Skip to content
Related Articles

Related Articles

Improve Article

HakTrails – Subdomain Recon Tool for bug bounty

  • Last Updated : 09 Aug, 2021
Geek Week

Haktrails tool is a Golang language-based tool used for querying SecurityTrails API data. Security Trails sponsor the Haktrails tool. Haktrails is an excellent tool for reconnaissance. The primary purpose of this tool is for subdomain enumeration, but you can work beyond this enumeration. Haktrails is designed in such a way that it can be chain easily with other tools. Being a Security Researcher, you can add this tool to your Bug Bounty Recon Bucket.

Note: As Haktrails is a Golang language-based tool, so you need to have a Golang environment on your system. So check this link to install Golang in your system – How to Install Go Programming Language in Linux

Features of Haktrails tool

  • Stdin input for easy tool chaining
  • Subdomain discovery
  • Associated root domain discovery
  • Associated IP discovery
  • Historical DNS data
  • Historical whois data
  • DSL queries (currently a prototype)
  • Company discovery (discover owner of any domain)
  • Whois (returns JSON whois data for any given domain)
  • Ping (check that whether your current SecurityTrail’s configuration/key is working)
  • Usage (check your current SecurityTrails usage)
  • “JSON” or “list” output options for easy tool chaining
  • “ZSH & Bash autocompletion”

Installation of Haktrails in Kali Linux

Step 1: If you have downloaded Golang in your system, verify the installation by checking the version of Golang, use the following command.

go version

Step 2: Get the Haktrails repository or clone the Haktrails tool from Github, use the following command.

sudo go get

Step 3: Copy the Haktrails tool in the bin directory so we can easily use the tool without running the tool manually by golang, use the following command.

sudo cp /root/go/bin/haktrails /usr/local/go/bin/

Step 4: To get your API key, go to website and register your account. You will get your unique API key;

Step 5: Make mkdir ~/.config/haktools/ directory to insert API key required for running the tool, use the following command.

sudo mkdir ~/.config/haktools/

Step 6: (Setting Up the Config File) Create a haktrails-config.yml file in which the API key will be inserted, use the following command.

sudo mousepad ~/.config/haktools/haktrails-config.yml

Step 7: Verify whether haktrails is successfully configured or not, use the following command.


Step 8: Verify if your API key is properly inserted or not, use the following command.

haktrails ping

If you  get this {“success”:true} response then your key is configured properly.

Understanding Flags 

  • -o json or -o list: Hakrails tool can specify the output in the JSON or list format. The list format is the default format for output. Subdomains, associated domains, and associated IPs are compatible with a list format. All the remaining endpoints are compatible with JSON format.
  • -t <int number>: Haktrails tool allows to set the number of threads manually. This will specify how many domains can be processed at the same instance of time.
  • -c <file path>: Haktrails tool allows to set the config file in any file location using -c <file path> flag.
  • -type <type> : Haktrails tool has the feature of historical DNS lookups, so tot set that -type <type> flag is used. Other available types are a,aaaa,mx,ns,soa,txt.

Note: With this tool, it’s straightforward to utilize through a lot of API credits. For example, if you have more than 10,000 domains in target_domains.txt, running cat target_domains.txt | haktrails subdomains will use 10,000 credits. It’s also worth noting that some functions (such as associated domains) will use multiple API requests. For example, echo “” | haktrails associated domains would use about 20 API requests because the data is paginated, and has many associated domains.

Working with Haktrails Tool 

The contents or the target domains are listed in the domains.txt file. In the below screenshot, the contents of domains.txt are shown.

Example 1: Gathering associated domains

“Gathering Associated Domains” is the term of getting just domains that are acquired or owned by the same company. We will gather all the associated domains for every specified domain in our domains.txt file.

cat domains.txt | haktrails associateddomains

Example 2: Gathering associated IPs

In this example, we will gather the IP addresses or IP ranges that are owned by the company. We will specify the domains list and find the IP addresses.

cat domains.txt | haktrails associatedips

Example 3: Ping

Ping attributes check whether our API key is working properly or not. If it’s having any problem then ping will return an error.

haktrails ping

Example 4: Getting historical DNS data

In this example, we will try to gather the important historical or past DNS (Domain Name System) data for the target domain or company. 

cat domains.txt | haktrails historicaldns

Example 5: Getting company details

Getting detailed information about the company is very important. So in this example, we will try to get company details and explore the company more briefly.

cat domains.txt | haktrails company

Example 6: Getting domain detail

In this example, we will gather the details about the specified domain, which includes DNS records, Alexa ranking of the domain, and last seen time.

cat domains.txt | haktrails details

Example 7: Getting whois data

WHOIS data or records are very important while penetrating the domain. So to gather the whois data is also crucial work. So in this example, we will gather the Whois data of the domain. The output is shown in JSON format.

cat domains.txt | haktrails whois

Example 8: Getting domain tags

In this example, we will return the tags of a specific target domain.

cat domains.txt | haktrails tags

Example 9: Getting API Usage Data

In this example, we will return the information or usage data of API on our SecurityTrails Account.

haktrails usage

Example 10: Checking Your API Key

The following command will Ping SecurityTrails to check if your API key is working properly.

haktrails ping

Example 11: Showing Some Average ASCII Art

Banner is the creative art of showing the design of Tool. So in this example, we will use the banner to just show a fancy banner or ASCII Art

haktrails banner

Example 12: Getting Subdomains

Haktrails has the feature to gather the subdomains related to the target domain. So in this example, we will gather the subdomains for our domains.txt file

cat domains.txt | haktrails subdomains

My Personal Notes arrow_drop_up
Recommended Articles
Page :