gobuster specify http header

Become a backer! -a, useragent string -> this used to specify a specific the User-Agent string and the default value is gobuster/3.0.1. Change). Gobuster can be used to brute force a directory in a web server it has many arguments to control and filter the execution. feroxbuster is a tool designed to perform Forced Browsing. Exposing hostnames on a server may reveal supplementary web content belonging to the target. Change), You are commenting using your Facebook account. And here is the result. Often, this is not that big of a deal, and other scanners can intensify and fill in the gaps for Gobuster in this area. Are you sure you want to create this branch? gobuster dir -e -u geeksforgeeks.org -w /usr/share/wordlists/dirb/common.txt wildcard, Obtaining Full Path for a directory or file. to use Codespaces. For this install lets play around with the Go install. Using -r options allows redirecting the parameters, redirecting HTTP requests to another, and changing the Status code for a directory or file. gobuster dir -u http://target.com/ -w /usr/share/dirb/common.txt -x php -r, -followredirect -> this option will Follow the redirects if there -H, -headers stringArray -> if you have to use a special header in your request then you can Specify HTTP headers, for example "-H 'Header1: val1' -H 'Header2: val2'" Again, the 2 essential flags are the -u URL and -w wordlist. Lets start by looking at the help command for dns mode. -x : (--extensions [string]) File extension(s) to search for. To install Gobuster on Mac, you can use Homebrew. How wonderful is that! 0 upgraded, 0 newly installed, 0 to remove and 11 not upgraded. Unless your content discovery tool was configured to . If you want to install it in the $GOPATH/bin folder you can run: Base domain validation warning when the base domain fails to resolve. Enter your email address to subscribe to this blog and receive notifications of new posts by email. gobuster dir -u https://www.geeksforgeeks.com w /usr/share/wordlists/big.txt -x php,html,htm. It is an extremely fast tool so make sure you set the correct settings to align with the program you are hunting on. By clicking Sign up for GitHub, you agree to our terms of service and Fill in your details below or click an icon to log in: You are commenting using your WordPress.com account. Already on GitHub? Overall, Gobsuter is a fantastic tool to help you reduce your applications attack surface. If you are new to wordlists, a wordlist is a list of commonly used terms. Gobuster is a tool used to brute-force: URIs (directories and files) in web sites. Gobuster, a record scanner written in Go Language, is worth searching for. So after experimenting, found out this is the correct syntax: 1500ms)-v, verbose Verbose output (errors)-w, wordlist string Path to the wordlist, Usage: gobuster dir [flags]Flags:-f, addslash Append / to each request-c, cookies string Cookies to use for the requests-e, expanded Expanded mode, print full URLs-x, extensions string File extension(s) to search for-r, followredirect Follow redirects-H, headers stringArray Specify HTTP headers, -H Header1: val1 -H Header2: val2-h, help help for dir-l, includelength Include the length of the body in the output-k, insecuressl Skip SSL certificate verification-n, nostatus Dont print status codes-P, password string Password for Basic Auth-p, proxy string Proxy to use for requests [http(s)://host:port]-s, statuscodes string Positive status codes (will be overwritten with statuscodesblacklist if set) (default 200,204,301,302,307,401,403)-b, statuscodesblacklist string Negative status codes (will override statuscodes if set) timeout duration HTTP Timeout (default 10s)-u, url string The target URL-a, useragent string Set the User-Agent string (default gobuster/3.0.1)-U, username string Username for Basic Auth wildcard Force continued operation when wildcard found Global Flags:-z, noprogress Dont display progress-o, output string Output file to write results to (defaults to stdout)-q, quiet Dont print the banner and other noise-t, threads int Number of concurrent threads (default 10) delay duration Time each thread waits between requests (e.g. ). For example, if you have a domain named mydomain.com, sub-domains like admin.mydomain.com, support.mydomain.com, and so on can be found using Gobuster. If you're backing us already, you rock. brute-force, directory brute-forcing, gobuster, gobuster usage. Feel free to: Usage: gobuster dns [flags] Flags:-d, domain string The target domain-h, help help for dns-r, resolver string Use custom DNS server (format server.com or server.com:port)-c, showcname Show CNAME records (cannot be used with -i option)-i, showips Show IP addresses timeout duration DNS resolver timeout (default 1s) wildcard Force continued operation when wildcard found Global Flags:-z, noprogress Dont display progress-o, output string Output file to write results to (defaults to stdout)-q, quiet