// the find
OJ/gobuster
Directory/File, DNS and VHost busting tool written in Go
Gobuster is a command-line brute-forcing tool for discovering hidden web directories, DNS subdomains, virtual hosts, and cloud storage buckets. It's written in Go, ships as a single binary, and is a standard fixture in pentesting toolkits. The target audience is security professionals doing authorized recon.
The mode-based architecture (dir/dns/vhost/fuzz/s3/gcs/tftp as separate subcommands) keeps each scanner's options clean and independently testable, and the per-mode package layout in the source reflects this well. Scanning is multi-threaded with configurable concurrency via goroutines, which is where Go earns its keep here; it is genuinely fast. Fuzz mode with a FUZZ keyword placeholder is flexible enough to cover header fuzzing, query params, and POST bodies without bolting on a separate tool. Active maintenance is evident: 3.8 shipped last month, dependency updates are automated via Dependabot, and the CI pipeline covers linting, Docker, and release builds.
There is no built-in rate limiting beyond a blunt thread count: you either hammer the target or manually fiddle with --delay and -t, which is clumsy for anything that requires adaptive throttling. The tool has no state: if a long scan dies halfway through, you start over (the --wordlist-offset flag is a workaround, not a solution). DNS wildcard handling exists but is noted as fragile; wildcard-heavy targets produce noisy output that requires manual filtering. There's no output format beyond plain text and a file dump (no JSON, no structured output for piping into downstream tooling), which is a gap when integrating gobuster into a larger automation pipeline.