loading
loading
Recon
A Golang client for querying SecurityTrails API data from the command line.
overview
haktrails wraps the SecurityTrails API in a fast command-line client, so recon that would take many manual queries collapses into one piped command. Give it a list of domains and a mode, and it returns the matching intelligence: subdomains, associated domains and IPs, historical DNS records, WHOIS, company details, or tags. Every mode reads its targets from stdin or a file, which makes haktrails easy to drop between other recon tools.
Because the data comes from SecurityTrails rather than live probing, haktrails is passive: it never touches the target. That makes it a quiet first pass for mapping an organization's footprint, surfacing subdomains and historical records that active enumeration would miss. The threads flag controls request concurrency, but the API enforces its own rate limits, so the practical ceiling is your plan, not your hardware.
On Trickest, haktrails is a Recon node that takes a domains file and an API key and writes a file and a folder of results. Run it early to seed an attack-surface workflow, then hand its subdomains to httpx to find which are live.
source github.com/hakluke/haktrails
use cases
Run subdomains mode against a domains list to pull SecurityTrails' known subdomains without sending a single request to the target.
Use historicaldns and historicalwhois modes to recover past records and registration data that reveal infrastructure changes and ownership over time. Set -type to pick the DNS record type.
Use associateddomains and associatedips modes to find related assets, broadening an engagement's scope from a single seed domain.
Feed haktrails subdomains straight into httpx so the rest of the workflow runs against the full discovered surface.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domains | FILE | · | List of target domains to query, one per line. |
| api-key | STRING | · | SecurityTrails API key used to authenticate every request. |
| subdomains | BOOLEAN | subdomains | Subdomains mode: pull known subdomains for each domain. |
| associateddomains | BOOLEAN | associateddomains | Associated domains mode: find domains related to each target to widen scope. |
| associatedips | BOOLEAN | associatedips | Associated IPs mode: return IP addresses linked to each domain. |
| historicaldns | BOOLEAN | historicaldns | Historical DNS mode: return past DNS records (set -type for the record type). |
| whois | BOOLEAN | whois | WHOIS mode: return current registration data. |
| type | STRING | -type | DNS record type for historical DNS queries: a, aaaa, mx, ns, soa, txt (default a). |
Showing key inputs. haktrails exposes 14 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| tags | BOOLEAN | tags | Tags mode: return SecurityTrails tags for each domain. |
| type | STRING | -type | DNS record type for historical DNS queries: a, aaaa, mx, ns, soa, txt (default a). |
| whois | BOOLEAN | whois | Whois mode: return current WHOIS registration data. |
| api-key | STRING | · | SecurityTrails API key used to authenticate every request. |
| company | BOOLEAN | company | Company mode: return company details for each domain. |
| details | BOOLEAN | details | Details mode: return SecurityTrails record details for each domain. |
| domains | FILE | · | Target domains to query, one per line. |
| threads | STRING | -t | Number of threads to use; the API enforces its own rate limits (default 2). |
| subdomains | BOOLEAN | subdomains | Subdomains mode: return known subdomains for each domain. |
| associatedips | BOOLEAN | associatedips | Associated IPs mode: return IP addresses linked to each domain. |
| historicaldns | BOOLEAN | historicaldns | Historical DNS mode: return past DNS records for each domain. |
| subs-per-host | STRING | -b | Number of subdomains to send per request for the submission endpoint (default 100). |
| historicalwhois | BOOLEAN | historicalwhois | Historical WHOIS mode: return past WHOIS registration data for each domain. |
| associateddomains | BOOLEAN | associateddomains | Associated domains mode: return domains related to each target. |
example
# pull SecurityTrails subdomains for a domainecho example.com | haktrails subdomainsapi.example.comwww.example.commail.example.comdev.example.comstaging.example.comvpn.example.comblog.example.comcdn.example.com… (one subdomain per line, ready to pipe into httpx)guidance
Use haktrails when you have a SecurityTrails key and want passive subdomain, DNS, and WHOIS data without touching the target. For passive subdomains from many sources at once, subfinder is broader. For live verification of what it finds, follow with httpx.
Aggregates passive subdomains from many sources, not just SecurityTrails. Broader coverage, no single-vendor key.
Deeper OSINT and active enumeration. Heavier to run, wider asset graph than a single API client.
Lightweight passive subdomain finder. Simpler, fewer modes than haktrails.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A domains list feeds haktrails, which queries SecurityTrails for subdomains and passes them to httpx for live probing before they land as a queryable output.
Facts on this page come from the live Trickest tool library.