-t 50: Sets the number of concurrent execution threads (default is 10). Increase for speed; decrease to prevent overloading targets.
Below is an overview of the different modes.
gobuster vhost -u http://192.168.1.100 -w vhosts.txt

| Flag | Description | Default |
|------|-------------|---------|
| -t, --threads int | Number of concurrent threads | 10 |
| -w, --wordlist string | Path to the wordlist | Required |
| -o, --output string | File to write results to | stdout |
| -q, --quiet | Suppress banner output | false |
| -v, --verbose | Verbose output (show errors) | false |
| --delay duration | Delay between requests (e.g., 1500ms) | 0 |
| -z, --no-progress | Don't display progress | false |
| --no-color | Disable colored output | false |

If you need to stay under security alarm thresholds, introduce an artificial delay between requests using the --delay flag (e.g., --delay 500ms).

Useful Wordlist Locations (Kali Linux)
First, always check your version:
Gobuster is an indispensable tool in any penetration tester's or security researcher's arsenal. Its speed, flexibility, and multiple scanning modes make it ideal for web reconnaissance, asset discovery, and vulnerability assessment.
Anything above the threshold is considered a wildcard and suppressed from output unless --show-wildcard is used.
gobuster dns -d targetdomain.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -i

3. Custom DNS Server Routing
If you installed Gobuster from source:

| Flag | Description | Example (New in v3.6+) |
|------|-------------|------------------------|
| --exclude-length | Hide responses of exact length | --exclude-length 0,1256 |
| --exclude-size | Same as above | --exclude-size 0 |
| --exclude-status | Hide specific status codes | --exclude-status 404 |
| --include-length | Show only specific lengths | --include-length 1024 |
| --regex | Use regex on response body (fuzz mode) | --regex "admin\|login" |
| --timeout | HTTP timeout (seconds) | --timeout 10s |
| --delay | Delay between requests | --delay 100ms |

Some servers return the same error page (like a custom 404) for every invalid vhost. Use --exclude-length to filter out false positives by ignoring responses of a specific content length:
Modern security workflows rely on automation. Here’s a bash script using the latest flags:
Vhost discovery now supports HTTPS properly and SNI (Server Name Indication):