gobuster
Directory/File, DNS and VHost busting tool written in Go
Gobuster is a command-line security tool that rapidly tests thousands of guessed paths, subdomains, or cloud bucket names against a target to find hidden content during authorized penetration testing.
Gobuster is a command-line tool used by security professionals to find hidden content on websites and servers. The core idea is brute-forcing: you give it a list of words (called a wordlist), point it at a target, and it tries each word rapidly to see what exists. It does this across several categories of targets, which the tool calls modes.
In directory mode, Gobuster sends requests to a web server appending each word in the wordlist as a potential path, like /admin, /backup, or /login. If the server responds with a valid page rather than a "not found" error, Gobuster flags that path as discovered. This helps security testers map out parts of a website that are not publicly linked. DNS mode works similarly but against subdomains: it tries thousands of potential subdomain names against a domain and records which ones actually resolve to a server. Virtual host mode checks whether a web server is hosting multiple sites under different names at the same address.
The tool also includes modes for cloud storage: it can check whether Amazon S3 or Google Cloud Storage buckets with guessed names are publicly accessible, which is a common misconfiguration in real systems. There is a general fuzzing mode as well, where you can insert guessed values into any part of a URL, header, or form data.
Gobuster is written in Go and runs its checks concurrently, which makes it fast by design; you control how many parallel threads it uses. It is available as a direct install via the Go toolchain, as pre-built binaries, or as a Docker image.
The README is clear that this tool is intended for authorized security testing only. Every section of the documentation includes a reminder to get permission before pointing the tool at any target you do not own. It is a standard tool in penetration testing work, not for unauthorized use.
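Directory mode as described above produces a burst of requests for many distinct paths from one source, most of them answered with 404. The following is an added defender-side example, not code from the gobuster project: it parses constructed Apache/nginx combined-format access log lines and flags sources whose short-window request pattern matches wordlist-driven path guessing. Thresholds, IPs and the "scanner-ua" user agent are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic in combined log format (not a real capture).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 153 "-" "scanner-ua"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /backup HTTP/1.1" 404 153 "-" "scanner-ua"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 2048 "-" "scanner-ua"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /old HTTP/1.1" 404 153 "-" "scanner-ua"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /test HTTP/1.1" 404 153 "-" "scanner-ua"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /dev HTTP/1.1" 404 153 "-" "scanner-ua"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /missing.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, path, status (remaining fields are ignored)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, datetime, method, path, status) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), method, path, int(status)

def find_path_bursts(log_text, window=timedelta(seconds=10), min_requests=5, min_404_ratio=0.6):
    """Map ip -> (requests, distinct paths, 404 count) for sources that request at least
    `min_requests` distinct paths inside `window`, mostly answered with 404 (assumed thresholds)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        start = 0
        for end in range(len(recs)):          # sliding time window over this source's requests
            while recs[end][1] - recs[start][1] > window:
                start += 1
            chunk = recs[start:end + 1]
            if len(chunk) < min_requests:
                continue
            paths = {r[3] for r in chunk}
            not_found = sum(1 for r in chunk if r[4] == 404)
            if len(paths) >= min_requests and not_found / len(chunk) >= min_404_ratio:
                hits[ip] = (len(chunk), len(paths), not_found)   # keep the widest matching window
    return hits
```

A normal visitor who hits one broken link (198.51.100.7 above) stays below the thresholds, while the guessing source is reported with its request, distinct-path and 404 counts.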
Where it fits
- Map hidden directories and admin pages on a web server during an authorized penetration test
- Enumerate subdomains of a target domain to discover forgotten or exposed services
- Check whether publicly accessible Amazon S3 or Google Cloud Storage buckets exist under guessed names as part of a cloud security audit