Dont print the banner and other noise-t, threads int Number of concurrent threads (default 10) delay duration Time each thread waits between requests (e.g. ), Create a custom wordlist for the target containing company names and so on. --timeout [duration] : HTTP Timeout (default 10s). Theres much more to web servers and websites than what appears on the surface. The length of time depends on how large the wordlist is. Since Gobuster is written in the Go language, we need to install the Go environment on our Kali machine. So the URL above is using the root web directory. Gobuster's directory mode helps us to look for hidden files and URL paths. This feature is also handy in s3 mode to pre- or postfix certain patterns. Subscribe to the low volume list for updates. ** For more information, check out the extra links and sources. The Go module system was introduced in Go 1.11 and is the official dependency management Start with a smaller size wordlist and move to the larger ones as results will depend on the wordlist chosen. How to Install Gobuster go install github.com/OJ/gobuster/v3@latest Gobuster Parameters Gobuster can use different attack modes against a webserver a DNS server and S3 buckets from Amazon AWS. Stories about how and why companies use Go, How Go can help keep you secure by default, Tips for writing clear, performant, and idiomatic Go code, A complete introduction to building software with Go, Reference documentation for Go's standard library, Learn and network with Go developers from around the world. There are many scenarios where we need to extract the directories of a specific extension over the victim server, and then we can use the -X parameter of this scan. 1500ms)-v, verbose Verbose output (errors)-w, wordlist string Path to the wordlist, Usage: gobuster vhost [flags]Flags:-c, cookies string Cookies to use for the requests-r, followredirect Follow redirects-H, headers stringArray Specify HTTP headers, -H Header1: val1 -H Header2: val2-h, help help for vhost-k, insecuressl Skip SSL certificate verification-P, password string Password for Basic Auth-p, proxy string Proxy to use for requests [http(s)://host:port] timeout duration HTTP Timeout (default 10s)-u, url string The target URL-a, useragent string Set the User-Agent string (default gobuster/3.0.1)-U, username string Username for Basic AuthGlobal Flags:-z, noprogress Dont display progress-o, output string Output file to write results to (defaults to stdout)-q, quiet Dont print the banner and other noise-t, threads int Number of concurrent threads (default 10) delay duration Time each thread waits between requests (e.g. Lets see how to install Gobuster. For example --delay 1s in other words, if threads is set to 4 and --delay to 1s, this will send 4 requests per second. gobuster dir -u https://www.geeksforgeeks.org/ -w /usr/share/wordlists/big.txt. Virtual Host names on target web servers. **. Something that was faster than an interpreted script (such as Python). -h, help -> to view the help of gobuster like the up photo. gobuster dir -u http://127.0.0.1:8000/ -w raft-medium-directories.txt In the output section, we can see that gobuster picked up the /important directory. Set the User-Agent string (default "gobuster/3.1.0")-U,--username string: Username for Basic Auth-d,--discover-backup: Upon finding a file search for backup files Just place the string {GOBUSTER} in it and this will be replaced with the word. Gobuster is a tool used to brute-force: URIs (directories and files) in web sites. The usual approach is to rely on passive enumeration sites like crt.sh to find sub-domains. A brute-force attack consists of matching a list of words or a combination of words hoping that the correct term is present in the list. This tool is coming in pen-testing Linux distreputions by default and if you cant find it on your system, you can download it by typing sudo apt-get install gobuster and it will starting the download.And you can see the official github repo of this tool from here! Keep enumerating. change to the directory where Downloads normally arrive and do the following; A local environment variable called $GOPATH needs to be set up. This is a great attack vector for malicious actors. GoBuster is a Go-based tool used to brute-force URIs (directories and files) in web sites and DNS subdomains (with wildcard support) - essentially a directory/file & DNS busting tool. Written in the Go language, Gobuster is an aggressive scanner that helps you find hidden Directories, URLs, Sub-Domains, and S3 Buckets seamlessly. Want to back us? Gobuster also can scale using multiple threads and perform parallel scans to speed up results. The only valid value for this header is true (case . If you're stupid enough to trust binaries that I've put together, you can download them from the releases page. Gobuster is fast, with hundreds of requests being sent using the default 10 threads. gobuster has external