How to Install Apache, MySQL, and PHP on Ubuntu 24.04 LTS
June 17, 2025How to Install or Update Python on Kali Linux
June 18, 2025
How to Use GAU (GetAllUrls) on Kali Linux
Last verified for accuracy: July 25, 2025
🛡️ Ethical Use Reminder: All tools and techniques discussed in this post are intended for ethical, legal, and educational use only. Only perform security testing on systems you own or have explicit permission to test. This content is for researchers, students and professionals following responsible disclosure and legal guidelines.
What is GAU?
GAU is a robust reconnaissance tool designed for bug bounty hunters and penetration testers. It helps uncover hidden or forgotten URLs associated with a given domain by gathering data from a variety of public sources, including the Wayback Machine, Common Crawl, and AlienVault’s OTX. By pulling this information, GAU enables security researchers to discover subdomains, historical URLs and previously indexed content, all of which can reveal potential attack surfaces. In this guide, we will walk through the process of installing GAU on Kali Linux and running it directly from the terminal for easy and efficient URL discovery.
What is GAU Used For?
GAU is a powerful passive reconnaissance tool commonly used in bug bounty hunting and web application security testing. It gathers archived URLs and historical endpoints associated with a target domain from trusted public sources like the Wayback Machine, Common Crawl, and AlienVault OTX. By uncovering URLs that may not appear in regular scans, GAU helps security researchers and penetration testers discover hidden endpoints, legacy paths, and potential attack vectors, which could be critical for identifying vulnerabilities.
🔍 Use Cases
- Discover URLs with query parameters
- Uncover hidden directories and paths
- Find forgotten, old, or deprecated endpoints
- Feed into tools like httpx , gf or sqlmap
- Build custom wordlists for brute-force tools
🛠️ How GAU Works
GAU operates by retrieving URLs from a range of open web archives and threat intelligence sources, providing a comprehensive overview of historical and potentially overlooked endpoints. Some of the key data sources GAU pulls from include:
- Wayback Machine (archive.org): Offers snapshots of websites over time, uncovering previously indexed pages and resources.
- Common Crawl: A public dataset of web crawls, which helps identify URLs that have been indexed across millions of websites.
- AlienVault OTX: A threat intelligence platform that aggregates data on potential security risks, including URLs linked to malicious or suspicious domains.
- URLScan.io: A service that scans and analyzes URLs, capturing metadata and identifying resources associated with a given domain.
By pulling data from these public resources, GAU enables security researchers to uncover hidden endpoints, historical versions of websites, and other potentially valuable information that may not be immediately visible in standard scans.
1. Install GAU
You can install GAU via Go. First, ensure Golang is installed:
What do these commands do?
The two commands shown here are used to update your system and install Go (Golang) on your Kali Linux setup:
- sudo apt update: This command updates the list of available packages and their versions on your system. It ensures that your package manager (APT) knows about the latest software updates and dependencies, so you’re always installing the most up-to-date versions of software.
- sudo apt install golang: This installs the Go programming language (Golang) on your system. Go is a powerful, statically typed language often used for building fast and efficient tools, and it’s widely used in security research, bug bounty hunting, and web development. Running this command will download and set up Go for development purposes on your machine.
Then install GAU using Go:
Make sure your Go bin path is added to your shell profile:
If you’re using Zsh instead of Bash, the file would be ~/.zshrc instead of ~/.bashrc:
2. Run GAU on a Target
To fetch URLs for a domain, simply run:
gau example.comThis pulls all known URLs associated with example.com. You can redirect the output to a file:
gau example.com > urls.txt3. Filter Useful Endpoints
You can use grep to filter interesting URLs, such as those with query parameters:
cat urls.txt | grep "="Or limit results to a specific file type:
cat urls.txt | grep ".php"4. Combine with Other Tools
GAU works well in recon chains. Pipe results to tools like httpx or gf for vulnerability pattern matching:
gau example.com | httpx -silentOr:
gau example.com | gf xssThis command uses gau to gather archived URLs for example.com and pipes the output into gf with the xss template. GF is a pattern-matching tool that filters out URLs with potentially interesting query parameters commonly associated with cross-site scripting, like ?q=, ?search=, or ?input=. It’s a fast way to narrow down large URL lists to high-priority XSS targets during recon.
Wrap-Up
GAU is a simple but powerful tool to expand your attack surface discovery. Pair it with grep, httpx, and pattern matchers to automate early-stage recon on Kali Linux. It’s fast, easy to use, and great for scripting into larger toolchains.
