Directory & API Brute Force with Gobuster
recontool
Summary
Brute force web directories and API endpoints with Gobuster; use -k for HTTPS and a pattern file to fuzz versioned API paths.
Walkthrough
Gobuster discovers hidden directories, files, and API routes by brute forcing paths against a target web server.
Steps
- Run a standard directory scan with
dir -u <url> -w <wordlist>; add-kto skip certificate validation on HTTPS targets. - Swap in alternate wordlists (e.g.
raft-medium-directories.txt) when the first pass is thin. - For API enumeration, create a
patternfile containing templates like{GOBUSTER}/v1and{GOBUSTER}/v2, then pass it with-p patternso each word is expanded into versioned routes. - Follow up discovered API roots with deeper scans (e.g.
/users/v1/admin/) using a smaller wordlist.
Commands
bash
gobuster dir -u http://<IP>/ -w /home/kali/Desktop/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -k
bash
gobuster dir -u http://<IP>/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt
bash
gobuster dir -u http://<IP>:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern
bash
gobuster dir -u http://<IP>:5002/users/v1/admin/ -w /usr/share/wordlists/dirb/small.txt