dependencies, and so they need to be pulled in first: This will create a gobuster binary for you. DNS subdomains (with wildcard support). After entering the specific mode as per requirement, you have to specify the options. If the user wants to force processing of a domain that has wildcard entries, use --wildcard: Default options with status codes disabled looks like this: Quiet output, with status disabled and expanded mode looks like this ("grep mode"): Wordlists can be piped into gobuster via stdin by providing a - to the -w option: Note: If the -w option is specified at the same time as piping from STDIN, an error will be shown and the program will terminate. Virtual Host names on target web servers. Run gobuster again with the results found and see what else appears. The results above show status codes. Gobuster can be downloaded through the apt- repository and thus execute the following command for installing it. This is a warning rather than a failure in case the user fat-fingers while typing the domain. This will help us to remove/secure hidden files and sensitive data. For version 2 its as simple as: gobuster dir -u geeksforgeeks.org -w /usr/share/wordlists/dirb/common.txt -x .php wildcard, Enumerating Directory with Specific Extension List. -r --resolver string : Use custom DNS server (format server.com or server.com:port) In this command, we are specifically searching for files that have php,htm or html extensions. gobuster dir .. Really bad help. You need at least go 1.19 to compile gobuster. The one defeat of Gobuster, though, is the lack of recursive directory exploration. Yes, youre probably correct. Just place the string {GOBUSTER} in it and this will be replaced with the word. 4. to your account, Hello, i got this error for a long time Only use against systems you have permissions to scan against Gobuster Installation Written in the Go language, this tool enumerates hidden files along with the remote directories. The value in the content field is defined as one of the four values below. gobuster dir http://10.10.103.219 -w /usr/share/wordlists/dirb/common.txt Installing Additional Seclists for brute-forcing Directories and Files. In this case, dir mode will be helpful for you. If you're not, that's cool too! A full log of charity donations will be available in this repository as they are processed. Virtual Host names on target web servers. -d --domain string This parameter allows the file extension name and then explores the given extension files over the victim server or computer. To force processing of Wildcard DNS, specify the wildcard switch. Create a pattern file to use for common bucket names. Cannot retrieve contributors at this time 180 lines (155 sloc) 5.62 KB Raw Blame Edit this file E Open in GitHub Desktop Create a pattern file to use for common bucket names. Check if the Go environment was properly installed with the following command: 5. Gobuster also helps in securing sub-domains and virtual hosts from being exposed to the internet. Something that didnt have a fat Java GUI (console FTW). Results depend on the wordlist selected. By using our site, you Loves building useful software and teaching people how to do it. Here is the command to execute an S3 enumeration using Gobuster: Gobuster is a remarkable tool that you can use to find hidden directories, URLs, sub-domains, and S3 Buckets. After entering the gobuster command in a terminal, you compulsory need to provide the mode or need to specify the purpose of the tool you are running for. Then you need to use the new syntax. If you're backing us already, you rock. The CLI Interface changed a lot with v3 so there is a new syntax. Timeout exceeded while waiting for headers) Scan is running very slow 1 req / sec. From the above screenshot, we are enumerating for directories on https://testphp.vulnweb.com. You can use the following steps to prevent and stop brute-force attacks on your web application. Something that did not do recursive brute force. Using -n Option no status mode prints the results output without presenting the status code. feroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. At first you should know that, any tool used to brute-force or fuzzing should takes a wordlist, and you should know the wanted wordlist based on your target, for example i wont use a wordlist like rockyou in brute-forcing the web directories! Some of the examples show how to use this option. This option is compulsory, as there is a target specified for getting results. Installation The tool can be easily installed by downloading the compatible binary in the form of a tar.gz file from the Releases page of ffuf on Github. kali@kali:~$ gobuster dir -u testphp.vulnweb.com -w /usr/share/wordlists/dirb/common.txt. Sign in Kali Linux - Web Penetration Testing Tools, Hacking Tools for Penetration Testing - Fsociety in Kali Linux, Yuki Chan - Automated Penetration Testing and Auditing Tool in Kali Linux, Skipfish - Penetration Testing tool in Kali Linux, Unicornscan - Penetration Testing Tool in Kali Linux, XERXES Penetration Testing Tool using Kali Linux, linkedin2username - Penetration Testing Tools, D-TECT - Web Applications Penetration Testing Tool, Uniscan Web Application Penetration Testing Tool, Nettacker - Automated Penetration Testing Framework. The first step an attacker uses when attacking a website is to find the list of URLs and sub-domains. Since this tool is written in Go you need to install the Go language/compiler/etc. Done document.getElementById( "ak_js_1" ).setAttribute( "value", ( new Date() ).getTime() ); Enter your email address to follow this blog and receive notifications of new posts by email. You will need at least version 1.16.0 to compile Gobuster. It is worth noting that, the success of this task depends highly on the dictionaries used. This is for the times when a search for specific file extension or extensions is specified. Open Amazon S3 buckets Open Google Cloud buckets TFTP servers Tags, Statuses, etc Love this tool? S3 mode was recently added to Gobuster and is a great tool to discover public S3 buckets. It is even possible to brute force virtual hosts to find hidden vhosts such as development sites or admin portals. Base domain validation warning when the base domain fails to resolve. Description. We can use a wordlist file that is already present in the system. Gobuster Tool can enumerate hidden files along with the remote directories. This includes usernames, passwords, URLs, etc. Access-Control-Allow-Credentials. flag "url" is required but not mentioned anywhere in help. freeCodeCamp's open source curriculum has helped more than 40,000 people get jobs as developers. Create a working directory to keep things neat, then change into it. HTTP 1.1. Always get permission from the owner before scanning / brute-forcing / exploiting a system. . Request Header: This type of headers contains information about the fetched request by the client. To see the options and flags available specifically for the DNS command use: gobuster dns --help, dns mode Therefore, it uses the wildcard option to allow parameters to continue the attack even if there is any Wildcard Domain. Tweet a thanks, Learn to code for free. Finally, Thank you and i hope you learned something new! If you look at the help command, we can see that Gobuster has a few modes. The way to use Set is: func yourHandler (w http.ResponseWriter, r *http.Request) { w.Header ().Set ("header_name", "header_value") } Share Improve this answer Follow edited Dec 5, 2017 at 6:06 answered Jun 19, 2016 at 19:14 Salvador Dali -q : (--quiet) Don't print banner and other noise. -c : (--cookies [string]) Cookies to use for the requests. 1. This speeds can create problems with the system it is running on. By using the -q option, we can disable the flag to hide extra data. -x, extensions string -> File extension(s) to search for, and this is an important flag used to brute-force files with specific extensions, for example i want to search for php files so ill use this -x php, and if you want to search for many extensions you can pass them as a list like that php, bak, bac, txt, zip, jpg, etc. Quiet output, with status disabled and expanded mode looks like this (grep mode): gobuster dir -u https://buffered.io -w ~/wordlists/shortlist.txt -q -n -ehttps://buffered.io/indexhttps://buffered.io/contacthttps://buffered.io/posts https://buffered.io/categories, gobuster dns -d mysite.com -t 50 -w common-names.txt, gobuster dns -d google.com -w ~/wordlists/subdomains.txt**********************************************************Gobuster v3.0.1by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)********************************************************** [+] Mode : dns[+] Url/Domain : google.com[+] Threads : 10[+] Wordlist : /home/oj/wordlists/subdomains.txt********************************************************** 2019/06/21 11:54:20 Starting gobusterFound: chrome.google.comFound: ns1.google.comFound: admin.google.comFound: www.google.comFound: m.google.comFound: support.google.comFound: translate.google.comFound: cse.google.comFound: news.google.comFound: music.google.comFound: mail.google.comFound: store.google.comFound: mobile.google.comFound: search.google.comFound: wap.google.comFound: directory.google.comFound: local.google.comFound: blog.google.com********************************************************** 2019/06/21 11:54:20 Finished**********************************************************, gobuster dns -d google.com -w ~/wordlists/subdomains.txt -i ***************************************************************** Gobuster v3.0.1by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)***************************************************************** [+] Mode : dns[+] Url/Domain : google.com[+] Threads : 10[+] Wordlist : /home/oj/wordlists/subdomains.txt***************************************************************** 