Penetration tests are one of the services offered by AWARE7 GmbH. We search for security holes in web applications or other systems and document them professionally. In our weekly blog series we present some tools that we use in most penetration tests. This week’s pentest tool #2 is gobuster.
Pentest tool #2 – gobuster
As last week, when we explained the tool dirbuster in detail, this week’s Pentest Tool #2 will also be used in penetration tests of web applications. One of the first steps in any penetration test is to find out as much information as possible about the target.
If this step is seen from the attacker’s perspective, it is often called reconnaissance. This includes the collection of open ports, system applications, version numbers and e.g. contact persons with corresponding email addresses. In this phase there is no unnecessary data, but everything that can be found somewhere in the system is collected first.
A lot of hidden information can be found in subpages or forgotten files on a web server. Similar to dirbuster gobuster tries to find exactly such subpages. The process of finding such subpages is almost identical. With the help of a list of words gobuster tries out common names that are typically used for subpages or files and automatically saves the results. The biggest difference between the two open source pentest tools is that gobuster is programmed in the newer programming language Go.
gobuster in practice
The following video shows our pentest tool #2 gobuster in practice. gobuster is pre-installed in the Kali Linux version, so that it can be executed quickly via the terminal. There is no user interface, which means that all parameters must be inserted in the command.
To get an overview of the possibilities that gobuster provides the command: “gobuster -h” is sufficient. After that the help text appears in the terminal, where all commands are explained with their syntax.
In our example we use a word list that is also included in Kali Linux. A small collection of word lists can be found in the folder /usr/share/wordlists. From this folder we use the “small” list contained in the dirbuster folder. Since dirbuster has the same goal as gobuster, we can easily use a word list that was created for dirbuster.
We add the list with the command “-w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt”. To let the program know which website we want to examine, we have to specify our destination with the command “-u”, in this case the website of the Westfälische Hochschule. As “mode” we choose directory/file bruteforcing.
The tool already finds the first subpages very quickly. Some of these subpages are not linked on the main page, which means that they can only be found by trial and error.
Pentest tool comparison: gobuster vs. dirbuster
Now the question arises which tool to use to find subpages from different web servers. Basically both tools can be used, but it is advisable to adapt the tool to the respective situation. dirbuster has the advantage that we can make all settings through one user interface without getting confusing. If we want to change many settings on gobuster, the command will be very long and sometimes confusing.
Another advantage of dirbuster compared to gobuster is that a recursive search is possible. This means that dirbuster can detect very deep nesting of subpages with only one command. gobuster can only collect one subpage of “deep” results per command.
Besides these two disadvantages gobuster has another big advantage over dirbuster, namely speed. Because of the programming language used in gobuster the search is much faster and especially for large websites it makes sense to use the time advantage of gobuster.