httprobe
Overview
httprobe is a lightweight Go utility that takes a list of domains and tests each one to see if it’s responding to HTTP or HTTPS requests. It’s particularly useful during the reconnaissance phase of penetration testing to identify which domains have active web servers. The tool is part of the ProjectDiscovery toolkit and is commonly found in Kali Linux.
httprobe efficiently handles large lists of domains and provides multiple options for customization, including support for custom ports, timeout configuration, and header injection.
Installation
# Using Go
go install -v github.com/tomnomnom/httprobe@latest
# On Kali Linux (pre-installed)
httprobe --version
# Or compile from source
git clone https://github.com/tomnomnom/httprobe
cd httprobe
go build -o httprobe
sudo mv httprobe /usr/local/bin/
Basic Usage
Simple Domain Probing
| Command | Description |
|---|---|
| httprobe < domains.txt | Probe domains from file (stdin) |
| echo "example.com" \| httprobe | Probe a single domain via pipe |
| httprobe -h | Display help information |
| httprobe -v | Show verbose output |
Input Format
httprobe expects one domain per line:
example.com
google.com
github.com
stackoverflow.com
Basic Examples
# Probe domains from a file
cat domains.txt | httprobe
# Probe with verbose output
cat domains.txt | httprobe -v
# Probe single domain
echo "example.com" | httprobe
# Combine with other tools
subfinder -d example.com -silent | httprobe
Common Options
Port Configuration
| Option | Description | Example |
|---|---|---|
| -p | Specify custom ports (given as proto:port) | httprobe -p http:8080 -p https:8443 |
| -c | Concurrency (threads) | httprobe -c 50 |
| --prefer-https | Prioritize HTTPS results | httprobe --prefer-https |
Timeout and Protocol Settings
| Option | Description | Example |
|---|---|---|
| -t | Timeout in milliseconds | httprobe -t 5000 |
| --skip-save | Don’t save results | httprobe --skip-save |
| -s | Stdin mode (default) | httprobe -s |
Examples with Options
# Probe with custom timeout (10 seconds)
cat domains.txt | httprobe -t 10000
# Probe with increased concurrency (100 threads)
cat domains.txt | httprobe -c 100
# Probe custom ports (each -p takes one proto:port pair)
cat domains.txt | httprobe -p http:8080 -p https:8443 -p http:9000
# Probe with HTTPS preference and custom timeout
cat domains.txt | httprobe --prefer-https -t 5000
# Combine verbose and concurrency
cat domains.txt | httprobe -v -c 50
Advanced Usage
Integration with Reconnaissance Workflows
# Get subdomains and probe for HTTP/HTTPS
subfinder -d example.com -silent | httprobe
# Use with assetfinder
assetfinder example.com | httprobe
# Combine with amass for comprehensive discovery
amass enum -d example.com -silent | httprobe
# Multi-domain enumeration with httprobe
for domain in example.com test.com sample.com; do
  subfinder -d "$domain" -silent | httprobe
done
Output Processing
# Save results to file
cat domains.txt | httprobe > live_hosts.txt
# Count results
cat domains.txt | httprobe | wc -l
# Filter for HTTPS only
cat domains.txt | httprobe | grep "^https://"
# Filter for HTTP only
cat domains.txt | httprobe | grep "^http://" | grep -v "^https://"
# Check specific status codes with curl
cat live_hosts.txt | xargs -I {} curl -o /dev/null -s -w "{} -> %{http_code}\n" {}
Large-Scale Scanning
# High concurrency for large lists
cat large_domain_list.txt | httprobe -c 200 -t 3000
# Store output with timestamp
cat domains.txt | httprobe > results_$(date +%Y%m%d_%H%M%S).txt
# Parallel processing with GNU parallel
cat domains.txt | parallel --pipe --block 10M httprobe -c 50
# Resume scanning if interrupted (results.txt holds URLs, so reduce them to hostnames before comparing)
comm -23 <(sort -u domains.txt) <(sed -E 's#^https?://##; s#[:/].*$##' results.txt | sort -u) | httprobe >> results.txt
Common Workflows
Web Application Reconnaissance
# Discover live web servers across target domain
subfinder -d target.com -silent | httprobe -c 100 -t 5000
# Identify web server versions
while read -r url; do
  curl -I -s "$url" | grep -i "server:"
done < live_hosts.txt
# Extract title tags
while read -r url; do
  curl -s "$url" | grep -oP '<title>\K[^<]+' || echo "No title: $url"
done < live_hosts.txt
Bug Bounty Reconnaissance
# Enumerate all subdomains and probe
assetfinder -subs-only example.com | httprobe | tee -a scope.txt
# Verify live targets before testing (scope.txt holds URLs; httprobe expects bare hostnames)
sed -E 's#^https?://##' scope.txt | sort -u | httprobe --prefer-https > verified_targets.txt
# Quick HTTP status check
while read -r url; do
  status=$(curl -o /dev/null -s -w "%{http_code}" "$url")
  echo "$url -> $status"
done < scope.txt
Corporate Network Assessment
# Probe internal domain list
cat internal_domains.txt | httprobe -c 50
# Identify web services on custom ports (each -p takes one proto:port pair)
cat hosts.txt | httprobe -p http:8080 -p https:8443 -p http:9000 -p http:3000
# Log detailed discovery results
cat hosts.txt | httprobe -v > discovery_$(date +%s).log 2>&1
Output Format
httprobe returns the full URL (including protocol) for accessible services:
http://example.com
https://example.com
http://subdomain.example.com
https://api.example.com
Practical Examples
Example 1: Basic Domain Enumeration
# Create domain list
echo -e "google.com\ngithub.com\nstackoverflow.com" > targets.txt
# Probe domains
httprobe < targets.txt
# Expected output:
# http://google.com
# https://google.com
# http://github.com
# https://github.com
Example 2: Integration with Subfinder
# Full reconnaissance pipeline
subfinder -d target.com -silent | \
httprobe -c 100 -t 5000 --prefer-https | \
tee target_hosts.txt
# Count results
wc -l target_hosts.txt
Example 3: Custom Port Scanning
# Test common development ports (each -p takes one proto:port pair)
cat hosts.txt | httprobe -p http:8000 -p http:8080 -p https:8443 -p http:3000 -p http:5000 -p http:9000
# Results will include:
# http://host1:8080
# https://host1:8443
Example 4: Performance Testing
# Large-scale scanning with optimal settings
time cat 10000_domains.txt | \
httprobe -c 200 -t 3000 > results.txt
# Monitor progress
cat 10000_domains.txt | httprobe -v -c 100 | tee progress.log
Performance Tips
- Concurrency: Increase with the -c flag; 50-100 is typical, 200+ for very large lists
- Timeout: Reduce timeout with -t for faster scanning; 3000-5000ms is reasonable
- Output Buffering: Redirect to file to see results as they complete
- Memory: httprobe is lightweight; suitable for resource-constrained environments
Troubleshooting
| Issue | Solution |
|---|---|
| No results | Increase timeout: httprobe -t 10000 |
| Slow scanning | Increase concurrency: httprobe -c 100 |
| Connection refused | Check network connectivity and firewall rules |
| Empty input | Verify domain list format (one per line) |
| Port conflicts | Try alternative ports with -p option |
Security Considerations
- Authorization: Only probe domains/networks you own or have explicit permission to test
- Rate Limiting: Respect server limits; use appropriate concurrency settings
- Logging: Monitor and log all discovery activities for audit trails
- False Positives: Verify results with manual inspection before further testing
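The Authorization and Logging points above can be enforced in the pipeline itself. The following is an added example, not part of httprobe or of the original page: a filter that passes only hostnames under an authorized domain and records everything it drops. The names scope_filter, scope.txt and AUDIT_LOG are assumptions made for this sketch, and it goes slightly beyond the text by also normalizing URLs, wildcards and trailing dots in the input.

```bash
#!/usr/bin/env bash
# Added example, not part of httprobe. scope_filter, scope.txt and AUDIT_LOG
# are names made up for this sketch.
# Usage: scope_filter scope.txt < candidates.txt | httprobe -c 50
scope_filter() {
  scope_file=$1
  # Fail closed: without a readable scope file nothing is passed on.
  [ -r "$scope_file" ] || { echo "scope file not readable: $scope_file" >&2; return 2; }
  awk -v scope="$scope_file" -v audit="${AUDIT_LOG:-/dev/null}" \
      -v ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)" '
    function norm(s) {
      s = tolower(s)
      gsub(/[ \t\r]/, "", s)       # stray whitespace and CRLF endings
      sub("^https?://", "", s)     # tolerate URLs in the input
      sub("[/:].*$", "", s)        # drop port and path
      sub(/^\*\./, "", s)          # "*.example.com" -> "example.com"
      sub(/\.$/, "", s)            # trailing root dot
      return s
    }
    BEGIN {
      # Scope file: one authorized domain per line, "#" starts a comment.
      while ((getline line < scope) > 0) {
        sub(/#.*/, "", line)
        d = norm(line)
        if (d != "") allowed[d] = 1
      }
    }
    {
      h = norm($0)
      if (h == "" || (h in seen)) next
      seen[h] = 1
      # Compare whole labels only: check h, then each parent domain of h.
      ok = 0
      for (p = h; p != ""; p = substr(p, i + 1)) {
        if (p in allowed) { ok = 1; break }
        i = index(p, ".")
        if (i == 0) break
      }
      if (ok) print h
      else print ts "\tout-of-scope\t" h >> audit
    }
  '
}
```

Matching on whole labels is what keeps look-alike names such as notexample.com or example.com.attacker.net out of the probe list when only example.com is authorized.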
Related Tools
- subfinder: Subdomain enumeration
- assetfinder: Asset discovery
- amass: Advanced OSINT subdomain enumeration
- curl/wget: HTTP client utilities for detailed investigation
- nmap: Network scanning and port discovery