




The hostmap host name discovery tool is a utility designed to discover the host names related to a given IP address: generally speaking, all application-level host names related to a server (for example, DNS names and HTTP virtual hosts).


In the real world, an IP address can be registered in a DNS server under multiple host names, because it has aliases or hosts several websites.


A user or penetration tester who needs to test the security of a machine needs to know all of its host names (and, importantly, which ones are in the agreed scope!). These are needed for a complete test of the system, because several applications, for example the web server, expose different attack points (in that case, virtual hosts) for each host name requested, so each one must be fully tested.


A number of resources are checked to help with discovery:


  • Microsoft Bing (with and without search API)
  • MIT GPG key server
  • DNS/WHOIS databases
  • DNShistory
  • Domainsdb
  • Gigablast
  • Netcraft
  • Robtex
  • Tomdns
  • Web-max


It is available from here








Download and extract, then execute:




hostmap.rb [options] -t [target]

Target options:

-t, --target [STRING]          Set target domain

Discovery options:

--with-zonetransfer            Enable DNS zone transfer check
--without-bruteforce           Disable DNS bruteforcing
--without-dnsexpansion         Disable DNS TLD expansion
--bruteforce-level [STRING]    Bruteforce aggressivity, lite, custom or full (default is lite)
--without-be-paranoid          Don't check the results consistency
--http-ports [STRING]          Comma separated list of custom HTTP ports to check
--only-passive                 Passive discovery, NO network activity on target network
--timeout [STRING]             Plugin timeout

Networking options:

-d, --dns [STRING]             Comma separated list of DNS servers/IP addresses to use instead of system defaults

Output options:

--print-maltego                Set output formatted for Maltego
-v, --verbose                  Set verbose mode
-h, --help                     Show this help message


Expected Output:


C:\hostmap-0.2.1>ruby hostmap.rb -t
hostmap 0.2.1 codename fissatina
Coded by Alessandro `jekil` Tanasi <>

[2010-01-10 18:16] Found new domain
[2010-01-10 18:16] Found new hostname
[2010-01-10 18:16] Found new hostname
[2010-01-10 18:17] Detected a wildcard entry in X.509 certificate for: *
[2010-01-10 18:17] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[2010-01-10 18:17] Found new mail server
[2010-01-10 18:17] Found new nameserver
[2010-01-10 18:17] Found new mail server
[2010-01-10 18:17] Found new nameserver
[2010-01-10 18:17] Found new nameserver
[2010-01-10 18:18] Found new nameserver
Results for
Served by name server (probably)
Served by mail exchange (probably)
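
As an added example (not part of hostmap or the original page), the Ruby below sorts discovered host names against an agreed scope before any testing starts, which is the scope point made earlier. The scope values, the DNS answers and the names `triage` and `domain_in_scope?` are constructed for illustration, and the consistency rule (a name must still resolve to the target IP) is an assumption, not hostmap's own logic.

```ruby
require 'resolv'
require 'ipaddr'

# Agreed engagement scope (constructed sample values, documentation ranges).
SCOPE_DOMAINS = %w[example.com].freeze
SCOPE_NETS    = [IPAddr.new('192.0.2.0/24')].freeze

# Constructed DNS answers standing in for live lookups so the example runs offline.
SAMPLE_ANSWERS = {
  'www.example.com'      => ['192.0.2.10'],
  'shop.example.com'     => ['192.0.2.10'],
  'old.example.com'      => ['198.51.100.7'],  # moved to another server
  'customer.example.net' => ['192.0.2.10'],    # third party on the same IP
  'gone.example.com'     => []                 # no longer resolves
}.freeze

# True when host is a scoped domain or a subdomain of one.
def domain_in_scope?(host, domains = SCOPE_DOMAINS)
  h = host.downcase.chomp('.')
  domains.any? { |d| h == d || h.end_with?(".#{d}") }
end

# Sort discovered names into buckets. `resolver` maps a name to an array of
# address strings; it defaults to the system resolver and can be replaced.
def triage(target_ip, names, resolver: ->(n) { Resolv.getaddresses(n) })
  target = IPAddr.new(target_ip)
  names.uniq.each_with_object(Hash.new { |h, k| h[k] = [] }) do |name, out|
    if name.start_with?('*.')
      out[:wildcard] << name # certificate wildcard, not a concrete host name
      next
    end
    addrs = resolver.call(name).map { |a| IPAddr.new(a) rescue nil }.compact
    in_nets = addrs.all? { |a| SCOPE_NETS.any? { |net| net.include?(a) } }
    bucket =
      if addrs.empty? then :unresolved
      elsif !addrs.include?(target) then :stale # passive data is out of date
      elsif domain_in_scope?(name) && in_nets then :in_scope
      else :needs_authorization
      end
    out[bucket] << name
  end
end

found = SAMPLE_ANSWERS.keys + ['*.example.com']
report = triage('192.0.2.10', found, resolver: ->(n) { SAMPLE_ANSWERS.fetch(n, []) })
report.each { |bucket, names| puts "#{bucket}: #{names.join(', ')}" }
```

Names in the `needs_authorization` bucket share the target IP but fall outside the agreed domains, which is the usual shared-hosting case that has to go back to the client before testing.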

