Open In App

HakTrails – Subdomain Recon Tool for bug bounty

Last Updated : 09 Aug, 2021
Improve
Improve
Like Article
Like
Save
Share
Report

Haktrails tool is a Golang language-based tool used for querying SecurityTrails API data. Security Trails sponsor the Haktrails tool. Haktrails is an excellent tool for reconnaissance. The primary purpose of this tool is for subdomain enumeration, but you can work beyond this enumeration. Haktrails is designed in such a way that it can be chain easily with other tools. Being a Security Researcher, you can add this tool to your Bug Bounty Recon Bucket.

Note: As Haktrails is a Golang language-based tool, so you need to have a Golang environment on your system. So check this link to install Golang in your system – How to Install Go Programming Language in Linux

Features of Haktrails tool

  • Stdin input for easy tool chaining
  • Subdomain discovery
  • Associated root domain discovery
  • Associated IP discovery
  • Historical DNS data
  • Historical whois data
  • DSL queries (currently a prototype)
  • Company discovery (discover owner of any domain)
  • Whois (returns JSON whois data for any given domain)
  • Ping (check that whether your current SecurityTrail’s configuration/key is working)
  • Usage (check your current SecurityTrails usage)
  • “JSON” or “list” output options for easy tool chaining
  • “ZSH & Bash autocompletion”

Installation of Haktrails in Kali Linux

Step 1: If you have downloaded Golang in your system, verify the installation by checking the version of Golang, use the following command.

go version

Step 2: Get the Haktrails repository or clone the Haktrails tool from Github, use the following command.

sudo go get github.com/hakluke/haktrails

Step 3: Copy the Haktrails tool in the bin directory so we can easily use the tool without running the tool manually by golang, use the following command.

sudo cp /root/go/bin/haktrails /usr/local/go/bin/

Step 4: To get your API key, go to https://securitytrails.com/app/signup?plan=api-0 website and register your account. You will get your unique API key;

https://securitytrails.com/app/signup?plan=api-0

Step 5: Make mkdir ~/.config/haktools/ directory to insert API key required for running the tool, use the following command.

sudo mkdir ~/.config/haktools/

Step 6: (Setting Up the Config File) Create a haktrails-config.yml file in which the API key will be inserted, use the following command.

sudo mousepad ~/.config/haktools/haktrails-config.yml

Step 7: Verify whether haktrails is successfully configured or not, use the following command.

haktrails

Step 8: Verify if your API key is properly inserted or not, use the following command.

haktrails ping

If you  get this {“success”:true} response then your key is configured properly.

Understanding Flags 

  • -o json or -o list: Hakrails tool can specify the output in the JSON or list format. The list format is the default format for output. Subdomains, associated domains, and associated IPs are compatible with a list format. All the remaining endpoints are compatible with JSON format.
  • -t <int number>: Haktrails tool allows to set the number of threads manually. This will specify how many domains can be processed at the same instance of time.
  • -c <file path>: Haktrails tool allows to set the config file in any file location using -c <file path> flag.
  • -type <type> : Haktrails tool has the feature of historical DNS lookups, so tot set that -type <type> flag is used. Other available types are a,aaaa,mx,ns,soa,txt.

Note: With this tool, it’s straightforward to utilize through a lot of API credits. For example, if you have more than 10,000 domains in target_domains.txt, running cat target_domains.txt | haktrails subdomains will use 10,000 credits. It’s also worth noting that some functions (such as associated domains) will use multiple API requests. For example, echo “geeksforgeeks.org” | haktrails associated domains would use about 20 API requests because the data is paginated, and geeksforgeeks.org has many associated domains.

Working with Haktrails Tool 

The contents or the target domains are listed in the domains.txt file. In the below screenshot, the contents of domains.txt are shown.

Example 1: Gathering associated domains

“Gathering Associated Domains” is the term of getting just domains that are acquired or owned by the same company. We will gather all the associated domains for every specified domain in our domains.txt file.

cat domains.txt | haktrails associateddomains

Example 2: Gathering associated IPs

In this example, we will gather the IP addresses or IP ranges that are owned by the company. We will specify the domains list and find the IP addresses.

cat domains.txt | haktrails associatedips

Example 3: Ping

Ping attributes check whether our API key is working properly or not. If it’s having any problem then ping will return an error.

haktrails ping

Example 4: Getting historical DNS data

In this example, we will try to gather the important historical or past DNS (Domain Name System) data for the target domain or company. 

cat domains.txt | haktrails historicaldns

Example 5: Getting company details

Getting detailed information about the company is very important. So in this example, we will try to get company details and explore the company more briefly.

cat domains.txt | haktrails company

Example 6: Getting domain detail

In this example, we will gather the details about the specified domain, which includes DNS records, Alexa ranking of the domain, and last seen time.

cat domains.txt | haktrails details

Example 7: Getting whois data

WHOIS data or records are very important while penetrating the domain. So to gather the whois data is also crucial work. So in this example, we will gather the Whois data of the domain. The output is shown in JSON format.

cat domains.txt | haktrails whois

Example 8: Getting domain tags

In this example, we will return the tags of a specific target domain.

cat domains.txt | haktrails tags

Example 9: Getting API Usage Data

In this example, we will return the information or usage data of API on our SecurityTrails Account.

haktrails usage

Example 10: Checking Your API Key

The following command will Ping SecurityTrails to check if your API key is working properly.

haktrails ping

Example 11: Showing Some Average ASCII Art

Banner is the creative art of showing the design of Tool. So in this example, we will use the banner to just show a fancy banner or ASCII Art

haktrails banner

Example 12: Getting Subdomains

Haktrails has the feature to gather the subdomains related to the target domain. So in this example, we will gather the subdomains for our domains.txt file

cat domains.txt | haktrails subdomains



Like Article
Suggest improvement
Previous
Detecting and Checking Rootkits with Chkrootkit and rkhunter Tool in Kali Linux
Next
3klCon - Automation Recon Tool for Small & Medium Scopes
Share your thoughts in the comments

Similar Reads

Recon-ng Information gathering tool in Kali Linux
Ashok - Osint Recon Tool in Kali Linux
3klector - Automation Recon tool
3klCon - Automation Recon Tool for Small & Medium Scopes
Nuubi – Tool for Information Gathering, Scanning And Recon
HostHunter - Hostnames Recon Tool Using OSINT
Geo-Recon - OSINT Tool To Fast Track IP Reputation And Geolocation Look Up For Security Analysts
BlackDragon - Advanced Automation Tool For Web-Recon
Hydrarecon - All In One, Fast, Easy Recon Tool
Knock - Subdomain Scanner Tool in Kali Linux

G
gauravgandal
Article Tags :
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox