← Back to search

Directory & API Brute Force with Gobuster

recontool

Summary

Brute force web directories and API endpoints with Gobuster; use -k for HTTPS and a pattern file to fuzz versioned API paths.

Walkthrough

Gobuster discovers hidden directories, files, and API routes by brute forcing paths against a target web server.

Steps

  1. Run a standard directory scan with dir -u <url> -w <wordlist>; add -k to skip certificate validation on HTTPS targets.
  2. Swap in alternate wordlists (e.g. raft-medium-directories.txt) when the first pass is thin.
  3. For API enumeration, create a pattern file containing templates like {GOBUSTER}/v1 and {GOBUSTER}/v2, then pass it with -p pattern so each word is expanded into versioned routes.
  4. Follow up discovered API roots with deeper scans (e.g. /users/v1/admin/) using a smaller wordlist.

Commands

bash

gobuster dir -u http://<IP>/ -w /home/kali/Desktop/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -k

bash

gobuster dir -u http://<IP>/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt

bash

gobuster dir -u http://<IP>:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern

bash

gobuster dir -u http://<IP>:5002/users/v1/admin/ -w /usr/share/wordlists/dirb/small.txt