Save Scan Results to a File in Gobuster


Introduction

In this lab, you will learn how to use Gobuster, a popular directory and file brute-forcing tool, and save its scan results to a file. Saving scan results is a fundamental practice in security testing: it gives you a record for analysis, reporting, and later comparison. We will walk through constructing a gobuster command, specifying an output file, executing the scan, and confirming that the saved results are complete. This skill is essential for anyone doing web application security testing or penetration testing, because findings that are only displayed in a terminal are easily lost.

Construct a Standard gobuster dir Command

In this step, you will construct a basic gobuster dir command. The gobuster dir command is used for directory and file brute-forcing. We will specify the target URL and a common wordlist.

First, ensure you are in the ~/project directory.

cd ~/project

Now, let's construct the basic gobuster dir command. We will use http://127.0.0.1:8080 as our target URL and /usr/share/wordlists/dirb/common.txt as the wordlist.

gobuster dir -u http://127.0.0.1:8080 -w /usr/share/wordlists/dirb/common.txt

This command will start scanning the target for directories and files listed in the wordlist and display the results directly in the terminal.

Expected output (partial):

===============================================================
Gobuster v3.5
by OJ <oj@gobuster.io>
===============================================================
[+] Url:                     http://127.0.0.1:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Add Slash:               false
[+] Allow Timeouts:          false
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2024/01/01 12:00:00 Starting gobuster in directory enumeration mode
===============================================================
/admin.html           (Status: 200)
/secret.txt           (Status: 200)
/testdir              (Status: 200)
...

Add the -o Flag to Specify an Output File

In this step, you will modify the gobuster command to include the -o flag, which allows you to specify an output file for the scan results. This is crucial for saving your findings for later analysis.

We will save the output to a file named gobuster_results.txt in your ~/project directory.

Modify the previous command by adding -o gobuster_results.txt:

gobuster dir -u http://127.0.0.1:8080 -w /usr/share/wordlists/dirb/common.txt -o gobuster_results.txt

This command will execute the scan and write every hit to the specified file. Gobuster still prints the banner and the hits to the terminal as well; the -o flag adds a file copy of the results rather than replacing the console output.

Execute the Scan

In this step, you will execute the gobuster command with the -o flag. This will start the directory enumeration process and save the results to gobuster_results.txt.

Run the command you constructed in the previous step:

gobuster dir -u http://127.0.0.1:8080 -w /usr/share/wordlists/dirb/common.txt -o gobuster_results.txt

The scan will run, and the banner and discovered entries will appear in the terminal while the same entries are written to the file. Wait for the scan to complete; this might take a few moments depending on the wordlist size. If you interrupt the scan early, the file will only contain the hits found up to that point.

Expected output (partial; the hits follow the banner as they are found):

===============================================================
Gobuster v3.5
by OJ <oj@gobuster.io>
===============================================================
[+] Url:                     http://127.0.0.1:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Add Slash:               false
[+] Allow Timeouts:          false
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2024/01/01 12:00:00 Starting gobuster in directory enumeration mode
===============================================================

Verify the Output File has been Created

In this step, you will verify that the gobuster_results.txt file has been successfully created in your ~/project directory after the scan completed.

Use the ls command to list the contents of your current directory and check for the presence of gobuster_results.txt.

ls -l

You should see gobuster_results.txt listed among the files.

Expected output (partial):

total 8
-rw-r--r-- 1 labex labex 1234 Jan  1 12:00 gobuster_results.txt

View the Contents of the Saved Results File

In this final step, you will view the contents of the gobuster_results.txt file to confirm that the scan results were correctly saved.

Use the cat command to display the content of the file:

cat gobuster_results.txt

You should see the discovered directories and files along with their HTTP status codes. The file contains only the result lines; the banner and the startup summary printed in the terminal are not written to it.

Expected output (partial):

/admin.html           (Status: 200)
/secret.txt           (Status: 200)
/testdir              (Status: 200)

This confirms that your gobuster scan results have been successfully saved to a file, which is a crucial step for documentation and further analysis in real-world scenarios.
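The following script, an added example that is not part of the lab, pulls the whole procedure together: it wraps the scan with -o, checks that the results file exists and is not empty, and then summarises the saved hits by status code. Because gobuster is not available everywhere, the summary functions are exercised here against a constructed sample file in the format shown above (one "/path (Status: NNN)" line per hit); the target URL and wordlist in run_scan are the lab's own, and the results file path is an assumption. The grep patterns also tolerate a trailing "[Size: N]" field, which newer gobuster versions append to each line.

```shell
#!/bin/sh
# Added example: run gobuster with -o, then verify and summarise the saved
# results. The sample results below are constructed, not real scan output.

RESULTS_FILE="${TMPDIR:-/tmp}/gobuster_results_example.txt"  # assumed path

# Real scan: target and wordlist from the lab; hits are written to $2.
# -q suppresses the banner so the terminal only shows hits.
run_scan() {
    gobuster dir -u "$1" -w /usr/share/wordlists/dirb/common.txt -o "$2" -q
}

# Constructed sample in the format gobuster writes with -o (one hit per line).
write_sample_results() {
    cat > "$1" <<'EOF'
/admin.html           (Status: 200)
/secret.txt           (Status: 200)
/testdir              (Status: 301)
/backup               (Status: 403)
EOF
}

# A missing or 0-byte results file usually means the scan never started,
# the target was unreachable, or the run was interrupted before any hit.
verify_results_file() {
    [ -s "$1" ]
}

# Number of hits with the given status code (0 rather than a grep error
# when nothing matches).
count_status() {
    grep -c "(Status: $2)" "$1" || true
}

# Just the paths that returned the given status code, one per line.
paths_with_status() {
    grep "(Status: $2)" "$1" | awk '{print $1}'
}

# Demo against the constructed sample; replace write_sample_results with
# run_scan "http://127.0.0.1:8080" "$RESULTS_FILE" on a lab machine.
write_sample_results "$RESULTS_FILE"
if verify_results_file "$RESULTS_FILE"; then
    echo "200 hits: $(count_status "$RESULTS_FILE" 200)"
    echo "Redirects:"
    paths_with_status "$RESULTS_FILE" 301
else
    echo "results file missing or empty: $RESULTS_FILE" >&2
fi
```

Keeping the hits in a file is what makes this kind of post-processing possible: the same file can later be diffed against a rescan to spot newly exposed paths.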

Summary

In this lab, you have successfully learned how to save gobuster scan results to a file. You started by constructing a standard gobuster dir command, then enhanced it by adding the -o flag to specify an output file. After executing the scan, you verified the creation of the output file and viewed its contents, confirming that the results were correctly saved. This skill is fundamental for effective documentation and analysis in web security assessments and penetration testing.