Gobuster Commands Upd Page

When scanning internal lab environments or machines with self-signed SSL certificates, use the -k flag to skip validation checks and prevent the scan from failing.

gobuster fuzz -u http://target.com/FUZZ -w wordlist.txt

The Ultimate Gobuster Commands Guide: Up To Date for 2026

Gobuster is a staple in the toolkit of any penetration tester, security researcher, or bug bounty hunter. Written in Go, this command-line utility excels at brute-forcing directories, files, DNS subdomains, Virtual Host (VHost) mappings, and cloud storage buckets.

Web servers return different HTTP status codes that indicate what you've found:

The -s flag filters results to only show the specified status codes.

Internal networks or specific configurations might require querying a dedicated DNS resolver rather than your local system's default settings.

gobuster dns -d internal.local -w wordlist.txt -r 1.1.1.1

3. Virtual Host Enumeration (vhost mode)

By default, Gobuster considers a wide range of status codes as valid hits. You can fine-tune this using -s (status codes to include) or -b (status codes to blacklist).

gobuster version

gobuster -h

New (v3.x+):

Allows fuzzing any part of the request (URL, headers, body) using the FUZZ keyword.

Hide the real-time progress bar (useful when saving clean logs).

-o, --output: Redirect the standard output results to a specific file.

1. Directory and File Brute-Forcing (dir mode)

gobuster dir -u http://10.10.10 -w /usr/share/wordlists/dirb/common.txt -b 403,404

4. Bypassing TLS/SSL Verification

gobuster vhost -u http://10.10.10.100 -w vhosts.txt --domain target.com --append-domain --exclude-length 250-300

Or view the full help menu:

gobuster s3 -w bucket-names.txt

Updated for Gobuster version 3.8.2 (March 2026)

gobuster vhost -u http://10.10.10 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --exclude-length 3124

☁️ Amazon S3 Bucket Enumeration (s3)

| Flag | Description |
|------|-------------|
| --delay | Time each thread waits between requests (e.g., 1500ms) |
| --no-color | Disable color output |
| --no-error | Don't display errors |
| -z, --no-progress | Don't display progress |
| -o, --output | Output file to write results |
| -p, --pattern | File containing replacement patterns |
| -q, --quiet | Don't print the banner |
| -t, --threads | Number of concurrent threads (default: 10) |
| --timeout | HTTP timeout (default: 10s) |
| -v, --verbose | Verbose output (errors) |
| -w, --wordlist | Path to the wordlist |

On macOS with Homebrew: