loading
loading
Recon
An OSINT tool that maps IP addresses to virtual hostnames at scale.
overview
HostHunter solves the reverse of normal recon: you have IP addresses, but you need the hostnames behind them. Given a set of target IPs, it applies OSINT techniques to recover the virtual hostnames each IP serves, which matters because one IP often hosts many sites and the interesting application rarely answers on the bare address. The result is a clean mapping from IP to hostname you can act on.
It writes its findings as a CSV or TXT file, so the output drops straight into a spreadsheet or the next stage of a pipeline. Run it against a file of target IPs for bulk mapping, or against a single IP for a quick lookup. Under the hood it combines reverse DNS, TLS certificate inspection, and public OSINT sources to recover names a bare IP never reveals.
On Trickest, HostHunter is a Recon node that reads a targets file and writes a file and a folder of results. Run it when an upstream step hands you IP ranges, then feed the recovered hostnames into httpx to find which are live web hosts.
use cases
Hand HostHunter a file of target IPs to recover the virtual hostnames each one serves, turning a netblock into named assets.
After mapping an organization's IP ranges, use HostHunter to find the hostnames on them, broadening the in-scope surface.
Choose CSV output to drop the IP-to-hostname mapping straight into a spreadsheet or asset inventory.
Pass discovered hostnames to httpx so the workflow continues against named web hosts instead of bare IPs.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| targets | FILE | · | File of target IP addresses to map to hostnames. |
| single-ip-target | STRING | -t | Scan a single IP instead of a file. |
| format | STRING | --format | Output file format, CSV or TXT. |
Showing key inputs. hosthunter exposes 3 inputs in total.
example
# map a file of target IPs to hostnames, export as CSVpython3 hosthunter.py targets.txt --format csv[*] Loaded 6 target IP addresses[+] 203.0.113.10 vpn.example.com[+] 203.0.113.11 mail.example.com[+] 198.51.100.24 www.example.com[+] 198.51.100.25 api.example.com[+] 198.51.100.26 staging.example.com[!] 203.0.113.12 no hostname found[*] 5 hostnames written to hosts.csvguidance
Use HostHunter when you start from IP addresses and need the hostnames behind them. For forward discovery from a domain, use subfinder. For live web verification of the hostnames it finds, follow with httpx.
Also derives hostnames from IPs via TLS and reverse DNS. Different sources, narrower output.
Forward discovery from a domain to subdomains. The opposite direction to HostHunter.
Probes which recovered hostnames are live web hosts. Run it after HostHunter.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
An IP list feeds HostHunter, which recovers the hostnames behind each address and passes them to httpx for live probing before they land as a queryable output.
Facts on this page come from the live Trickest tool library.