HostHunter
HostHunter is an advanced OSINT (Open Source Intelligence) tool designed for hostname and subdomain discovery using passive reconnaissance techniques. It leverages multiple public data sources including certificate databases, DNS records, web archives, and search engines to identify associated hostnames without direct probing of target systems.
Installation
# Kali Linux (pre-installed)
hosthunter --version
# Manual installation
sudo apt-get update
sudo apt-get install hosthunter
# From GitHub
git clone https://github.com/kalilinux/hosthunter.git
cd hosthunter
pip3 install -r requirements.txt
sudo python3 setup.py install
# Verify installation
which hosthunter
hosthunter --help
Basic Usage
| Command | Description |
|---|---|
| `hosthunter <domain>` | Basic hostname enumeration |
| `hosthunter -t <target>` | Target domain or IP |
| `hosthunter -d <domain>` | Specify domain |
| `hosthunter -i <ip>` | Query by IP address |
| `hosthunter --help` | Display help information |
| `hosthunter -o <file>` | Save output to file |
| `hosthunter -f <format>` | Specify output format |
Hostname Discovery
Domain-Based Discovery
# Enumerate hostnames for domain
hosthunter example.com
# Discover subdomains
hosthunter -d example.com
# Extended enumeration
hosthunter -d example.com --extended
# Show sources of discovered hostnames
hosthunter -d example.com -v
# Deep search across multiple sources
hosthunter -d example.com --deep
IP-Based Reverse Discovery
# Find hostnames for IP address
hosthunter 192.168.1.1
# Reverse IP lookup
hosthunter -i 10.0.0.1
# IP range discovery
hosthunter 192.168.0.0/24
# Query multiple IPs
hosthunter 8.8.8.8 1.1.1.1 9.9.9.9
Bulk Enumeration
# Enumerate from file list
hosthunter -f domain_list.txt
# Process multiple domains
while IFS= read -r domain; do
    hosthunter "$domain"
done < domains.txt
# Batch enumeration with output
for domain in example.com test.com sample.com; do
    hosthunter -d "$domain" -o "${domain}_hosts.txt"
done
Output Formats and Saving
Text Output
# Standard text output
hosthunter example.com
# Verbose output with details
hosthunter -v example.com
# Quiet mode (hosts only)
hosthunter -q example.com
# Save to file
hosthunter example.com -o results.txt
# Append to existing file
hosthunter example.com -o results.txt --append
Structured Output
# JSON output format
hosthunter example.com -f json -o results.json
# CSV format
hosthunter example.com -f csv -o results.csv
# XML output
hosthunter example.com -f xml -o results.xml
# Parse JSON results
hosthunter example.com -f json | jq '.hostnames[]'
# Parse CSV with headers
hosthunter example.com -f csv | head -5
OSINT Sources and Techniques
Certificate Transparency Logs
# Search CT logs for domain
hosthunter example.com --ct
# CT log enumeration only
hosthunter example.com --source ct
# Extract from certificates
hosthunter example.com --cert-search
# Analyze certificate SANs
hosthunter example.com --cert-detail
DNS-Based Enumeration
# DNS record enumeration
hosthunter example.com --dns
# AXFR zone transfer attempt
hosthunter example.com --zone-transfer
# DNS history lookup
hosthunter example.com --dns-history
# Nameserver discovery
hosthunter example.com --nameservers
Search Engine Results
# Google search enumeration
hosthunter example.com --google
# Bing search results
hosthunter example.com --bing
# Search operator queries
hosthunter example.com --search-operators
# Cache search results
hosthunter example.com --cache
Web Archive Methods
# Wayback Machine enumeration
hosthunter example.com --wayback
# Internet Archive discovery
hosthunter example.com --archive
# Historical DNS records
hosthunter example.com --historical
# Archived version analysis
hosthunter example.com --archive-all
Passive DNS Data
# Passive DNS lookup
hosthunter example.com --passive-dns
# Historical DNS records
hosthunter example.com --dns-history
# PDNS enumeration
hosthunter example.com --pdns
# Threat intelligence feeds
hosthunter example.com --threat-intel
Advanced Enumeration Techniques
Multi-Source Discovery
# Combine all data sources
hosthunter example.com --all-sources
# Specific source selection
hosthunter example.com --sources ct,dns,archive
# Source comparison
hosthunter example.com --compare-sources
# Validate across sources
hosthunter example.com --cross-validate
Subdomain Filtering
# Filter results by pattern
hosthunter example.com | grep -E "^[a-z0-9-]+\.example\.com$"
# Exclude wildcard domains
hosthunter example.com --exclude-wildcard
# Include/exclude patterns
hosthunter example.com --include "test" --exclude "staging"
# Filter by TLD
hosthunter example.com --tld-filter ".com"
Deep and Extended Scanning
# Extended enumeration
hosthunter example.com --extended
# Deep scanning (more time-consuming)
hosthunter example.com --deep
# Aggressive enumeration
hosthunter example.com --aggressive
# Comprehensive analysis
hosthunter example.com --full-scan
Batch Processing and Automation
Process Domain Lists
#!/bin/bash
# Enumerate multiple domains with output organization
mkdir -p hosthunter_results
while IFS= read -r domain; do
    echo "Enumerating: $domain"
    hosthunter "$domain" -o "hosthunter_results/${domain}_hosts.txt"
done < domain_list.txt
# Generate summary
echo "=== Enumeration Summary ===" > summary.txt
for file in hosthunter_results/*; do
    count=$(wc -l < "$file")
    echo "$file: $count hosts" >> summary.txt
done
JSON Processing
#!/bin/bash
# Enumerate and parse JSON results
hosthunter example.com -f json -o results.json
# Extract unique hostnames
jq -r '.hostnames[]' results.json | sort -u > unique_hosts.txt
# Count results by source
jq -r '.sources[]' results.json | sort | uniq -c
# Filter by confidence score
jq '.results[] | select(.confidence > 0.8)' results.json
# Generate report
jq '.hostnames | length' results.json
CSV Analysis
#!/bin/bash
# Process CSV output
hosthunter example.com -f csv -o results.csv
# Sort and deduplicate
tail -n +2 results.csv | cut -d',' -f1 | sort -u > hosts.txt
# Count results per source
cut -d',' -f2 results.csv | sort | uniq -c
# Filter by column
awk -F',' '$3 > 0.8' results.csv # High confidence only
Reconnaissance Workflows
Initial Target Reconnaissance
# 1. Discover primary domain hostnames
hosthunter target.com -v -o target_hosts.txt
# 2. Discover associated IPs
hosthunter target.com --dns -o target_ips.txt
# 3. Find subdomains
cat target_hosts.txt | grep -v "^target\.com$" > subdomains.txt
# 4. Reverse IP lookup for discovered IPs
while IFS= read -r ip; do
    hosthunter "$ip" -o "target_ip_${ip}.txt"
done < target_ips.txt
# 5. Generate summary report
cat target_hosts.txt subdomains.txt | sort -u > all_hosts.txt
echo "Total unique hosts: $(wc -l < all_hosts.txt)"
Comprehensive Target Mapping
# 1. Start with main domain
hosthunter example.com -f json -o example.json
# 2. Extract all discovered hostnames
jq -r '.hostnames[]' example.json > all_hosts.txt
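# 3. For each hostname, discover associated IPs
while IFS= read -r host; do
    echo "Looking up: $host"
    # dig +short prints only the answers, so the resolver's own address is not recorded;
    # the grep keeps IPv4 addresses and drops CNAME targets
    dig +short A "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$' >> ip_mapping.txt
done < all_hosts.txt
# 4. Reverse lookup each IP
sort -u ip_mapping.txt | while IFS= read -r ip; do
    hosthunter "$ip" --quiet >> reverse_hosts.txt 2>/dev/null
done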
# 5. Compile complete inventory
cat all_hosts.txt reverse_hosts.txt | sort -u > complete_inventory.txt
Threat Intelligence Gathering
# 1. Enumerate target
hosthunter target.com -f json -o target_intel.json
# 2. Extract hostnames
jq -r '.hostnames[]' target_intel.json > hostnames.txt
# 3. Cross-reference with threat feeds
while IFS= read -r host; do
    echo "Checking: $host"
    # Cross-check with local threat database (-F: match the hostname literally, not as a regex)
    grep -iF -- "$host" threat_database.txt >> matches.txt 2>/dev/null
done < hostnames.txt
# 4. Generate intelligence report
echo "=== Target Intelligence Report ===" > report.txt
echo "Enumerated Hosts: $(wc -l < hostnames.txt)" >> report.txt
echo "Threat Matches: $(wc -l < matches.txt)" >> report.txt
cat matches.txt >> report.txt
Output Analysis
Data Extraction
# Extract unique hostnames
hosthunter example.com | sort -u > unique_hosts.txt
# Count total results
hosthunter example.com | wc -l
# Filter by pattern
hosthunter example.com | grep -E "api|dev|staging|test"
# Export for tool chain
hosthunter example.com | tee hosts.txt | wc -l
Integration with Other Tools
# Pass to port scanner (Nmap)
hosthunter target.com | while IFS= read -r host; do
    nmap -p 80,443 "$host"
done
# Feed to DNS resolver
hosthunter target.com | while IFS= read -r host; do
    dig "$host" +short
done
# Integration with subdomain tools
hosthunter example.com > discovered_hosts.txt
cat discovered_hosts.txt | cut -d. -f1,2,3 | sort -u > subdomains.txt
# Cross-check with certificate transparency
while IFS= read -r host; do
    curl -s "https://crt.sh/?q=$host" | grep -F -- "$host"
done < discovered_hosts.txt
Configuration and Customization
Source Selection
# List available sources
hosthunter --list-sources
# Use specific sources
hosthunter example.com --sources ct,dns,wayback
# Exclude certain sources
hosthunter example.com --exclude-sources passive-dns
# Custom source configuration
hosthunter example.com --config custom_sources.conf
Performance Tuning
# Limit threads/concurrency
hosthunter example.com --threads 4
# Set timeout values
hosthunter example.com --timeout 30
# Rate limiting
hosthunter example.com --rate-limit 10
# Batch size control
hosthunter example.com --batch-size 100
Verbose and Debug Output
# Verbose enumeration with source details
hosthunter example.com -vv
# Debug mode with full logging
hosthunter example.com --debug
# Show source attribution
hosthunter example.com --show-sources
# Timing information
hosthunter example.com --timing
# Full trace logging
hosthunter example.com --trace
Practical Attack Scenarios
Surface Enumeration
# 1. Basic enumeration
hosthunter targetco.com
# 2. Identify exposed services
# Results may show: api.targetco.com, dev.targetco.com, staging.targetco.com
# 3. Further investigation of interesting hosts
nmap -sC -sV api.targetco.com
curl -I http://dev.targetco.com
Supply Chain Discovery
# 1. Enumerate primary target
hosthunter target.com -o target_hosts.txt
# 2. Identify third-party services
hosthunter target.com | grep -E "cdn|external|partner|vendor"
# 3. Enumerate partner/vendor domains
hosthunter partner-domain.com
# 4. Create relationship map
echo "=== Supply Chain Map ===" > supply_chain.txt
echo "Primary: target.com" >> supply_chain.txt
echo "Partners: $(grep -E 'partner|vendor' target_hosts.txt)" >> supply_chain.txt
Subdomain Takeover Reconnaissance
# 1. Discover all subdomains
hosthunter example.com -o all_subs.txt
# 2. Identify inactive/expired hosts
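while IFS= read -r sub; do
    status=$(curl -I -m 2 "http://$sub" 2>&1)
    # curl words the timeout error differently across versions ("timeout" / "timed out")
    if echo "$status" | grep -qiE "refused|timeout|timed out"; then
        echo "$sub" >> inactive_hosts.txt
    fi
done < all_subs.txt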
# 3. Check CNAME records for takeover potential
while IFS= read -r sub; do
    dig "$sub" CNAME +short
done < all_subs.txt >> cname_records.txt
Tips and Best Practices
- Use multiple data sources for comprehensive coverage
- Cross-validate results across different sources
- Document source attribution for each hostname
- Regularly update tool and data sources
- Use appropriate delays in batch processing
- Save results with timestamps for tracking
- Filter results appropriately for target scope
- Maintain detailed enumeration logs
- Validate findings before using in scans
- Respect legal and authorization boundaries
Troubleshooting
# Connection timeout
hosthunter example.com --timeout 60
# API rate limiting
hosthunter example.com --rate-limit 5
# Memory issues with large datasets
hosthunter large-domain.com --batch-size 50
# No results found
hosthunter example.com -vv # Verbose to see data sources
# Encoding issues
hosthunter example.com --encoding utf-8
# Source-specific failures
hosthunter example.com --exclude-sources problematic-source
Data Source Reliability
| Source | Reliability | Coverage | Speed |
|---|---|---|---|
| Certificate Transparency | High | Excellent | Fast |
| DNS Records | High | Good | Varies |
| Wayback Machine | Medium | Good | Slow |
| Passive DNS | High | Excellent | Fast |
| Search Engines | Medium | Fair | Slow |
| Archive.org | Medium | Fair | Slow |
HostHunter is an essential tool for passive reconnaissance, threat intelligence gathering, and comprehensive target mapping during authorized security assessments.