httprobe
Probe HTTP endpoints from a list of domains
TLDR
Probe a list of domains from a text file
Only check for HTTP if HTTPS is not working
Probe additional ports with a given protocol
Display help
SYNOPSIS
httprobe [OPTIONS]
Example Usage:
subfinder -d example.com | httprobe -c 100 -p http:80,https:443,http:8080
PARAMETERS
-c <concurrency>, --concurrency <concurrency>
Sets the number of concurrent probes. Default is 50.
-t <timeout>, --timeout <timeout>
Specifies the connection timeout in milliseconds. Default is 10000 (10 seconds).
-p <ports>, --ports <ports>
Defines custom ports to probe. Format is protocol:port, separated by commas (e.g., http:80,https:443,http:8080). By default, it probes common HTTP/S ports.
-s, --ssl
Always attempt HTTPS. (Note: This flag is deprecated; it's recommended to use -p https:443 instead for explicit control.)
-l, --list-ips
Displays the IP addresses of discovered hosts instead of their hostnames.
-prefer-https
If both HTTP and HTTPS are found for a host, prefer and output the HTTPS URL.
-v, --verbose
Enables verbose output, showing more details about the probing process.
-r, --resolve
Resolves hostnames to their corresponding IP addresses during probing.
-no-redirects
Prevents httprobe from following HTTP redirects.
-tls-grab
Attempts to grab TLS certificate information. (Experimental feature).
-stable
Ensures the output is stable (sorted) for consistent results.
-sfdc, --skip-ssl-cert-verification
Skips SSL certificate verification, useful in environments with self-signed certificates or for avoiding errors on invalid ones.
-vhost, --vhost
Adds a Host header for virtual hosts during probing.
-h, --help
Displays the help message and exits.
DESCRIPTION
httprobe is a fast, robust, and highly concurrent tool written in Go, designed to quickly identify active HTTP and HTTPS servers on a given list of domains or IP addresses. It reads a list of targets from stdin (standard input) and outputs the corresponding live URLs to stdout (standard output). This makes it incredibly useful for chaining with other command-line tools in reconnaissance workflows, such as after subdomain enumeration.
The tool attempts to connect to common HTTP/S ports (e.g., 80, 443, 8080, 8443) by default, and can be configured to probe custom ports. Its primary advantage lies in its speed, achieved through high concurrency, allowing users to efficiently process large lists of hosts to find operational web services. It's an essential utility for penetration testers, bug bounty hunters, and system administrators looking to discover web assets rapidly.
CAVEATS
While highly efficient, httprobe can generate a significant amount of network traffic due to its high concurrency. This might be considered noisy on some networks and could potentially trigger intrusion detection systems (IDS) or rate limits. It relies on open ports and standard HTTP/S responses to identify live services, so complex web application firewalls or non-standard server behaviors might lead to false negatives.
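The burst pattern this caveat describes can be spotted from the defender's side by counting how many distinct host:port pairs a single source requests within a few seconds. The sketch below is an added example, not part of httprobe or its documentation. The log layout, the `find_sweeps` name, the thresholds and the root-path filter are all assumptions made for illustration, and input lines are assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> <src_ip> <vhost> <port> <method> <path>".
# The layout is an assumption for this example, not a real product's log format.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 www.example.com 443 GET /
2024-05-01T10:00:00 203.0.113.9 app.example.com 80 GET /
2024-05-01T10:00:00 203.0.113.9 app.example.com 443 GET /
2024-05-01T10:00:01 203.0.113.9 api.example.com 80 GET /
2024-05-01T10:00:01 203.0.113.9 api.example.com 443 GET /
2024-05-01T10:00:01 203.0.113.9 dev.example.com 8080 GET /
2024-05-01T10:00:02 203.0.113.9 mail.example.com 443 GET /
2024-05-01T10:00:40 198.51.100.7 www.example.com 443 GET /login
2024-05-01T10:05:00 198.51.100.7 app.example.com 443 GET /
"""

def find_sweeps(lines, window_s=5, min_targets=5):
    """Return {src_ip: max distinct host:port targets seen inside any window}
    for sources that reach min_targets within window_s seconds."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # src_ip -> deque of (time, "host:port")
    flagged = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue              # skip blank or malformed lines
        ts, src, host, port, _method, path = parts
        if path != "/":
            continue              # assumption: liveness probes request only the root
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((now, f"{host.lower()}:{port}"))
        while now - q[0][0] > window:
            q.popleft()           # drop events that fell out of the window
        targets = len({t for _, t in q})
        if targets >= min_targets:
            flagged[src] = max(flagged.get(src, 0), targets)
    return flagged

if __name__ == "__main__":
    for src, n in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct host:port targets within 5s")
```

Tune `window_s` and `min_targets` against normal traffic first, since shared egress addresses such as NAT gateways or monitoring services can also touch many virtual hosts in a short span.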
INPUT AND OUTPUT
httprobe is designed for seamless integration into command-line pipelines. It expects a newline-separated list of hostnames or IP addresses to be provided via standard input (stdin) and prints the identified live HTTP/S URLs to standard output (stdout). This 'Unix philosophy' approach makes it highly versatile for chaining with other tools, such as subdomain enumerators (e.g., subfinder, assetfinder) or port scanners (e.g., naabu).
INSTALLATION
The most common way to install httprobe is via Go:
go install github.com/tomnomnom/httprobe@latest
Alternatively, pre-compiled binaries are often available for various operating systems on its GitHub repository, making it easy to download and run without a Go environment.
HISTORY
httprobe was developed by Tom Hudson, better known as tomnomnom in the cybersecurity community. Written in the Go programming language, it quickly gained popularity within the bug bounty and penetration testing communities due to its unparalleled speed and simplicity for identifying live web servers. It has become a staple tool in reconnaissance workflows, often used in conjunction with other open-source intelligence (OSINT) tools for asset discovery. Its design emphasizes performance and ease of integration with command-line pipelines.
SEE ALSO
curl(1), nmap(1), subfinder(1), assetfinder(1), naabu(1)