Test with GoBuster! (A powerful bruteforcing tool written in golang)

For directory scanning, dirbuster has long been the dominant tool, but since this year gobuster seems to be used more and more. Naturally, scanning tools are now going to be dominated by golang (the power of goroutines and channels).

Today I am going to write about gobuster, which is written in golang.



Install gobuster

Install it with go get, and set up an alias (or add ~/go/bin to your PATH) while you are at it. Note that on Go 1.17 and later, go get no longer installs binaries; use `go install github.com/OJ/gobuster/v3@latest` instead.

$ go get github.com/OJ/gobuster
# check gobuster path and copy
$ ls ~/go/bin/gobuster
/Users/hahwul/go/bin/gobuster

# edit your terminal rc (zsh, bash, etc..)
$ vim ~/.zshrc

alias gobuster='/Users/hahwul/go/bin/gobuster'

# reload rc file
$ source ~/.zshrc

Run gobuster

$ gobuster
Usage:
gobuster [command]

Available Commands:
dir Uses directory/file brutceforcing mode
dns Uses DNS subdomain bruteforcing mode
help Help about any command
vhost Uses VHOST bruteforcing mode

Flags:
--delay duration Time each thread waits between requests (e.g. 1500ms)
-h, --help help for gobuster
-z, --noprogress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist

Use "gobuster [command] --help" for more information about a command.


gobuster scanning modes

gobuster supports three modes, dir, dns and vhost, and each one bruteforces its respective target:

dir   Uses directory/file bruteforcing mode
dns   Uses DNS subdomain bruteforcing mode
vhost Uses VHOST bruteforcing mode

dir requires a url (-u) and a wordlist (-w).

dns requires a domain (-d) and a wordlist (-w).

vhost requires a url (-u) and a wordlist (-w). The difference from dns is that vhost does not resolve names; it sends each candidate in the Host header to the given url, which finds name-based virtual hosts that have no public DNS record.

Finding directories and files using gobuster

$ gobuster dir -u https://www.hahwul.com -w Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://www.hahwul.com
[+] Threads: 10
[+] Wordlist: Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/12/26 01:59:03 Starting gobuster
===============================================================
/1000 (Status: 200)
/1001 (Status: 200)
/1990 (Status: 200)
/1994 (Status: 200)
/1992 (Status: 200)
.......
snip...

Finding subdomains using gobuster

$ gobuster dns -d hahwul.com -w ./Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Domain: hahwul.com
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: ./Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
2019/12/26 01:56:35 Starting gobuster
===============================================================
Found: localhost.hahwul.com
Found: www.hahwul.com
Found: test.hahwul.com
Found: phoenix.hahwul.com
Found: WWW.hahwul.com
===============================================================
2019/12/26 01:57:08 Finished
===============================================================

Using gobuster in a pipeline

With -z (no progress output), -q (no banner or other noise) and -o (write results to a file), gobuster fits comfortably into a pipeline.

$ gobuster dns -d hahwul.com -w ./Discovery/DNS/subdomains-top1million-5000.txt -z -q -o out.txt

$ cat out.txt
Found: www.hahwul.com
Found: localhost.hahwul.com
Found: test.hahwul.com
Found: phoenix.hahwul.com
Found: WWW.hahwul.com
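The out.txt above also shows why a little post-processing belongs between gobuster and the next tool: www.hahwul.com and WWW.hahwul.com are the same host (DNS names are case-insensitive; the wordlist simply contained both spellings), and a dir scan like the one earlier in the post can repeat paths and report status codes you do not want to follow up on. The shell functions below are an added example, not code from the original post or from gobuster; they take the -z -q -o output shapes shown in the dns and dir sections (embedded here as constructed sample data standing in for out.txt) and emit clean, deduplicated lines for the next stage. The base URL and the status-code filter are hypothetical parameters.

```shell
#!/bin/sh
# Added example: post-process gobuster "-z -q -o" output before it reaches
# the next tool in a pipeline. Not part of the original post or of gobuster.
export LC_ALL=C   # deterministic sort/tr/grep behaviour regardless of locale

# Constructed sample in the shape of the post's out.txt (dns mode). The
# last line differs from the first only in case, as happens when the
# wordlist contains both "www" and "WWW".
sample_dns_output() {
    cat <<'EOF'
Found: www.hahwul.com
Found: localhost.hahwul.com
Found: test.hahwul.com
Found: phoenix.hahwul.com
Found: WWW.hahwul.com
EOF
}

# Constructed sample in the shape of dir-mode output, with a repeated path
# and a 403 that is usually not worth a follow-up request.
sample_dir_output() {
    cat <<'EOF'
/1000 (Status: 200)
/admin (Status: 403)
/1001 (Status: 200)
/backup (Status: 301)
/admin (Status: 403)
EOF
}

# dns mode -> one lowercase hostname per line, deduplicated.
# DNS names are case-insensitive, so WWW.hahwul.com and www.hahwul.com are
# one host and must not be handed to the next tool twice.
dns_hosts() {
    sed -n 's/^Found: //p' | tr 'A-Z' 'a-z' | sort -u
}

# dir mode -> "path status" pairs, keeping only the status codes in $1
# (an extended-regex alternation; the default 200|301|302 is a hypothetical
# choice that drops the 403s gobuster reports by default).
dir_paths() {
    keep="${1:-200|301|302}"
    sed -n 's/^\(\/[^ ]*\) (Status: \([0-9]*\))$/\1 \2/p' \
        | grep -E " (${keep})\$" | sort -u
}

# dir mode -> full URLs for the next stage. $1 is the base URL used for the
# scan (hypothetical), $2 an optional status-code filter passed to dir_paths.
dir_urls() {
    base="${1%/}"
    dir_paths "$2" | awk -v base="$base" '{ print base $1 }'
}

# Demo: the constructed samples stand in for out.txt.
sample_dns_output | dns_hosts
sample_dir_output | dir_urls https://www.hahwul.com
```

In real use, replace the sample functions with the actual output, for example `cat out.txt | dns_hosts > hosts.txt`, or run gobuster with -q -z and pipe its stdout straight into dns_hosts, then hand hosts.txt to the takeover checker or the next scanner.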

I previously wrote a post about checking for subdomain takeover using Amass and Subjack; reading it alongside this one should give you plenty of ideas for testing.

Wordlist?

I used SecLists!
https://github.com/danielmiessler/SecLists