Using SecLists with Gobuster on Kali Linux

One of the fastest ways to uncover hidden files and directories on a target is by combining Gobuster with high-quality wordlists. In this tutorial, we’ll install SecLists on Kali Linux and walk through practical examples of using it to supercharge your reconnaissance.

Sebastian Gogola

When performing web application reconnaissance, one of the most common techniques is directory and file brute forcing. Tools like Gobuster rely on high-quality wordlists to discover hidden paths.

The most widely used collection of wordlists in the security community is SecLists by Daniel Miessler. In this tutorial, I’ll show you how to install SecLists on Kali Linux, where to find the most useful lists, and how to use them effectively with Gobuster.

What is SecLists?

SecLists is a community-maintained repository of wordlists used in security assessments. It contains lists for:

Web content discovery (directories, files, parameters)
Passwords and usernames
Fuzzing payloads
Vulnerability testing

For Gobuster, we’ll focus mainly on the Web-Content lists.

Step 1: Install SecLists on Kali Linux

Kali doesn’t always come with the latest SecLists preinstalled, so it’s best to grab it straight from GitHub.

cd /usr/share/wordlists
sudo git clone https://github.com/danielmiessler/SecLists.git

If git isn’t installed, run:

sudo apt install git -y

This will create a full SecLists directory under /usr/share/wordlists/SecLists.

Step 2: Explore Useful Wordlists

Inside the SecLists folder, you’ll find thousands of files. For Gobuster, the most commonly used lists live in:

/usr/share/wordlists/SecLists/Discovery/Web-Content/

Some of the most popular are:

common.txt → Quick scan, good for initial discovery
directory-list-2.3-small.txt → Balanced scan, decent coverage
directory-list-2.3-medium.txt → Larger scan, more comprehensive
directory-list-2.3-big.txt → Exhaustive scan, but slower

Step 3: Run Gobuster with SecLists

Basic directory brute force with the common.txt list:

gobuster dir -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt

Using the larger medium list for deeper enumeration:

gobuster dir -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt

If you want to check for specific file extensions (e.g., PHP):

gobuster dir -u http://target.com -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -x php,html,txt

Step 4: Keep SecLists Updated

Since SecLists is actively maintained, update it regularly:

cd /usr/share/wordlists/SecLists
sudo git pull

This ensures you always have the latest wordlists and improvements.

Tips

Start with common.txt for speed, then move up to medium if you want more depth.
Combine Gobuster with other tools (like dirsearch or feroxbuster) for broader coverage.
Remember: some lists are huge — be mindful of rate limiting and server logs.

Conclusion

Using SecLists with Gobuster is an essential skill for penetration testers and bug bounty hunters. With the right wordlist, you can uncover hidden directories, files, and attack surfaces that might otherwise remain invisible.

Happy hunting – and don’t forget to update your wordlists often!