HostHunter
HostHunter is an advanced OSINT (Open Source Intelligence) tool designed for hostname and subdomain discovery using passive reconnaissance techniques. It leverages multiple public data sources including certificate databases, DNS records, web archives, and search engines to identify associated hostnames without direct probing of target systems.
Installation
```bash
# Kali Linux (pre-installed)
hosthunter --version

# Manual installation
sudo apt-get update
sudo apt-get install hosthunter

# From GitHub
git clone https://github.com/kalilinux/hosthunter.git
cd hosthunter
pip3 install -r requirements.txt
sudo python3 setup.py install

# Verify installation
which hosthunter
hosthunter --help
```
Basic Usage
| Command | Description |
|---|---|
| hosthunter <domain> | Basic hostname enumeration |
| hosthunter -t <target> | Target domain or IP |
| hosthunter -d <domain> | Specify domain |
| hosthunter -i <ip> | Query by IP address |
| hosthunter --help | Display help information |
| hosthunter -o <file> | Save output to file |
| hosthunter -f <format> | Specify output format |
Hostname Discovery
Domain-Based Discovery
```bash
# Enumerate hostnames for domain
hosthunter example.com

# Discover subdomains
hosthunter -d example.com

# Extended enumeration
hosthunter -d example.com --extended

# Show sources of discovered hostnames
hosthunter -d example.com -v

# Deep search across multiple sources
hosthunter -d example.com --deep
```
IP-Based Reverse Discovery
```bash
# Find hostnames for IP address
hosthunter 192.168.1.1

# Reverse IP lookup
hosthunter -i 10.0.0.1

# IP range discovery
hosthunter 192.168.0.0/24

# Query multiple IPs
hosthunter 8.8.8.8 1.1.1.1 9.9.9.9
```
Bulk Enumeration
```bash
# Enumerate from file list
hosthunter -f domain_list.txt

# Process multiple domains
cat domains.txt | while read domain; do
  hosthunter "$domain"
done

# Batch enumeration with output
for domain in example.com test.com sample.com; do
  hosthunter -d "$domain" -o "${domain}_hosts.txt"
done
```
Output Formats and Saving
Text Output
```bash
# Standard text output
hosthunter example.com

# Verbose output with details
hosthunter -v example.com

# Quiet mode (hosts only)
hosthunter -q example.com

# Save to file
hosthunter example.com -o results.txt

# Append to existing file
hosthunter example.com -o results.txt --append
```
Structured Output
```bash
# JSON output format
hosthunter example.com -f json -o results.json

# CSV format
hosthunter example.com -f csv -o results.csv

# XML output
hosthunter example.com -f xml -o results.xml

# Parse JSON results
hosthunter example.com -f json | jq '.hostnames[]'

# Parse CSV with headers
hosthunter example.com -f csv | head -5
```
OSINT Sources and Techniques
Certificate Transparency Logs
```bash
# Search CT logs for domain
hosthunter example.com --ct

# CT log enumeration only
hosthunter example.com --source ct

# Extract from certificates
hosthunter example.com --cert-search

# Analyze certificate SANs
hosthunter example.com --cert-detail
```
DNS-Based Enumeration
```bash
# DNS record enumeration
hosthunter example.com --dns

# AXFR zone transfer attempt
hosthunter example.com --zone-transfer

# DNS history lookup
hosthunter example.com --dns-history

# Nameserver discovery
hosthunter example.com --nameservers
```
Search Engine Results
```bash
# Google search enumeration
hosthunter example.com --google

# Bing search results
hosthunter example.com --bing

# Search operator queries
hosthunter example.com --search-operators

# Cache search results
hosthunter example.com --cache
```
Web Archive Methods
```bash
# Wayback Machine enumeration
hosthunter example.com --wayback

# Internet Archive discovery
hosthunter example.com --archive

# Historical DNS records
hosthunter example.com --historical

# Archived version analysis
hosthunter example.com --archive-all
```
Passive DNS Data
```bash
# Passive DNS lookup
hosthunter example.com --passive-dns

# Historical DNS records
hosthunter example.com --dns-history

# PDNS enumeration
hosthunter example.com --pdns

# Threat intelligence feeds
hosthunter example.com --threat-intel
```
Advanced Enumeration Techniques
Multi-Source Discovery
```bash
# Combine all data sources
hosthunter example.com --all-sources

# Specific source selection
hosthunter example.com --sources ct,dns,archive

# Source comparison
hosthunter example.com --compare-sources

# Validate across sources
hosthunter example.com --cross-validate
```
Subdomain Filtering
```bash
# Filter results by pattern
hosthunter example.com | grep -E "^[a-z0-9-]+\.example\.com$"

# Exclude wildcard domains
hosthunter example.com --exclude-wildcard

# Include/exclude patterns
hosthunter example.com --include "test" --exclude "staging"

# Filter by TLD
hosthunter example.com --tld-filter ".com"
```
Deep and Extended Scanning
```bash
# Extended enumeration
hosthunter example.com --extended

# Deep scanning (more time-consuming)
hosthunter example.com --deep

# Aggressive enumeration
hosthunter example.com --aggressive

# Comprehensive analysis
hosthunter example.com --full-scan
```
Batch Processing and Automation
Process Domain Lists
```bash
#!/bin/bash
# Enumerate multiple domains with output organization
mkdir -p hosthunter_results

while IFS= read -r domain; do
  echo "Enumerating: $domain"
  hosthunter "$domain" -o "hosthunter_results/${domain}_hosts.txt"
done < domain_list.txt

# Generate summary
echo "=== Enumeration Summary ===" > summary.txt
for file in hosthunter_results/*; do
  count=$(wc -l < "$file")
  echo "$file: $count hosts" >> summary.txt
done
```
JSON Processing
```bash
#!/bin/bash
# Enumerate and parse JSON results
hosthunter example.com -f json -o results.json

# Extract unique hostnames
jq -r '.hostnames[]' results.json | sort -u > unique_hosts.txt

# Count results by source
jq -r '.sources[]' results.json | sort | uniq -c

# Filter by confidence score
jq '.results[] | select(.confidence > 0.8)' results.json

# Generate report
jq '.hostnames | length' results.json
```
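The jq one-liners above and the grep-based scope filter in the Subdomain Filtering section are easy to get subtly wrong: a substring match on `example.com` also accepts `notexample.com` and `cdn.example.com.evil.net`, and case variants of one host are counted twice. The following added example (not part of the HostHunter project; the JSON layout with `results[].hostname/source/confidence` is assumed from the jq filters on this page, and the sample data is constructed) post-processes a JSON result into a deduplicated, in-scope, confidence-thresholded inventory with per-host source attribution.

```python
import json
from collections import Counter

# Constructed sample in the shape the page's jq filters imply; not real tool output.
SAMPLE_JSON = """
{
  "results": [
    {"hostname": "api.example.com", "source": "ct", "confidence": 0.95},
    {"hostname": "API.example.com", "source": "dns", "confidence": 0.90},
    {"hostname": "*.example.com", "source": "ct", "confidence": 0.99},
    {"hostname": "www.example.com", "source": "ct", "confidence": 0.92},
    {"hostname": "mail.example.com", "source": "dns", "confidence": 0.85},
    {"hostname": "dev.example.com", "source": "wayback", "confidence": 0.60},
    {"hostname": "notexample.com", "source": "ct", "confidence": 0.97},
    {"hostname": "cdn.example.com.evil.net", "source": "wayback", "confidence": 0.70}
  ]
}
"""

def normalize(hostname):
    """Lowercase and strip surrounding whitespace and a trailing dot."""
    return hostname.strip().lower().rstrip(".")

def in_scope(hostname, scope_domain):
    """True only for the scope domain itself or a real subdomain of it;
    a plain substring/endswith test would also accept notexample.com."""
    h, d = normalize(hostname), normalize(scope_domain)
    return h == d or h.endswith("." + d)

def filter_results(raw_json, scope_domain, min_confidence=0.8):
    """Return ({hostname: [sources]}, Counter of sources) for in-scope,
    non-wildcard results at or above min_confidence, deduplicated by case."""
    data = json.loads(raw_json)
    kept = {}
    for r in data.get("results", []):
        name = normalize(r["hostname"])
        if name.startswith("*."):                 # wildcard entry, not a concrete host
            continue
        if not in_scope(name, scope_domain):      # enforce the assessment scope
            continue
        if r.get("confidence", 0) < min_confidence:
            continue
        kept.setdefault(name, set()).add(r["source"])   # one host, all its sources
    hosts = {h: sorted(s) for h, s in sorted(kept.items())}
    return hosts, Counter(src for s in kept.values() for src in s)

if __name__ == "__main__":
    print(filter_results(SAMPLE_JSON, "example.com"))
```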
CSV Analysis
```bash
#!/bin/bash
# Process CSV output
hosthunter example.com -f csv -o results.csv

# Sort and deduplicate
tail -n +2 results.csv | cut -d',' -f1 | sort -u > hosts.txt

# Count results per source
cut -d',' -f2 results.csv | sort | uniq -c

# Filter by column
awk -F',' '$3 > 0.8' results.csv # High confidence only
```
Reconnaissance Workflows
Initial Target Reconnaissance
```bash
# 1. Discover primary domain hostnames
hosthunter target.com -v -o target_hosts.txt

# 2. Discover associated IPs
hosthunter target.com --dns -o target_ips.txt

# 3. Find subdomains
cat target_hosts.txt | grep -v "^target\.com$" > subdomains.txt

# 4. Reverse IP lookup for discovered IPs
while read ip; do
  hosthunter "$ip" -o "target_ip_${ip}.txt"
done < target_ips.txt

# 5. Generate summary report
cat target_hosts.txt subdomains.txt | sort -u > all_hosts.txt
echo "Total unique hosts: $(wc -l < all_hosts.txt)"
```
Comprehensive Target Mapping
```bash
# 1. Start with main domain
hosthunter example.com -f json -o example.json

# 2. Extract all discovered hostnames
jq -r '.hostnames[]' example.json > all_hosts.txt

# 3. For each hostname, discover associated IPs
# (drop the "Address: ...#53" line, which is the resolver, not the host)
while read host; do
  echo "Looking up: $host"
  nslookup "$host" | grep "^Address:" | grep -v "#" >> ip_mapping.txt
done < all_hosts.txt

# 4. Reverse lookup each IP
sort -u ip_mapping.txt | cut -d: -f2 | while read ip; do
  hosthunter "$ip" --quiet >> reverse_hosts.txt 2>/dev/null
done

# 5. Compile complete inventory
cat all_hosts.txt reverse_hosts.txt | sort -u > complete_inventory.txt
```
Threat Intelligence Gathering
```bash
# 1. Enumerate target
hosthunter target.com -f json -o target_intel.json

# 2. Extract hostnames
jq -r '.hostnames[]' target_intel.json > hostnames.txt

# 3. Cross-reference with threat feeds
while read host; do
  echo "Checking: $host"
  # Cross-check with local threat database (-F: match the hostname literally, not as a regex)
  grep -iF "$host" threat_database.txt >> matches.txt 2>/dev/null
done < hostnames.txt

# 4. Generate intelligence report
echo "=== Target Intelligence Report ===" > report.txt
echo "Enumerated Hosts: $(wc -l < hostnames.txt)" >> report.txt
echo "Threat Matches: $(wc -l < matches.txt)" >> report.txt
cat matches.txt >> report.txt
```
Output Analysis
Data Extraction
```bash
# Extract unique hostnames
hosthunter example.com | sort -u > unique_hosts.txt

# Count total results
hosthunter example.com | wc -l

# Filter by pattern
hosthunter example.com | grep -E "api|dev|staging|test"

# Export for tool chain
hosthunter example.com | tee hosts.txt | wc -l
```
Integration with Other Tools
```bash
# Pass to port scanner (Nmap)
hosthunter target.com | while read host; do
  nmap -p 80,443 "$host"
done

# Feed to DNS resolver
hosthunter target.com | while read host; do
  dig "$host" +short
done

# Integration with subdomain tools
hosthunter example.com > discovered_hosts.txt
cat discovered_hosts.txt | cut -d. -f1,2,3 | sort -u > subdomains.txt

# Cross-check with certificate transparency
while read host; do
  curl -s "https://crt.sh/?q=$host" | grep "$host"
done < discovered_hosts.txt
```
Configuration and Customization
Source Selection
```bash
# List available sources
hosthunter --list-sources

# Use specific sources
hosthunter example.com --sources ct,dns,wayback

# Exclude certain sources
hosthunter example.com --exclude-sources passive-dns

# Custom source configuration
hosthunter example.com --config custom_sources.conf
```
Performance Tuning
```bash
# Limit threads/concurrency
hosthunter example.com --threads 4

# Set timeout values
hosthunter example.com --timeout 30

# Rate limiting
hosthunter example.com --rate-limit 10

# Batch size control
hosthunter example.com --batch-size 100
```
Verbose and Debug Output
```bash
# Verbose enumeration with source details
hosthunter example.com -vv

# Debug mode with full logging
hosthunter example.com --debug

# Show source attribution
hosthunter example.com --show-sources

# Timing information
hosthunter example.com --timing

# Full trace logging
hosthunter example.com --trace
```
Practical Attack Scenarios
Surface Enumeration
```bash
# 1. Basic enumeration
hosthunter targetco.com

# 2. Identify exposed services
# Results may show: api.targetco.com, dev.targetco.com, staging.targetco.com

# 3. Further investigation of interesting hosts
nmap -sC -sV api.targetco.com
curl -I http://dev.targetco.com
```
Supply Chain Discovery
```bash
# 1. Enumerate primary target
hosthunter target.com -o target_hosts.txt

# 2. Identify third-party services
hosthunter target.com | grep -E "cdn|external|partner|vendor"

# 3. Enumerate partner/vendor domains
hosthunter partner-domain.com

# 4. Create relationship map
echo "=== Supply Chain Map ===" > supply_chain.txt
echo "Primary: target.com" >> supply_chain.txt
echo "Partners: $(grep -E 'partner|vendor' target_hosts.txt)" >> supply_chain.txt
```
Subdomain Takeover Reconnaissance
```bash
# 1. Discover all subdomains
hosthunter example.com -o all_subs.txt

# 2. Identify inactive/expired hosts
# (curl reports timeouts as "timed out", so match that wording, not "timeout")
while read sub; do
  status=$(curl -I -m 2 "http://$sub" 2>&1)
  if echo "$status" | grep -q "refused\|timed out"; then
    echo "$sub" >> inactive_hosts.txt
  fi
done < all_subs.txt

# 3. Check CNAME records for takeover potential
while read sub; do
  dig "$sub" CNAME +short
done < all_subs.txt >> cname_records.txt
```
Tips and Best Practices
- Use multiple data sources for comprehensive coverage
- Cross-validate results across different sources
- Document source attribution for each hostname
- Regularly update tool and data sources
- Use appropriate delays in batch processing
- Save results with timestamps for tracking
- Filter results appropriately for target scope
- Maintain detailed enumeration logs
- Validate findings before using in scans
- Respect legal and authorization boundaries
Troubleshooting
```bash
# Connection timeout
hosthunter example.com --timeout 60

# API rate limiting
hosthunter example.com --rate-limit 5

# Memory issues with large datasets
hosthunter large-domain.com --batch-size 50

# No results found
hosthunter example.com -vv # Verbose to see data sources

# Encoding issues
hosthunter example.com --encoding utf-8

# Source-specific failures
hosthunter example.com --exclude-sources problematic-source
```
Data Source Reliability
| Source | Reliability | Coverage | Speed |
|---|---|---|---|
| Certificate Transparency | High | Excellent | Fast |
| DNS Records | High | Good | Varies |
| Wayback Machine | Medium | Good | Slow |
| Passive DNS | High | Excellent | Fast |
| Search Engines | Medium | Fair | Slow |
| Archive.org | Medium | Fair | Slow |
HostHunter is an essential tool for passive reconnaissance, threat intelligence gathering, and comprehensive target mapping during authorized security assessments.