you haven't already:
echo 'export PATH=$PATH:~/go/bin' >> ~/.profile source ~/.profile
Step 4: Verifying the Installation
To ensure Gobuster is installed correctly, you can check its version:
gobuster version
Now if you had installed gobuster using Ubuntu repository then it may have installed older version of gobuster, in my case it was 2.0.1-1build2 which did not had any option to check the installed version so I was getting blow error:
$ gobuster version 2024/03/02 10:28:47 [!] 2 errors occurred: * WordList (-w): Must be specified (use `-w -` for stdin) * Url/Domain (-u): Must be specified
But when installed with the latest available version of gobuster, we get proper output:
Basic Usage of GoBuster
To effectively test the usage of Gobuster, you'll need an environment where you have permission to perform scans. This setup can involve using your own web server, a virtual machine, or a legally permissible penetration testing lab environment.
1. Directory Enumeration (dir mode)
To search for hidden directories and files in a web server:
gobuster dir -u http://yourwebserver.com -w /path/to/wordlist.txt
-uspecifies the target URL.-wpoints to the path of your wordlist.
For Example:
gobuster dir -u http://localhost -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
2. DNS Subdomain Enumeration (dns mode)
To find subdomains of a domain:
gobuster dns -d yourdomain.com -w /path/to/wordlist.txt
-dis used to specify the domain.-wpoints to your DNS wordlist file.
Remember, for DNS enumeration, the wordlist should contain potential subdomain names rather than paths.
For Example:
gobuster dns -d example.com -w /usr/share/wordlists/dirb/common.txt -t 50
3. Virtual Host Enumeration (vhost mode)
To enumerate virtual hosts (VHOSTs) on a server:
gobuster vhost -u http://yourwebserver.com -w /path/to/wordlist.txt
-uspecifies the target URL or IP.-wpoints to the path of your wordlist, which should contain potential virtual host names.
For Example:
gobuster vhost -u http://192.168.1.1 -w /usr/share/wordlists/dirb/common.txt
Steps to Test using GoBuster
Preparing the Environment
- Local Web Server: Set up a local web server using software like Apache, Nginx, or any simple HTTP server on Linux. Ensure it has multiple directories and files that can be targeted for enumeration.
- Virtual Machine (VM): Tools like VirtualBox or VMware can run VMs with vulnerable web applications such as DVWA (Damn Vulnerable Web Application) or OWASP Juice Shop for a safe, legal environment to test Gobuster.
- Penetration Testing Lab: Platforms like Hack The Box or TryHackMe offer controlled environments designed for penetration testing practice. These labs often contain targets specifically designed to be scanned and exploited for educational purposes.
Set up Apache2 web server
For our example we will setup a apache2 web server running on port 8080:
Install Apache:
sudo apt install apache2 -y
Navigate to the Apache root directory:
cd /var/www/html
Create sample directories and files:
sudo mkdir dir1 dir2 echo "Sample File for dir1" | sudo tee dir1/sample1.html echo "Sample File for dir2" | sudo tee dir2/sample2.html
These commands create two directories (dir1 and dir2) and place a sample HTML file in each.
Since we want our apache2 to run on port 8080 so we will update the required configuration:
sudo nano /etc/apache2/ports.conf
Update Listen 8080, save and close the file.
Apache serves files from the directory defined in its virtual host files. You can either modify an existing virtual host file or create a new one to listen on the new port.
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/8080-mytestsite.conf
Then, edit the new virtual host file:
Change the <VirtualHost *:80> line to <VirtualHost *:8080> at the beginning of the file. Configure the DocumentRoot and any other necessary directives according to your needs. Since we are using /var/www/html so no other change required.
If you created a new virtual host file, enable it with the a2ensite command:
sudo a2ensite 8080-mytestsite.conf
Apply the changes by restarting Apache:
sudo systemctl restart apache2
Create wordlist
Wordlists are an essential component in the toolkit of cybersecurity professionals, especially when conducting penetration testing or security assessments. These lists are used with tools like Gobuster to automate the process of discovering hidden or sensitive directories, files, DNS records, and other web assets.
Recommendations for Wordlists
- SecLists: This is one of the most popular collections of wordlists for various types of security assessments, including directory and file brute-forcing. SecLists is comprehensive and includes lists for directories, filenames, passwords, usernames, and more. It's an invaluable resource for penetration testers.
- DirBuster Lists: Originally made for the DirBuster tool, these lists are also widely applicable for similar purposes with Gobuster. They include a variety of file names and paths commonly found on web servers.
- Daniel Miessler's Wordlists (part of SecLists): Compiled by a well-known security professional, these wordlists are curated to be both comprehensive and efficient, ensuring a broad coverage without unnecessary bloat.
Since you know you have dir1 and dir2, you can test to see if Gobuster finds them. For demonstration purposes, let's use a simple wordlist you create:
echo -e "dir1\ndir2" > ~/wordlist.txt
This command creates a wordlist with dir1 and dir2, the directories we want to find.
Testing with Gobuster
After setting up your apache2 web server, you can run Gobuster against it by specifying the new port in the URL:
gobuster dir -u http://localhost:8080 -w ~/wordlist.txt
Here's a breakdown of what Gobuster did:
- Targeted URL: Gobuster targeted the web server running on
http://localhost:8080. This is the base URL from which it started its enumeration process. - Wordlist: It used the wordlist provided at
/home/deepak/wordlist.txt, which contains a list of directory names to check for existence on the web server. - Scanning Process: For each entry in the wordlist, Gobuster made HTTP GET requests to the web server to see if those directories exist. For example, it would construct URLs like
http://localhost:8080/dir1andhttp://localhost:8080/dir2, and then attempt to access them. - Status Codes: Gobuster reports the HTTP status codes for each request. A status code of
301indicates that the directory exists but has been permanently moved to a new URL, which in this case, is the same URL with a trailing slash (/). This is a common behavior in web servers designed to standardize directory URLs. - Results: The successful discovery of
/dir1and/dir2with status codes of301means that these directories do indeed exist on the server. The size[Size: 312]refers to the size of the HTTP response, which in cases of a301redirect, usually includes the 'Location' header pointing to the correct URL of the directory.
Uninstalling Gobuster
If you need to uninstall Gobuster, you can use the following command:
sudo apt remove gobuster -y
And if you installed it using Go:
go clean -i github.com/OJ/gobuster/v3@latest
Conclusion
Gobuster is a versatile tool for web penetration testers, offering fast and efficient enumeration of web directories and DNS subdomains. By following this guide, you should now have Gobuster installed on your Ubuntu system and understand the basics of using it for security assessments. Remember to use Gobuster ethically and only scan targets you have permission to test.
This guide provides a comprehensive overview of installing Gobuster on Ubuntu, including preparation steps, installation methods, and basic usage instructions. With Gobuster, penetration testers and security enthusiasts can enhance their testing capabilities, uncovering hidden directories and files that could expose vulnerabilities within a target system.
