
AI Block Lab - Cyber Security


Using Gobuster to Find Hidden Directories

Gobuster is a powerful tool commonly used in penetration testing and security assessments to discover hidden directories and files on web servers. It performs brute-force attacks using a wordlist to identify resources that are not publicly linked.

Command Overview

gobuster -u http://fakebank.thm -w wordlist.txt dir

This command tells Gobuster to scan the target website for hidden directories using the supplied wordlist. Gobuster's own documentation puts the mode first (gobuster dir -u http://fakebank.thm -w wordlist.txt); Gobuster v3 accepts either order, because the flags belong to the dir mode and are parsed against it once the mode has been found.

Breaking Down the Command

  • -u http://fakebank.thm — Specifies the target URL. Every candidate path is appended to this base, so include the scheme and, if the application lives under a sub-path, that path as well.
  • -w wordlist.txt — Path to the wordlist, one candidate directory or file name per line.
  • dir — Selects directory and file brute-forcing. Gobuster has other modes for other enumeration tasks, such as dns (subdomains) and vhost (virtual hosts).

How It Works

Gobuster takes each entry from the wordlist and appends it to the base URL. For example:

  • http://fakebank.thm/admin
  • http://fakebank.thm/login
  • http://fakebank.thm/uploads

It then sends an HTTP request to each URL and inspects the status code of the response. Gobuster does not only report 200 OK: by default it reports every response except 404 Not Found (older versions instead used a fixed list of interesting codes such as 200, 204, 301, 302, 307, 401 and 403), so redirects and forbidden paths show up in the output too. Because the whole method relies on 404 meaning "not here", a site that answers every path with 200 (a custom "not found" page) would turn every word into a hit; Gobuster therefore requests a random path before it starts and stops with an error if that path does not return 404, unless it is explicitly told to continue or to exclude that response.

Example Output

/admin           (Status: 200)
/login           (Status: 301)
/backup          (Status: 403)

Each line shows a candidate path and the status code it returned. 200 means the resource is directly readable; 301 is a redirect, commonly the server sending /login to /login/ because a directory exists there; 403 means the path exists but the server refuses to serve it, which still confirms that the directory is present and is often worth a closer look.
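The loop described under How It Works, as an added example that is not part of the original post or of the Gobuster project: a minimal Python re-implementation that runs against a constructed local HTTP server standing in for http://fakebank.thm. The routes, the wordlist, the port and all function names are assumptions made for illustration. It reproduces the example output above, does not follow redirects (so 301 is reported rather than resolved, as Gobuster does unless -r is given), and adds the check a practitioner wants before trusting any result: a random path is probed first, so a site that answers 200 to everything is flagged as a wildcard instead of being reported as hundreds of hits.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Constructed sample wordlist (stands in for the page's wordlist.txt).
WORDLIST = ["admin", "login", "uploads", "backup", "images", "does-not-exist"]

# Constructed target: paths and the status each returns, chosen to match the
# example output on the page. Every other path answers 404.
FAKEBANK_ROUTES = {"/admin": 200, "/login": 301, "/backup": 403}


def make_handler(routes, default=404):
    """Build a request handler for the constructed target server."""

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            status = routes.get(self.path.rstrip("/"), default)
            self.send_response(status)
            if status in (301, 302):
                self.send_header("Location", self.path + "/")
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # silence per-request logging
            pass

    return Handler


def start_server(routes, default=404):
    """Start the constructed target on a random loopback port; returns (server, base_url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), make_handler(routes, default))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx codes instead of following them (Gobuster's behaviour without -r)."""

    def redirect_request(self, *args, **kwargs):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(url, timeout=5):
    """Request url and return the HTTP status code (3xx/4xx/5xx included)."""
    try:
        with _OPENER.open(urllib.request.Request(url), timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def wildcard_check(base_url):
    """Status of a path that cannot be in any wordlist. Anything but 404 means the
    server answers every path and brute-force results would be noise."""
    return probe(f"{base_url.rstrip('/')}/{secrets.token_hex(16)}")


def brute_force(base_url, words, ignore=(404,), threads=10):
    """Append every word to base_url, request it, and keep the responses whose
    status is not in `ignore` (Gobuster v3 ignores 404 by default)."""
    baseline = wildcard_check(base_url)
    if baseline not in ignore:
        raise RuntimeError(f"wildcard response: random path returned {baseline}")
    base_url = base_url.rstrip("/")
    with ThreadPoolExecutor(max_workers=threads) as pool:  # like Gobuster's -t
        statuses = list(pool.map(lambda w: probe(f"{base_url}/{w}"), words))
    return {f"/{w}": s for w, s in zip(words, statuses) if s not in ignore}


if __name__ == "__main__":
    server, base = start_server(FAKEBANK_ROUTES)
    for path, status in brute_force(base, WORDLIST).items():
        print(f"{path:<16} (Status: {status})")
    server.shutdown()
```

Run as a script it prints the three lines from the example output above. Swapping the target for start_server({}, default=200) makes brute_force raise on the wildcard check rather than report every word, which is the behaviour to look for when a real scan suddenly reports everything.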

Why It Matters

Hidden directories may contain sensitive information such as admin panels, backups, configuration files, or internal tools. Discovering these can help identify security weaknesses in a web application.

Best Practices

  • Use large and well-maintained wordlists for better results; the SecLists project is the usual source, and the -x option (for example -x php,txt,bak) makes Gobuster also try each word with those file extensions, which is how backup and configuration files are found.
  • Respect legal boundaries — only scan systems you have permission to test. A wordlist scan sends thousands of requests and is easy to spot in server logs; use -t to lower the number of concurrent threads if the target cannot take the default load.
  • Combine Gobuster with other tools for comprehensive security analysis.

The wordlist used in this example can be downloaded here: https://github.com/matteo741/Gobuster/blob/main/wordlist.txt

Conclusion

Gobuster is a fast and efficient tool for discovering hidden directories on web servers. By leveraging wordlists and brute-force techniques, security professionals can uncover valuable insights and improve system security.
