A comprehensive Rust-based tool to:

- 🕵️♂️ Enumerate subdomains with haktrails
- 🔐 Augment with TLS certificate SANs via tlsx
- 🌐 Resolve to IPs using dnsx
- ⚡ Perform fast port scanning with masscan and validate via httpx
- 🕸️ Crawl live hosts to extract:
  - 🪣 S3 bucket URLs
  - 🔗 In-scope links (including HTML comments)
  - 🔒 Hidden form parameters
  - 🔍 Additional parameters via hakrawler

- 🚀 Subdomain Enumeration: `haktrails` + `anew` for deduplication
- 🧾 Certificate SAN Extraction: `tlsx -json -silent` + `jq`
- 🌐 DNS Resolution: `dnsx -a -resp-only -silent`
- 🔎 Port Scanning: `masscan` (1–65535, 10kpps)
- 🔍 Port Validation: `httpx -silent`
- 🕸️ Web Crawling:
  - 🔍 Extract S3 buckets via regex
  - 🔗 Grab `<a>` links & HTML comments
  - 🔒 Find hidden form inputs
  - 🏹 Use `hakrawler` for parameter enumeration
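
An added example (not enumrust's own code; the page does not show how the tool filters names): certificate SAN lists often carry wildcard entries and names from unrelated domains, so the merge between SAN extraction and DNS resolution should normalise each name and keep only those under the target domain before anything is resolved or scanned. The function names and the sample SAN list are constructed for illustration.

```rust
use std::collections::BTreeSet;

/// Normalise one SAN entry: trim, lowercase, drop a trailing dot and a
/// leading wildcard label. Returns None for empty or malformed hostnames.
fn normalize_san(raw: &str) -> Option<String> {
    let name = raw.trim().trim_end_matches('.').to_ascii_lowercase();
    let name = name.strip_prefix("*.").unwrap_or(&name).to_string();
    let valid = !name.is_empty()
        && name.split('.').all(|label| {
            !label.is_empty()
                && label.len() <= 63
                && !label.starts_with('-') && !label.ends_with('-')
                && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
        });
    if valid { Some(name) } else { None }
}

/// True only when `name` is the root domain or ends with ".<root>".
/// A bare suffix test would also accept "notexample.com".
fn in_scope(name: &str, root: &str) -> bool {
    name == root || name.ends_with(&format!(".{}", root))
}

/// Merge SAN entries into the known subdomain set, keeping in-scope names
/// only. Returns the names that were new (the role anew plays in the pipeline).
fn merge_sans(known: &mut BTreeSet<String>, sans: &[&str], root: &str) -> Vec<String> {
    let root = root.trim_end_matches('.').to_ascii_lowercase();
    let mut added = Vec::new();
    for raw in sans {
        if let Some(name) = normalize_san(raw) {
            if in_scope(&name, &root) && known.insert(name.clone()) {
                added.push(name);
            }
        }
    }
    added
}

fn main() {
    // Constructed sample: entries as they might appear in one certificate's SAN list.
    let sans = ["*.example.com", "API.example.com.", "notexample.com",
                "example.com.evil.test", "cdn.partner.net", "api.example.com"];
    let mut known: BTreeSet<String> = ["www.example.com".to_string()].into();
    let added = merge_sans(&mut known, &sans, "example.com");
    println!("added: {:?}", added);
    println!("all:   {:?}", known);
}
```

Names that fail the scope check never reach the DNS resolution or port-scanning stages, which keeps a shared or multi-tenant certificate from pulling third-party hosts into the run.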

Ensure the following tools are in your `$PATH`: Rust, haktrails, tlsx, jq, dnsx, masscan, httpx, hakrawler

```bash
# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

# Clone repository
git clone https://github.com/KingOfBugbounty/enumrust.git
cd enumrust

# Build binary
cargo build --release
```

Below are commands to install dependencies on macOS 🍎 (Homebrew) and Debian/Ubuntu 🐧:

```bash
# 🛠️ haktrails (ProjectDiscovery)
# macOS 🍎
brew install projectdiscovery/tap/haktrails
# Debian/Ubuntu 🐧
sudo apt-get update && sudo apt-get install -y haktrails

# 🔒 tlsx (ProjectDiscovery)
go install github.com/projectdiscovery/tlsx/cmd/tlsx@latest

# 🛠️ jq (JSON processor)
# macOS 🍎
brew install jq
# Debian/Ubuntu 🐧
sudo apt-get install -y jq

# 🌐 dnsx (ProjectDiscovery)
go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest

# ⚡ masscan (fast port scanner)
# macOS 🍎
brew install masscan
# Debian/Ubuntu 🐧
sudo apt-get install -y masscan

# 🔍 httpx (ProjectDiscovery)
go install github.com/projectdiscovery/httpx/cmd/httpx@latest

# 🕵️ hakrawler (Hakluke)
go install github.com/hakluke/hakrawler@latest
```

```bash
./target/release/enumrust --domain example.com
```

This generates a folder `example.com` with:

File | Description |
---|---|
`subdomains.txt` | Enumerated and SAN-derived subdomains |
`ips.txt` | Resolved A records |
`masscan.txt` | Raw masscan output |
`ports.txt` | Validated open HTTP(S) ports |
`http200.txt` | Alive hosts via httpx |
`s3.txt` | Discovered S3 buckets |
`urls.txt` | Extracted URLs |
`hiddenparams.txt` | Generated hidden-input test URLs |
`params.txt` | Additional parameterized URLs via hakrawler |

- haktrails by ProjectDiscovery
- tlsx by ProjectDiscovery
- dnsx by ProjectDiscovery
- masscan by Robert David Graham
- httpx by ProjectDiscovery
- hakrawler by hakluke
- Clap for CLI parsing
- Reqwest
- Scraper
MIT License. See LICENSE for details.