Skip to content
HostHunter a recon tool for discovering hostnames using OSINT techniques.
Branch: master
Clone or download
superhedgy Merge pull request #1 from infinityhacked/master
Nonetype issue fixed when cert_hostname is None on line 210
Latest commit c842375 Jul 30, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE MIT License May 1, 2019
requirements.txt Latest compatible python modules May 16, 2019

Python Version GitHub release License Vulnerabilities Twitter Follow

HostHunter v1.5

A tool to efficiently discover and extract hostnames providing a large set of target IP addresses. HostHunter utilises simple OSINT techniques to map IP addresses with virtual hostnames. It generates a CSV or TXT file containing the results of the reconnaissance.

Latest version of HostHunter also takes screenshots of the targets, it is currently a beta functionality.


  • Currently GitLab's markup language does not support HTML or CSS control over the images, thus the following link thumbnail is huge.



  • Tested with Python 3.7.2.

Linux / Mac OS

  • Install python dependencies.
$ pip3 install -r requirements.txt

The next few steps are only required if you would like to use the Screen Capture feature.

  • Download and install the latest version of Google Chrome.

Mac OS:

$ brew cask install google-chrome


$ wget

$ dpkg -i ./google-chrome-stable_current_amd64.deb

$ sudo apt-get install -f
  • Download and install the latest ChromeDriver.

Mac OS:

wget -O /tmp/ && sudo unzip /tmp/ chromedriver -d /usr/local/bin/;


wget -O /tmp/ && sudo unzip /tmp/ chromedriver -d /usr/local/bin/;

Simple Usage Example

$ python3 <targets.txt>
$ cat vhosts.csv

More Examples

HostHunter Help Page

$ python3 -h
usage: [-h] [-b] [-f FORMAT] [-o OUTPUT] [-sc] [-t TARGET] [-V]

|<--- HostHunter v1.5 - Help Page --->|

positional arguments:
  targets               Sets the path of the target IPs file.

optional arguments:
  -h, --help            show this help message and exit
  -b, --bing            Use search engine to discover more hostnames
                        associated with the target IP addreses.
  -f FORMAT, --format FORMAT
                        Choose between CSV and TXT output file formats.
  -o OUTPUT, --output OUTPUT
                        Sets the path of the output file.
  -sc, --screen-capture
                        Capture a screen shot of any associated Web
  -t TARGET, --target TARGET
                        Scan a Single IP.
  -V, --version         Displays the current version.

Run HostHunter with Bing and Screen Capture modules enabled

$ python3 <targets.txt> --bing -sc -f csv -o hosts.csv

Display Results

$ cat hosts.csv

View Screenshots

$ open ./screen_captures/


[X] Works with Python3
[X] Extracts and analyses hostnames from SSL certificates
[X] Utilises Hacker Target API
[X] Scraps results
[X] Takes Screenshots of the targets
[X] Validates target IPv4 addresses
[X] Supports .txt and .csv output file formats

Coming Next

[_] Support for HackerTarget API key
[_] Support for IPv6
[_] Gather information from additional APIs
[_] Actively pull SSL certificates from other TCP ports


  • Free APIs throttle the amount of requests per day per source IP address.


This project is licensed under the MIT License.



Thank you for all the support & feedback! Stargazers

You can’t perform that action at this time.