A powerful Go tool for finding origin IPs of domains by querying multiple security APIs and validating results with built-in HTTP client.
| Engine | Status | Methods |
|---|---|---|
| Shodan | ✅ Active | Favicon hash, Title, SSL certificate |
| Hunter | ✅ Active | Favicon hash, Title, Certificate |
| SecurityTrails | ✅ Active | DNS history |
| ViewDNS | ✅ Active | IP history |
| Censys | 🚧 Coming Soon | - |
| FOFA | 🚧 Coming Soon | - |
go install github.com/rix4uni/originiphunter@latest
wget https://github.com/rix4uni/originiphunter/releases/download/v0.0.5/originiphunter-linux-amd64-0.0.5.tgz
tar -xvzf originiphunter-linux-amd64-0.0.5.tgz
rm -rf originiphunter-linux-amd64-0.0.5.tgz
mv originiphunter ~/go/bin/originiphunter
Or download the latest release for your platform.
git clone --depth 1 https://github.com/rix4uni/originiphunter.git
cd originiphunter; go install
Note: You can add multiple Free API keys per service for load balancing and rate limit management.
- SecurityTrails: https://securitytrails.com/
- Shodan: https://www.shodan.io/
- ViewDNS: https://viewdns.info/
- Hunter: https://hunter.how/
The tool uses ~/.config/originiphunter/config.yaml by default.
- Create config directory:
mkdir -p ~/.config/originiphunter- Create
config.yaml:
securitytrails:
- YOUR_SECURITYTRAILS_API_KEY_1
- YOUR_SECURITYTRAILS_API_KEY_2
shodan:
- YOUR_SHODAN_API_KEY_1
- YOUR_SHODAN_API_KEY_2
viewdns:
- YOUR_VIEWDNS_API_KEY_1
- YOUR_VIEWDNS_API_KEY_2
hunter:
- YOUR_HUNTER_API_KEY_1
- YOUR_HUNTER_API_KEY_2
censys: []
fofa: []Usage of originiphunter:
--config string Custom config file path (default: ~/.config/originiphunter/config.yaml)
--concurrent int Number of concurrent IP validations (default: 50)
-C, --content-length Match content length in Origin IPs Found section
--engine strings Specific search engines to use (comma-separated). Available: shodan,securitytrails,viewdns,hunter,censys,fofa
-H, --useragent string HTTP User-Agent header (default: Mozilla/5.0 Chrome/141.0.0.0)
--json Output results in JSON format
-p, --parallel Run search engines in parallel for faster execution
--silent Silent mode.
-S, --status-code Match status code in Origin IPs Found section
--verbose Show detailed information about the scanning process
--version Print the version of the tool and exit.Process a single domain:
echo "example.com" | originiphunterProcess multiple domains:
cat domains.txt | originiphunter| Flag | Shorthand | Description |
|---|---|---|
--engine |
- | Specify which search engines to use (comma-separated: shodan,securitytrails,viewdns,hunter,censys,fofa) |
--config |
- | Use a custom config file path |
--verbose |
- | Show detailed information about the scanning process |
--useragent |
-H |
HTTP User-Agent header (default: Mozilla/5.0 Chrome/141.0.0.0) |
--silent |
- | Silent mode (no banner) |
--version |
- | Print version and exit |
--json |
- | Output results in JSON format |
--parallel |
-p |
Run search engines in parallel for faster execution |
--concurrent |
- | Number of concurrent IP validations (default: 50) |
--content-length |
-C |
Match content length in Origin IPs Found section |
--status-code |
-S |
Match status code in Origin IPs Found section |
# Use all configured engines (default)
echo "example.com" | originiphunter
# Use specific engines only
echo "example.com" | originiphunter --engine shodan,hunter
# Enable verbose mode for detailed output
echo "example.com" | originiphunter --verbose
# Use custom config file
echo "example.com" | originiphunter --config /path/to/config.yaml
# Custom User-Agent
echo "example.com" | originiphunter -H "MyBot/1.0"
# Process multiple domains silently
cat domains.txt | originiphunter --silent
# Output results in JSON format
echo "example.com" | originiphunter --json
# Run search engines in parallel for faster execution
echo "example.com" | originiphunter --parallel
# Adjust concurrent IP validation limit
echo "example.com" | originiphunter --concurrent 100
