DEV Community

Mr Elite

Posted on • Originally published at securityelites.com

Kali Linux Day 3: Gobuster Tutorial — Find Hidden Directories, Files & Subdomains (Complete Beginner Guide 2026)

Originally published on SecurityElites — the canonical, fully-updated version of this article.

Day 3 of 180 in the Kali Linux Mastery Course (free, all 180 days). View Full Course →

← Day 2: Netcat · Day 4: Hydra →

Authorised targets only. Gobuster sends a large volume of HTTP requests — this is clearly visible in server logs and will trigger IDS/WAF alerts on monitored systems. Only run Gobuster against your own DVWA lab, TryHackMe, HackTheBox, or authorised bug bounty targets with explicit scope permission. Running directory brute-force against any system without written authorisation is illegal.

Need a lab? → Ethical Hacking Lab Setup at Home · DVWA Labs Hub

Every web server has two kinds of pages: the ones linked from the homepage, and the ones that are not. The unlinked ones are where interesting things live — admin panels left over from development, backup files a developer forgot to delete, API endpoints the documentation never mentioned, configuration files accidentally made web-accessible, version control folders that expose the entire codebase. None of these appear in a sitemap. None of them show up in Google. The only way to find them is to ask the server about them directly, one path at a time. Gobuster asks thousands of times per second.

Day 3 of the Kali Linux Course teaches you Gobuster completely — every mode, every important flag, the right wordlists for every situation, and hands-on practice against DVWA. By the end you will have found your first hidden directory, understand how to hunt for file extensions and subdomains, and know exactly when to use Gobuster versus ffuf.

What You’ll Master in Day 3

What Is Gobuster & How It Works
Installation & Verification
Wordlists — Which to Use When
dir Mode — Directory Discovery
File Extension Discovery (-x)
Status Code Filtering & False Positives
dns Mode — Subdomain Enumeration
vhost Mode — Virtual Host Discovery
Gobuster vs ffuf — When to Use Each
Real Pentest Workflow
Command Reference Card

What Is Gobuster and How Does It Work?

Gobuster is a brute-forcing tool written in Go, built specifically for enumerating hidden content on web servers and in DNS. It works by taking a wordlist and sending one HTTP request (or DNS query) per word — appending each word to the target URL and recording which paths return a response that is not a 404. Unlike a web crawler, which follows links, Gobuster discovers content that is intentionally not linked.

At a glance:

3 primary modes (dir, dns, vhost)
Written in Go: fast and concurrent
10+ default threads (configurable)
Free and pre-installed on Kali Linux

Gobuster’s speed advantage over older tools like DirBuster or dirb comes from Go’s native concurrency — it fires multiple HTTP requests simultaneously, making a 220,000-word scan that took 45 minutes in DirBuster complete in under 5 minutes. This matters in time-limited engagements.

Where Day 3 fits: You used Nmap on Day 1 to find which ports are open — specifically ports 80 and 443. Day 3 follows that discovery: once you know a web server is running, Gobuster maps what is on it. Nmap finds the door; Gobuster finds everything behind it.
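What that "one request per word" behaviour looks like from the server side, as an added example that is not part of the original article: a small Python detector that parses Apache/nginx combined-format access logs and flags any client whose 404 responses inside a sliding 60-second window reach a threshold, which is the pattern a monitored server's IDS/WAF alerts on. The log lines, IP addresses and the gobuster/3.6 User-Agent string are constructed sample data, not captured from a real server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; a brute-force shows up as a burst of 404s from one client.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Constructed sample log: one ordinary visitor and one client probing unlinked paths.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:10:00:05 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.9 - - [10/Mar/2026:10:00:05 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.9 - - [10/Mar/2026:10:00:05 +0000] "GET /.git HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.9 - - [10/Mar/2026:10:00:06 +0000] "GET /config HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.9 - - [10/Mar/2026:10:00:06 +0000] "GET /uploads HTTP/1.1" 301 0 "-" "gobuster/3.6"
198.51.100.9 - - [10/Mar/2026:10:00:06 +0000] "GET /phpinfo HTTP/1.1" 404 196 "-" "gobuster/3.6"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_bruteforcers(log_text, window_s=60, threshold=5):
    """Flag clients whose 404 count inside any sliding window_s-second window reaches threshold.
    The 404 rate is the robust signal: a User-Agent string is trivially changed."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0  # left edge of the window; advance it until the window spans <= window_s
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"404s": len(recs), "ua": recs[end]["ua"],
                               "distinct_paths": len({r["path"] for r in recs})}
                break
    return flagged
```

On a real server the threshold and window are tuned to the site's normal 404 rate; the same logic works on a log file fed in through `open(path).read()`.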

Installation & Verification

Verify Gobuster is installed (Kali Linux — pre-installed):

gobuster --version

gobuster v3.6.0

If not installed: sudo apt install gobuster -y

Install SecLists (best wordlist collection — do this once):

sudo apt install seclists -y    # Installs to /usr/share/seclists/ — hundreds of categorised wordlists

View Gobuster modes:

gobuster --help

Available Commands:
  dir     Uses directory/file enumeration mode
  dns     Uses DNS subdomain enumeration mode
  fuzz    Uses fuzzing mode
  vhost   Uses virtual host brute-forcing mode

Wordlists — Which to Use and When

The wordlist determines what Gobuster looks for. A small wordlist means faster scans but more missed content. A large wordlist finds more but takes longer. The right choice depends on the phase of the engagement and what you already know about the target’s technology stack.

Gobuster Wordlist Selection Guide — Kali Linux Course Day 3

| Wordlist | Words | Speed | Best for |
|---|---|---|---|
| dirb/common.txt | 4,614 | ~5 sec | Quick first pass — always run this first |
| dirb/big.txt | 20,469 | ~30 sec | Wider coverage without massive time cost |
| SecLists directory-list-2.3-medium.txt | 220K | 3–8 min | Thorough engagement scan — most comprehensive |
| SecLists DNS/subdomains-top1million-5000.txt | 5,000 | Fast | Subdomain enumeration (dns mode) |
| SecLists CMS/wordpress.txt | Varies | Fast | CMS-specific — WordPress, Drupal, Joomla |

STRATEGY: Run common.txt first (5 seconds). If interesting, escalate to medium.txt. For a specific CMS use the dedicated list. Always install SecLists: sudo apt install seclists

Gobuster Wordlist Selection Guide — Five wordlists ranked by size and time. Start with common.txt (4,614 words, ~5 seconds) for every engagement — fast and covers the most impactful paths. Escalate to the SecLists medium list (220K words) for thorough scans. Use CMS-specific wordlists when you know the technology stack. DNS subdomain lists go in dns mode, not dir mode.

Key wordlist paths on Kali Linux:


Read the complete guide on SecurityElites

This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites →


This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
