LinuxCommandLibrary

httprobe

Probe HTTP endpoints from a list of domains

TLDR

Probe a list of domains from a text file

$ cat [input_file] | httprobe

Only check for HTTP if HTTPS is not working
$ cat [input_file] | httprobe --prefer-https

Probe additional ports with a given protocol
$ cat [input_file] | httprobe -p [https:2222]

Display help
$ httprobe --help

SYNOPSIS

httprobe [OPTIONS]

Example Usage:
subfinder -d example.com | httprobe -c 100 -p http:80,https:443,http:8080

PARAMETERS

-c <concurrency>, --concurrency <concurrency>
    Sets the number of concurrent probes. Default is 50.

-t <timeout>, --timeout <timeout>
    Specifies the connection timeout in milliseconds. Default is 10000 (10 seconds).

-p <ports>, --ports <ports>
    Defines custom ports to probe. Format is protocol:port, separated by commas (e.g., http:80,https:443,http:8080). By default, it probes common HTTP/S ports.

-s, --ssl
    Always attempt HTTPS. (Note: This flag is deprecated; it's recommended to use -p https:443 instead for explicit control.)

-l, --list-ips
    Displays the IP addresses of discovered hosts instead of their hostnames.

-prefer-https
    If both HTTP and HTTPS are found for a host, prefer and output the HTTPS URL.

-v, --verbose
    Enables verbose output, showing more details about the probing process.

-r, --resolve
    Resolves hostnames to their corresponding IP addresses during probing.

-no-redirects
    Prevents httprobe from following HTTP redirects.

-tls-grab
    Attempts to grab TLS certificate information. (Experimental feature).

-stable
    Ensures the output is stable (sorted) for consistent results.

-sfdc, --skip-ssl-cert-verification
    Skips SSL certificate verification, useful in environments with self-signed certificates or for avoiding errors on invalid ones.

-vhost, --vhost
    Adds a Host header for virtual hosts during probing.

-h, --help
    Displays the help message and exits.

DESCRIPTION

httprobe is a fast, highly concurrent tool written in Go that identifies active HTTP and HTTPS servers on a given list of domains or IP addresses. It reads a list of targets from standard input (stdin) and writes the corresponding live URLs to standard output (stdout), which makes it easy to chain with other command-line tools in reconnaissance workflows, for example after subdomain enumeration.

The tool attempts to connect to common HTTP/S ports (e.g., 80, 443, 8080, 8443) by default, and can be configured to probe custom ports. Its primary advantage lies in its speed, achieved through high concurrency, allowing users to efficiently process large lists of hosts to find operational web services. It's an essential utility for penetration testers, bug bounty hunters, and system administrators looking to discover web assets rapidly.

CAVEATS

While highly efficient, httprobe can generate a significant amount of network traffic due to its high concurrency. This might be considered noisy on some networks and could potentially trigger intrusion detection systems (IDS) or rate limits. It relies on open ports and standard HTTP/S responses to identify live services, so complex web application firewalls or non-standard server behaviors might lead to false negatives.

INPUT AND OUTPUT

httprobe is designed for seamless integration into command-line pipelines. It expects a newline-separated list of hostnames or IP addresses to be provided via standard input (stdin) and prints the identified live HTTP/S URLs to standard output (stdout). This 'Unix philosophy' approach makes it highly versatile for chaining with other tools, such as subdomain enumerators (e.g., subfinder, assetfinder) or port scanners (e.g., naabu).
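The stdin/stdout contract described above can be wrapped on both sides when auditing your own asset inventory. The following is an added example, not part of httprobe or of the original page; the function names and `inventory.txt` are hypothetical, the sample URLs are constructed, and IPv6 literals are not handled.

```shell
#!/bin/sh
# Helpers around httprobe's input (hostnames) and output (URLs).

# normalize_hosts: turn a messy asset list on stdin into the
# newline-separated hostnames httprobe expects. Drops comments and
# blank lines, strips scheme, path and port, lower-cases, de-duplicates.
normalize_hosts() {
    sed -e 's/#.*$//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' \
        -e 's|[/?].*$||' \
        -e 's|:[0-9]*$||' |
    tr '[:upper:]' '[:lower:]' |
    awk 'NF && !seen[$0]++'
}

# http_only_hosts: read httprobe output (one URL per line) on stdin and
# print every host that answered over http:// but never over https://,
# on any port. These are the services still exposed in plaintext only.
http_only_hosts() {
    awk -F'://' '
        NF == 2 {
            host = $2
            sub("[:/].*$", "", host)          # drop port and path
            if ($1 == "https")      tls[host] = 1
            else if ($1 == "http")  plain[host] = 1
        }
        END { for (h in plain) if (!(h in tls)) print h }
    ' | sort
}

# Typical use, with a reduced concurrency (-c is documented above):
#   normalize_hosts < inventory.txt | httprobe -c 10 | http_only_hosts

# Offline demonstration on constructed httprobe output.
printf '%s\n' \
    'http://app.example.com' \
    'https://app.example.com' \
    'http://legacy.example.com:8080' |
    http_only_hosts    # prints legacy.example.com
```

A host missing from httprobe's output is not proof that nothing is listening, so treat the plaintext-only list as a lower bound.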

INSTALLATION

The most common way to install httprobe is via Go:

$ go install github.com/tomnomnom/httprobe@latest

Alternatively, pre-compiled binaries are often available for various operating systems on its GitHub repository, making it easy to download and run without a Go environment.

HISTORY

httprobe was developed by Tom Hudson, better known as tomnomnom in the cybersecurity community. Written in the Go programming language, it quickly gained popularity within the bug bounty and penetration testing communities due to its unparalleled speed and simplicity for identifying live web servers. It has become a staple tool in reconnaissance workflows, often used in conjunction with other open-source intelligence (OSINT) tools for asset discovery. Its design emphasizes performance and ease of integration with command-line pipelines.

SEE ALSO

curl(1), nmap(1), subfinder(1), assetfinder(1), naabu(1)