# Match content length and status code in Origin IPs
echo "example.com" | originiphunter --content-length --status-code
# Combine multiple flags
echo "example.com" | originiphunter --parallel --json --concurrent 100 --silent
# Show version
originiphunter --version- Parallel Engine Execution: Use
--parallelflag to run multiple search engines concurrently, significantly speeding up the discovery process - Concurrent IP Validation: By default, validates 50 IPs concurrently. Adjust with
--concurrentflag to balance speed and resource usage
- Content Length Matching: Use
--content-lengthflag to show only IPs that match the original domain's content length - Status Code Matching: Use
--status-codeflag to show only IPs that match the original domain's status code - Both flags work together with title matching (all criteria must match when both flags are set)
- Colored Text Output: Default human-readable format with color-coded status codes
- JSON Output: Use
--jsonflag for structured JSON output, perfect for automation and scripting
_ _ _ __ __
____ _____ (_)____ _ (_)____ (_)____ / /_ __ __ ____ / /_ ___ _____
/ __ \ / ___// // __ // // __ \ / // __ \ / __ \ / / / // __ \ / __// _ \ / ___/
/ /_/ // / / // /_/ // // / / // // /_/ // / / // /_/ // / / // /_ / __// /
\____//_/ /_/ \__, //_//_/ /_//_// .___//_/ /_/ \__,_//_/ /_/ \__/ \___//_/
/____/ /_/
Current originiphunter version v0.0.5
Processing: aiaqa.visa.com
https://aiaqa.visa.com [200] [12746] [Visa - Public Key Infrastructure]
Origin IPs Found:
http://198.241.171.81 [200] [12746] [Visa - Public Key Infrastructure]
http://198.241.169.249 [200] [12746] [Visa - Public Key Infrastructure]
Other IPs:
http://104.18.157.147 [403] [16]
http://104.18.158.147 [403] [16]
http://3.7.198.7 [301] [134] [301 Moved Permanently]
http://31.210.5.60 [Failed]Processing: aiaqa.visa.com
https://aiaqa.visa.com [200] [12746] [Visa - Public Key Infrastructure]
Shodan favicon hash: 708578229
Hunter favicon hash: f3418a443e7d841097c714d69ec4bcb8
Page title: Visa - Public Key Infrastructure
Searching Shodan favicon: https://api.shodan.io/shodan/host/search?key=YOUR_APIKEY&query=http.favicon.hash:"708578229"
Shodan favicon search found 2 IPs
Searching Shodan title: https://api.shodan.io/shodan/host/search?key=YOUR_APIKEY&query=http.title:"Visa - Public Key Infrastructure"
Shodan title search found 4 IPs
Searching Shodan SSL: https://api.shodan.io/shodan/host/search?key=YOUR_APIKEY&query=ssl:"aiaqa.visa.com"
Shodan SSL search found 32 IPs
Shodan total unique IPs: 17
For Browser - Hunter favicon: favicon_hash=="f3418a443e7d841097c714d69ec4bcb8"
Searching Hunter favicon: https://api.hunter.how/search?api-key=YOUR_APIKEY&query=ZmF2aWNvbl9oYXNoPT0iZjM0MThhNDQzZTdkODQxMDk3YzcxNGQ2OWVjNGJjYjgi...
Hunter favicon search found 10 IPs
Hunter total unique IPs: 4
Total unique IPs: 21
Origin IPs Found:
http://198.241.171.81 [200] [12746] [Visa - Public Key Infrastructure]
http://198.241.169.249 [200] [12746] [Visa - Public Key Infrastructure]
Other IPs:
http://104.18.157.147 [403] [16]
...{
"domain": "example.com",
"origin_domain": {
"URL": "https://example.com",
"StatusCode": 200,
"ContentLength": 12345,
"Title": "Example Domain"
},
"origin_ips": [
{
"URL": "http://1.2.3.4",
"StatusCode": 200,
"ContentLength": 12345,
"Title": "Example Domain"
}
],
"other_ips": [
{
"URL": "http://5.6.7.8",
"StatusCode": 200,
"ContentLength": 67890,
"Title": "Other Site"
}
]
}# Show only IPs matching both content length and status code
echo "example.com" | originiphunter --content-length --status-code
# Show only IPs matching content length (title matching still required)
echo "example.com" | originiphunter --content-length
# Show only IPs matching status code (title matching still required)
echo "example.com" | originiphunter --status-code
# Recommended
cat subs.subs | httpx -duc -silent -mc 200 -cdn -server -td | grep -iE "Akamai|Cloudflare" | awk '{print $1}' | originiphunter --silent --content-length --json | jq -r '.origin_ips[]?.URL // empty'