2019/06/21 11:54:54 Starting gobuster ***************************************************************** Found: www.google.com [172.217.25.36, 2404:6800:4006:802::2004]Found: admin.google.com [172.217.25.46, 2404:6800:4006:806::200e]Found: store.google.com [172.217.167.78, 2404:6800:4006:802::200e]Found: mobile.google.com [172.217.25.43, 2404:6800:4006:802::200b]Found: ns1.google.com [216.239.32.10, 2001:4860:4802:32::a]Found: m.google.com [172.217.25.43, 2404:6800:4006:802::200b]Found: cse.google.com [172.217.25.46, 2404:6800:4006:80a::200e]Found: chrome.google.com [172.217.25.46, 2404:6800:4006:802::200e]Found: search.google.com [172.217.25.46, 2404:6800:4006:802::200e]Found: local.google.com [172.217.25.46, 2404:6800:4006:80a::200e]Found: news.google.com [172.217.25.46, 2404:6800:4006:802::200e]Found: blog.google.com [216.58.199.73, 2404:6800:4006:806::2009]Found: support.google.com [172.217.25.46, 2404:6800:4006:802::200e]Found: wap.google.com [172.217.25.46, 2404:6800:4006:802::200e]Found: directory.google.com [172.217.25.46, 2404:6800:4006:802::200e]Found: translate.google.com [172.217.25.46, 2404:6800:4006:802::200e]Found: music.google.com [172.217.25.46, 2404:6800:4006:802::200e]Found: mail.google.com [172.217.25.37, 2404:6800:4006:802::2005] ****************************************************************2019/06/21 11:54:55 Finished*****************************************************************. gobuster dns -d geeksforgeeks.org -t 100 -w /usr/share/wordlists/dirb/common.txt -i wildcard. Gobuster is a tool used to brute-force on URLs (directories and files) in websites and DNS subdomains. If you have aGoenvironment ready to go, its as easy as: Since this tool is written inGoyou need to install the Go language/compiler/etc. To do so, you have to run the command using the following syntax. Here is a sample command to filter images: You can use DNS mode to find hidden subdomains in a target domain. apt-get install gobuster Reading package lists. ), Create a custom wordlist for the target containing company names and so on. You can supply pattern files that will be applied to every word from the wordlist. You can also connect with me on LinkedIn. gobuster dir -u https://mysite.com/path/to/folder -c session=123456 -t 50 -w common-files.txt -x .php,.html, gobuster dir -u https://buffered.io -w ~/wordlists/shortlist.txt======================================================Gobuster v3.0.1by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart) ====================================================== [+] Mode : dir [+] Url/Domain : https://buffered.io/ [+] Threads : 10 [+] Wordlist : /home/oj/wordlists/shortlist.txt [+] Status codes : 200,204,301,302,307,401,403 [+] User Agent : gobuster/3.0.1 [+] Timeout : 10s ====================================================== 2019/06/21 11:49:43 Starting gobuster ====================================================== /categories (Status: 301) /contact (Status: 301) /posts (Status: 301) /index (Status: 200) ======================================================2019/06/21 11:49:44 Finished ======================================================. Every occurrence of the term, New CLI options so modes are strictly separated (, Performance Optimizations and better connection handling, dir - the classic directory brute-forcing mode, s3 - Enumerate open S3 buckets and look for existence and bucket listings, gcs - Enumerate open google cloud buckets, vhost - virtual host brute-forcing mode (not the same as DNS! Run gobuster with the custom input. Keep digging to locate those hidden directories. This can include images, script files, and almost any file that is exposed to the internet. Want to back us? Took a while, but by filtering the results to an output file its easy to see and retain for future enumerating, what was located. So, while using the tool, we need to specify the -u followed by a target URL, IP address, or a hostname. No-Cache - may not be cached. If nothing happens, download GitHub Desktop and try again. I would recommend downloading Seclists. -c : (--showcname) Show CNAME records (cannot be used with '-i' option). Gobuster tool has a long list of options; to explore them, you can simply read the help page by typing gobuster -h. Error: unknown shorthand flag: 'u' in -u. So, Gobuster performs a brute attack. HTTP Client hints are a set of request headers that provide useful information about the client such as device type and network conditions, and allow servers to optimize what is served for those conditions.. Servers proactively requests the client hint headers they are interested in from the client using Accept-CH.The client may then choose to include the requested headers in subsequent requests. or i cant use a wordlist used to brute force the wordpress in onther CMS like umbraco.So, you should choose the suitable word-list first, and there are many wordlists, and you can create your own too!There are many ready-wordlists such as these on seclist or these on dirb and dirbuster, gobuster tools. Gobuster is a tool that helps you perform active scanning on web sites and applications. If nothing happens, download Xcode and try again. The same search without the flag -q obviously gives the same results - and includes the banner information. Open Amazon S3 buckets Open Google Cloud buckets TFTP servers Tags, Statuses, etc Love this tool? Full details of installation and set up can be found on the Go language website. Continue to enumerate results to find as much information as possible. 2. Directories & Files brute-forcing using Gobustertool. The Linux package may not be the latest version of Gobuster. Allow Ranges in status code and status code blacklist. We are now shipping binaries for each of the releases so that you dont even have to build them yourself! Note: All my articles are for educational purposes. Now that everything is set up and installed, were ready to go and use Gobuster. -t : (--threads [number]) Number of concurrent threads (default 10). So to provide this wordlist, you need to type the -w option, followed by the path of the wordlist where it is located. -o --output string : Output file to write results to (defaults to stdout). -o, output string -> that option to copy the result to a file and if you didnt use this flag, the output will be in the screen. Add the following to the .bash_profile Locate in home directory with ls -la . Gobuster is a tool used to brute force URLs (directories and files) from websites, DNS subdomains, Virtual Host names and open Amazon S3 buckets. Once installed you have two options. GoBuster is not on Kali by default. Gobuster is a fast brute-force tool to discover hidden URLs, files, and directories within websites. Gobuster is a fast and powerful directory scanner that should be an essential part of any hackers collection, and now you know how to use it. If the user wants to force processing of a domain that has wildcard entries, use --wildcard: Default options with status codes disabled looks like this: Quiet output, with status disabled and expanded mode looks like this ("grep mode"): Wordlists can be piped into gobuster via stdin by providing a - to the -w option: Note: If the -w option is specified at the same time as piping from STDIN, an error will be shown and the program will terminate. Noseyparker : Find Secrets And Sensitive Information In Textual Data And MSI Dump : A Tool That Analyzes Malicious MSI Installation. The client sends the user name and password un-encrypted base64 encoded data. It could be beneficial to drop this down to 4. Once installed you have two options. To check its all worked and the Go environment is set up: Now with the Go environment confirmed. Request Header. we will show the help of the Dir command by typing gobuster dir -h and we get another flags to be used with the dir command beside the general flags of the tool. You would be surprised at what people leave, Gobuster is an aggressive scan. Lets run it against our victim with the default parameters. A browser redirects to the new URL and search engines update their links to the resource. One of the primary steps in attacking an internet application is enumerating hidden directories and files. If you are using Kali Linux, you can find seclists under /usr/share/wordlists. modified, and redistributed. The 2 flags required to run a basic scan are -u -w. This example uses common.txt from the SecList wordlists. I am using the -f option here for appending the forward-slash while making a brute-force attack on the target URL. Gobuster is a tool used to brute-force like URIs (directories and files) in web sites, DNS subdomains (with wildcard support) and Virtual Host names on target web servers. privacy statement. How Should I Start Learning Ethical Hacking on My Own? Note: If the-woption is specified at the same time as piping from STDIN, an error will be shown and the program will terminate. -v : (--verbose) Verbose output (errors). First, we learned how to install the tool and some valuable wordlists not found on Kali by default. The text was updated successfully, but these errors were encountered: Which version of gobuster are you using? Caution: Using a big pattern file can cause a lot of request as every pattern is applied to every word in the wordlist. sign in Such as, -x .php or other only is required. For directories, quite one level deep, another scan is going to be needed, unfortunately. -p : (--proxy [string]) Proxy to use for requests [http(s)://host:port]. Nessus, OpenVAS and NexPose vs Metasploitable, https://github.com/danielmiessler/SecLists. It can also be worth creating a wordlist specific to the job at hand using a variety of resources. -k, insecuressl -> this will Skip SSL certificate verification.

Bentley And Sons Funeral Home Obituaries Woodbury, Ga, Ponchatoula Police Department, Recovery House Medellin, Colombia, Articles G