Advanced web directory and subdomain brute-forcing techniques for comprehensive reconnaissance.

Web application security testing begins with thorough enumeration. GoBuster combined with the SecLists wordlist collection provides a powerful toolkit for discovering hidden attack surfaces.

Comprehensive Directory Brute-Forcing:

# Basic directory discovery
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt

# Advanced with extensions and a status-code blacklist (-b; 404 is blacklisted by default)
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,js,txt -b 404,500

# With specific headers for authenticated scanning (token123 is a placeholder)
gobuster dir -u https://target.com -w wordlist.txt -H "Authorization: Bearer token123"

Subdomain Enumeration Strategies:

# Subdomain discovery (resolves each wordlist entry as a DNS name)
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# VHost enumeration (brute-forces the Host header against one target URL);
# gobuster 3.2+ needs --append-domain so that "www" is sent as "www.target.com"
gobuster vhost -u https://target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

SecLists Wordlist Selection Guide:

  • Quick Scans: directory-list-2.3-small.txt (87KB)
  • Comprehensive: directory-list-2.3-medium.txt (2.2MB)
  • API Endpoints: Discovery/Web-Content/api/ wordlists
  • Backup Files: Discovery/Web-Content/Backup/ wordlists
  • Parameter Discovery: Discovery/Web-Content/burp-parameter-names.txt

Advanced Techniques:

# Scanning a discovered directory: gobuster does not recurse on its own, so re-run it
# against each hit (-r only follows redirects, e.g. /admin -> /admin/)
gobuster dir -u https://target.com/admin/ -w wordlist.txt -r

# Rate limiting to avoid detection: fewer threads plus a per-request delay
# (-t 50 means 50 parallel threads, and -d is --discover-backup, not a delay)
gobuster dir -u https://target.com -w wordlist.txt -t 10 --delay 500ms

# Output results for further analysis
gobuster dir -u https://target.com -w wordlist.txt -o results.txt
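Once results are written with -o, the follow-up is triage: which status codes came back, and which paths need a closer look and a remediation note. The Python script below is an added example, not code from the article or from the gobuster project. It parses a constructed sample of gobuster dir output (the "path (Status: N) [Size: N] [--> redirect]" line shape is assumed from gobuster 3.x, not given on the page), counts hits per status code and flags paths matching a small set of constructed triage rules.

```python
import re
from collections import Counter

# Constructed sample of what gobuster dir writes with -o. The line format is an
# assumption based on gobuster 3.x output; the paths and sizes are made up.
SAMPLE_RESULTS = """\
/index.html           (Status: 200) [Size: 1532]
/admin                (Status: 301) [Size: 178] [--> https://target.com/admin/]
/backup               (Status: 403) [Size: 277]
/config.php           (Status: 200) [Size: 0]
/robots.txt           (Status: 200) [Size: 64]
/old.zip              (Status: 200) [Size: 48213]
"""

LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\(Status: (?P<status>\d{3})\)\s+\[Size: (?P<size>\d+)\]"
    r"(?:\s+\[--> (?P<redirect>[^\]]+)\])?"
)

# Triage rules (constructed): pattern -> why the path deserves follow-up in the report.
TRIAGE_RULES = [
    (re.compile(r"backup|\.(bak|old|zip|tar|gz|sql)$", re.I), "possible backup or archive exposure"),
    (re.compile(r"admin|manager|console", re.I), "administrative interface"),
    (re.compile(r"config|\.env$|\.git(/|$)", re.I), "configuration or source artefact"),
]


def parse_results(text):
    """Turn gobuster result lines into dicts; banner/progress lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "path": m["path"],
            "status": int(m["status"]),
            "size": int(m["size"]),
            "redirect": m["redirect"],  # None when gobuster printed no [--> ...]
        })
    return rows


def summarize(rows):
    """Hits per status code: 403s show where access control exists, 200s what is readable."""
    return dict(Counter(r["status"] for r in rows))


def flag_interesting(rows):
    """Map each path matching a triage rule to the list of reasons it matched."""
    flagged = {}
    for r in rows:
        reasons = [why for pattern, why in TRIAGE_RULES if pattern.search(r["path"])]
        if reasons:
            flagged[r["path"]] = reasons
    return flagged


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    print("status summary:", summarize(rows))
    for path, reasons in flag_interesting(rows).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run it against a real results.txt by replacing SAMPLE_RESULTS with the file contents; a 403 on a flagged path still belongs in the report, since it confirms the resource exists behind access control.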

Real-World Discovery Chain:

During a bug bounty engagement, we found:

  1. Discovered /backup directory via GoBuster
  2. Found database backup files with plaintext credentials
  3. Used credentials to access admin panel
  4. Discovered SQL injection in admin search functionality

Defense Evasion Tips:

  • Use random User-Agent strings
  • Implement delays between requests
  • Rotate source IP addresses if possible
  • Use residential proxies for stealth scanning
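Seen from the web server, the activity described in this article has a recognisable shape: a burst of requests from one source, most of them answered with 404, often carrying a tool User-Agent. The following Python script is an added example, not part of the original article: it parses Apache/Nginx combined-format access log lines (a constructed sample with documentation-range IPs; the "gobuster/3.6" User-Agent mimics the tool's default) and flags sources whose request burst is dominated by 404s or whose User-Agent names a scanner. The window, request-count and 404-ratio thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample in Apache/Nginx "combined" format. 203.0.113.7 is an
# ordinary visitor; 198.51.100.9 runs a wordlist scan (one 200 for /robots.txt, then 404s).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:02 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "gobuster/3.6"
198.51.100.9 - - [10/Oct/2023:13:55:02 +0000] "GET /admin HTTP/1.1" 404 277 "-" "gobuster/3.6"
198.51.100.9 - - [10/Oct/2023:13:55:02 +0000] "GET /backup HTTP/1.1" 404 277 "-" "gobuster/3.6"
198.51.100.9 - - [10/Oct/2023:13:55:03 +0000] "GET /config.php HTTP/1.1" 404 277 "-" "gobuster/3.6"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /about.html HTTP/1.1" 200 2210 "https://target.com/index.html" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:03 +0000] "GET /cgi-bin HTTP/1.1" 404 277 "-" "gobuster/3.6"
198.51.100.9 - - [10/Oct/2023:13:55:04 +0000] "GET /test HTTP/1.1" 404 277 "-" "gobuster/3.6"
198.51.100.9 - - [10/Oct/2023:13:55:04 +0000] "GET /old HTTP/1.1" 404 277 "-" "gobuster/3.6"
198.51.100.9 - - [10/Oct/2023:13:55:05 +0000] "GET /uploads HTTP/1.1" 404 277 "-" "gobuster/3.6"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "GET /contact.html HTTP/1.1" 200 1890 "https://target.com/about.html" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent substrings that name a scanning tool (constructed list; extend as needed).
SCANNER_UA_MARKERS = ("gobuster",)


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"],
        })
    return entries


def detect_bruteforce(entries, window=timedelta(seconds=10), min_requests=6, min_404_ratio=0.7):
    """Flag a source IP when, within any sliding window, it makes at least min_requests
    requests of which at least min_404_ratio are 404s, or when its User-Agent names a tool."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda e: e["ts"])
        reasons = set()
        if any(marker in e["ua"].lower() for e in reqs for marker in SCANNER_UA_MARKERS):
            reasons.add("tool user-agent")
        start = 0
        for end in range(len(reqs)):
            # Advance the window start until all requests in [start, end] fit in the window.
            while reqs[end]["ts"] - reqs[start]["ts"] > window:
                start += 1
            n = end - start + 1
            if n >= min_requests:
                not_found = sum(1 for e in reqs[start:end + 1] if e["status"] == 404)
                if not_found / n >= min_404_ratio:
                    reasons.add(f"{not_found}/{n} 404s within {int(window.total_seconds())}s")
                    break
        if reasons:
            alerts.append({"ip": ip, "requests": len(reqs), "reasons": sorted(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(f"{alert['ip']}: {alert['requests']} requests; {'; '.join(alert['reasons'])}")
```

The 404-ratio rule is the one that survives the evasion tips above: a custom User-Agent, a delay between requests or a rotated source address changes the marker or spreads the burst, but a wordlist scan still produces far more 404s per source than a browsing user, so the window and ratio are the knobs to tune against the site's normal traffic.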

Key Takeaways:

  • Implement proper authorization and authentication
  • Regular security assessments and penetration testing
  • Stay updated with latest security threats and patches
  • Follow ethical hacking principles and responsible disclosure

Pro Tip:

Always conduct security testing in authorized environments only and follow responsible disclosure practices.