Enumerate Subdomains and Perform Recon with Haktrails, TLSx, DNSx, Masscan, and httpx

This post outlines a powerful reconnaissance workflow using multiple open-source tools to enumerate subdomains, resolve IPs, scan ports, and extract valuable data from live hosts.

Tools Used:

  • Haktrails – Subdomain enumeration
  • TLSx – Extract TLS certificate SANs (Subject Alternative Names)
  • DNSx – Resolve subdomains to IPs
  • Masscan – Fast port scanning
  • httpx – Validate live hosts
  • hakrawler – Crawl for hidden parameters, S3 buckets, and more

🔗 Reference: Haktrails GitHub

You Should Know:

1. Enumerate Subdomains with Haktrails

Haktrails fetches subdomains from various sources, including certificate transparency logs.

echo example.com | haktrails subdomains > subs.txt

2. Extract Additional Subdomains via TLS Certificates (TLSx)

TLSx helps find more subdomains from TLS certificates.

tlsx -u example.com -san -o tls_subs.txt

3. Resolve Subdomains to IPs (DNSx)

Use DNSx to resolve the discovered subdomains. With -resp-only the output file holds bare IP addresses, which is the form masscan's -iL expects in the next step (use -resp instead if you want to keep the host-to-IP mapping):

cat subs.txt | dnsx -a -resp-only -o resolved_ips.txt

4. Fast Port Scanning with Masscan

Scan top ports quickly:

masscan -p1-10000 -iL resolved_ips.txt --rate 10000 -oG masscan_results.txt

5. Validate Live Hosts with httpx

Masscan's grepable output is not a plain host list, so pull the ip:port pairs out of it before handing them to httpx, then keep the services that answer over HTTP/HTTPS:

awk '/Host:/ { for (i = 1; i <= NF; i++) { if ($i == "Host:") ip = $(i+1); if ($i == "Ports:") split($(i+1), p, "/") } print ip ":" p[1] }' masscan_results.txt | httpx -title -status-code -o live_hosts.txt

6. Crawl for Hidden Data

Use hakrawler to find hidden endpoints, S3 buckets, and parameters. live_hosts.txt carries the status code and title after each URL, so pass only the first column:

awk '{print $1}' live_hosts.txt | hakrawler -depth 2 -scope exact > crawl_results.txt

7. Search for Vulnerabilities

Run nuclei for common vulnerabilities, again feeding it only the URL column of live_hosts.txt:

awk '{print $1}' live_hosts.txt | nuclei -t ~/nuclei-templates/ -o vuln_scan.txt
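The handoffs between steps 3, 4 and 5 are where this kind of pipeline usually breaks, because each tool annotates its output and the next tool expects plain input. As an added example (not code from the original post or from any of these projects), the POSIX sh/awk helpers below reduce dnsx, masscan -oG and httpx output to the bare host, ip:port or URL the next step accepts; the sample lines are constructed, and the leading Timestamp field in masscan's grepable output is an assumption about current builds (older builds omit it, which the parser also handles).

```shell
#!/bin/sh
# Added example, not from the original post: glue between steps 3, 4 and 5.
# Each tool writes annotated lines that the next tool does not accept as-is;
# these helpers reduce them to the plain ip / ip:port / URL the next step wants.
# All sample lines below are constructed, not real scan output.

# dnsx -a -resp prints "host [ip]" (one line per A record).
# Emit bare, de-duplicated IPs for masscan -iL.
dnsx_ips() {
    awk 'match($0, /\[[0-9.]+\]/) { print substr($0, RSTART + 1, RLENGTH - 2) }' | sort -u
}

# masscan -oG prints "Host: <ip> ()<TAB>Ports: <port>/open/tcp////", with a
# leading "Timestamp: <n><TAB>" field assumed for current builds, so fields are
# located by label rather than by position. Emit "ip:port" for open ports only.
masscan_targets() {
    awk '/Host:/ {
        ip = ""; port = ""; state = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "Host:") ip = $(i + 1)
            if ($i == "Ports:") { split($(i + 1), p, "/"); port = p[1]; state = p[2] }
        }
        if (ip != "" && state == "open") print ip ":" port
    }' | sort -u
}

# httpx -status-code -title prints "url [code] [title]".
# Keep only the URL of responses with a 2xx or 3xx status for hakrawler/nuclei.
httpx_urls() {
    awk '$2 ~ /^\[[23][0-9][0-9]\]$/ { print $1 }'
}

# Run the three helpers on constructed sample data.
demo() {
    printf '%s\n' 'www.example.com [93.184.216.34]' 'www.example.com [93.184.216.34]' \
        'mail.example.com [93.184.216.35]' | dnsx_ips
    printf 'Timestamp: 1700000000\tHost: %s ()\tPorts: %s\n' \
        93.184.216.34 443/open/tcp//// 93.184.216.34 80/open/tcp//// \
        93.184.216.35 25/closed/tcp//// | masscan_targets
    printf '%s\n' 'https://93.184.216.34:443 [200] [Example Domain]' \
        'http://93.184.216.34:80 [301] [Moved Permanently]' \
        'http://93.184.216.35:80 [503] [Service Unavailable]' | httpx_urls
}

demo
```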

What Undercode Say:

This recon methodology is essential for bug bounty hunters and penetration testers. Automating subdomain discovery, port scanning, and crawling helps uncover hidden attack surfaces.

Additional Useful Commands:

  • Extract JavaScript files for analysis (the quantifier is needed, otherwise the pattern only matches one-character names):
    grep -Eo 'src="[^"]*\.js"' crawl_results.txt | sort -u

  • Find exposed AWS S3 buckets (dots escaped so they match literally):
    grep -E 's3\.amazonaws\.com' crawl_results.txt

  • Check for open directories (live_hosts.txt already holds full URLs plus status and title, so take the URL column and fuzz the host itself):
    awk '{print $1}' live_hosts.txt > live_urls.txt
    ffuf -u "FUZZ/" -w live_urls.txt -mc 200 -mr "Index of"

  • Extract hidden comments from HTML (-r is for directories, not a single file):
    grep "<!--" crawl_results.txt


Prediction:

As organizations move to cloud-based infrastructures, automated recon tools will become even more critical for security assessments. Expect more integrations between tools like Haktrails, TLSx, and hakrawler for faster attack surface mapping.

Expected Output:

A structured recon report containing subdomains, live hosts, open ports, hidden endpoints, and potential vulnerabilities.

References:

Reported By: Atjunior Bugbounty – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
