As with many other tools that interact with web servers, you’ll want to do two things:
- Override the default user agent string with one taken from a current mainstream web browser to avoid signature-based defenses.
- Know how the server responds to “file not found” situations: It’s not always HTTP 404.
The command below uses a Firefox for MacOS (version 101.0, current as of 2022-06-08) user agent string, the raft-medium-directories.txt (case-sensitive) wordlist, and tells gobuster to treat any responses that are 123 bytes or 456 bytes or 789 bytes in length the same as HTTP 404.
gobuster dir --useragent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0' --wordlist /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt --output gobuster.out --exclude-length 123,456,789 --url https://bhis.co
See also: --status-codes (positive) and --status-codes-blacklist (negative)