Deep Dive into Hidden Web

How to perform Pentest Recon using Gobuster.

Anmol
InfoSec Write-ups


The first step in attacking a web application is to perform recon on your target. Recon stands for reconnaissance of the target web application. Recon refers to the process in which hackers and penetration testers dig deep into an application to gather information and discover additional content that is not normally exposed to the user.

An important step is to discover hidden content like obscure subdomains, secret directories, and virtual hosts. Today, let’s talk about a recon tool that helps us accomplish these goals: GoBuster.

GoBuster is a brute-forcing tool for discovering subdomains, hidden directories and files (URIs), and virtual hostnames on target web applications.

Installing GoBuster

Let’s start by installing GoBuster! You can find GoBuster’s project here.

You most likely will not need to build the project from source. On most Linux distributions, you can install GoBuster via the apt-get command.

apt-get install gobuster

Otherwise, if you have a Go language environment ready, then you can use:

go install github.com/OJ/gobuster/v3@latest

Using GoBuster

Now that you have the program installed, let’s jump right into performing recon using GoBuster! GoBuster has three available modes: “dns”, “dir”, and “vhost”. They are used to brute-force subdomains, hidden directories and files, and virtual hosts respectively.

DNS Mode

The DNS mode is used for DNS subdomain brute-forcing. You can use it to find subdomains for a given domain. In this mode, you can use the flag “-d” to specify the domain you want to brute-force and “-w” to specify the wordlist you want to use.

gobuster dns -d <target domain> -w <wordlist>

You can use your own custom wordlists for this, but a good option is to use a wordlist published online. For example, the SecLists GitHub repository has a pretty extensive wordlist for subdomain brute-forcing: danielmiessler/SecLists.

Dir mode

The Dir mode is used to find additional content on a specific domain or subdomain. This includes hidden directories and files.

In this mode, you can use the flag “-u” to specify the target domain you want to brute-force and “-w” to specify the wordlist you want to use.

gobuster dir -u <target.com> -w <wordlist>

You can find a list of web content wordlists to use here: SecLists.

Vhost mode

Lastly, you can use the Vhost mode to find the virtual hosts of a target server.

Virtual hosting is when an organization hosts multiple domain names on a single server or cluster of servers. This allows one server to share its resources among multiple hostnames. Finding virtual hostnames on a server can reveal additional web content belonging to an organization.

gobuster vhost -u <target url> -w <wordlist>

For brute-forcing virtual hosts, you can use the same wordlist as for brute-forcing subdomains via the DNS mode.

Advanced Options

GoBuster also has flags that refine a scan. For example, in dir mode, you can brute-force files with a specific file extension using the “-x” flag.

gobuster dir -u <target-url> -w <wordlist> -x .php

For dir and vhost modes, you can use -k to skip SSL certificate verification and suppress SSL errors.

gobuster dir -u <target-url> -w <wordlist> -k

And for both dir and vhost modes, you can even use the “-c” flag to specify the cookies that should accompany your requests.

gobuster dir -u <target-url> -w <wordlist> -c 'session=123456'
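Raw GoBuster output quickly becomes noisy on a large wordlist, so the useful follow-up to the three modes above is to save the results and filter them. The script below is an added example, not code from the original post or from the gobuster project. It assumes gobuster v3 is on PATH when run_gobuster is called, and that its output follows the v3 conventions reproduced in the constructed samples (dir mode prints `/path (Status: NNN) [Size: N]`, dns and vhost modes print `Found: host`). The hostname target.example and every path in the samples are placeholders, not findings from a real scan.

```shell
#!/bin/sh
# Added example (not from the original post and not part of the gobuster project).
# Assumptions: gobuster v3 is on PATH when run_gobuster is used, and its output
# follows the v3 conventions shown in the constructed samples below. The host
# target.example and every path in the samples are placeholders, not real findings.

# Run one mode, saving the raw results with -o so they can be filtered later
# without re-scanning. dns takes -d, dir and vhost take -u (as described above);
# anything after the fourth argument is passed through (e.g. -x php, -k, -c ...).
run_gobuster() {
    mode=$1; target=$2; wordlist=$3; outfile=$4; shift 4
    command -v gobuster >/dev/null 2>&1 || { echo "gobuster not found in PATH" >&2; return 1; }
    case "$mode" in
        dns)       gobuster dns -d "$target" -w "$wordlist" -q -o "$outfile" "$@" ;;
        dir|vhost) gobuster "$mode" -u "$target" -w "$wordlist" -q -o "$outfile" "$@" ;;
        *)         echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Filter dir-mode output on stdin: print only the paths whose HTTP status code is
# in the space-separated list given as $1, e.g. "200 403". Redirects (301/302)
# and 403 Forbidden hits are often worth keeping; 404 noise is not.
gobuster_dir_hits() {
    awk -v want="$1" '
        BEGIN { n = split(want, codes, " "); for (i = 1; i <= n; i++) keep[codes[i]] = 1 }
        /^\// && match($0, /\(Status: [0-9]+\)/) {
            code = substr($0, RSTART + 9, RLENGTH - 10)   # the digits after "(Status: "
            if (code in keep) print $1
        }'
}

# Extract hostnames from dns or vhost output on stdin ("Found: host ..." lines).
gobuster_found_hosts() {
    awk '/^Found: / { print $2 }'
}

# Constructed sample output in gobuster v3 style (not captured from a real scan).
SAMPLE_DIR_OUTPUT='/images               (Status: 301) [Size: 313] [--> http://target.example/images/]
/index.php            (Status: 200) [Size: 10701]
/admin                (Status: 403) [Size: 277]
/backup.zip           (Status: 200) [Size: 520123]
/nope                 (Status: 404) [Size: 0]'

SAMPLE_DNS_OUTPUT='Found: www.target.example
Found: dev.target.example'

# Demo: the usual triage of saved results. With real scans you would replace the
# printf with: gobuster_dir_hits '200 403' < dir.txt
echo "== dir hits with status 200 or 403 =="
printf '%s\n' "$SAMPLE_DIR_OUTPUT" | gobuster_dir_hits '200 403'
echo "== discovered hosts =="
printf '%s\n' "$SAMPLE_DNS_OUTPUT" | gobuster_found_hosts
```

In practice you would call `run_gobuster dir https://target.example /path/to/wordlist.txt dir.txt -x php -k` once, then re-filter dir.txt with different status lists as you triage, rather than hitting the target again for every question.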

END!!

Happy Hacking

Good recon skills are one of the keys to being successful as a hacker or a penetration tester. And GoBuster is a simple and powerful tool to add to your recon toolkit!

Until then;

WAKE | EAT | HACK | REPEAT🔥


