// THECYBERARYAN — Research

HTTPX — Zero to Hero (Alive Checking & Fingerprinting Guide)

Author: Aryan Pareek • Date: 2025-11-17 • Category: Recon / Fingerprinting

HTTPX is one of the most powerful tools for alive checking, service fingerprinting, response analysis, metadata extraction, TLS inspection, and technology detection. It's a must-have during recon and bug bounty hunting. This guide takes you from zero to expert with real commands, workflows, and automation.

🔥 What is HTTPX?

HTTPX is a fast and flexible HTTP probing tool by ProjectDiscovery. It takes a list of domains and identifies:

Input:   1000 subdomains
Output:  Alive hosts + tech stack + metadata

⚙️ Installation

sudo apt install httpx
# or
curl -s https://api.projectdiscovery.io/tools/install | sh

🔰 Basic Usage

Check if a domain is alive

echo "example.com" | httpx

Alive check for a list

httpx -l subs.txt -o alive.txt

Silent mode (only alive hosts)

httpx -l subs.txt -silent

🟣 Intermediate Usage

Show status codes

httpx -l subs.txt -sc

Show page titles

httpx -l subs.txt -title

Show IP addresses

httpx -l subs.txt -ip

Technology detection

httpx -l subs.txt -tech-detect

Follow redirects

httpx -l subs.txt -follow-redirects

🚀 Advanced Usage

Full fingerprinting

httpx -l subs.txt -sc -title -tech-detect -ip -cdn

Output to JSON

httpx -l subs.txt -json -o httpx.json

Probe specific ports

httpx -l hosts.txt -ports 80,443,8080

Skip TLS verification

httpx -l subs.txt -tls-probe -no-color -insecure

Extract response headers

httpx -l subs.txt -json -irh -o headers.json

Extract favicon hash (for Shodan clustering)

httpx -l subs.txt -favicon
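
The JSON output above is most useful once it is turned into an inventory you can review. The following is an added example, not part of the original guide or of ProjectDiscovery's code: it reads httpx JSON lines and groups your hosts by status code, technology and shared IP, then lists hosts worth a closer look. The sample records are constructed, and the field names (`url`, `status_code`, `tech`, `host`, `cdn`) are assumptions that should be checked against the output of your httpx version, run with `-tech-detect -ip -cdn -json`.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of `httpx -json` output: one JSON object per line.
# Field names (url, status_code, tech, host, cdn) are assumed; check your version.
SAMPLE = """\
{"url":"https://www.example.com","status_code":200,"title":"Home","tech":["Nginx","React"],"host":"203.0.113.10","cdn":true}
{"url":"http://staging.example.com:8080","status_code":200,"title":"Jenkins","tech":["Jenkins","Jetty"],"host":"203.0.113.20"}
{"url":"https://old.example.com","status_code":403,"title":"403 Forbidden","tech":["Apache HTTP Server:2.4.29"],"host":"203.0.113.20"}
this line is truncated output and must be skipped
"""

def load(lines):
    """Yield one dict per well-formed record, skipping blank or corrupt lines."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "url" in rec:
            yield rec

def summarize(lines):
    """Build an inventory view: status counts, tech -> URLs, IP -> URLs, review list."""
    status, tech, ips, review = Counter(), defaultdict(set), defaultdict(set), {}
    for rec in load(lines):
        url = rec["url"]
        status[rec.get("status_code")] += 1
        for name in rec.get("tech") or []:
            tech[name.split(":")[0]].add(url)  # drop ":version" suffix for grouping
        if rec.get("host"):
            ips[rec["host"]].add(url)
        reasons = []
        if url.startswith("http://"):
            reasons.append("served over plain HTTP")
        if not rec.get("cdn"):
            reasons.append("origin IP directly reachable (no CDN)")
        if reasons:
            review[url] = reasons
    return {"status": dict(status), "tech": dict(tech), "ips": dict(ips), "review": review}

if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines())
    print("status codes:", report["status"])
    for ip, urls in sorted(report["ips"].items()):
        if len(urls) > 1:
            print("shared IP", ip, "->", sorted(urls))
    for url, reasons in report["review"].items():
        print("review:", url, "-", "; ".join(reasons))
```

To run it on a real scan, pass `open("httpx.json")` to `summarize()` instead of the sample.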

🧪 Real Recon Workflow

1. Enumerate subdomains

subfinder -d example.com -o subs.txt

2. Identify alive hosts

httpx -l subs.txt -o alive.txt

3. Fingerprint everything

httpx -l alive.txt -sc -title -tech-detect -ip -cdn -o fingerprint.txt

4. Send only alive hosts to Dirsearch

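mkdir -p results
while IFS= read -r url; do
  # URLs contain "/" and ":", so derive a safe file name for each report
  name=$(printf '%s' "$url" | sed 's|^[a-z]*://||; s|[/:]|_|g')
  python3 dirsearch.py -u "$url" -e php,js,txt -r -t 50 -o "results/${name}.txt"
done < alive.txt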

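5. Nmap deep scan

# nmap -iL expects hostnames or IPs, so strip the scheme, port and path first
sed -E 's|^https?://||; s|[:/].*$||' alive.txt | sort -u > nmap_targets.txt
nmap -p- -sV -iL nmap_targets.txt -oN nmap_services.txt

Pro tip: HTTPX + Subfinder is the fastest way to map a target's entire attack surface.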

📚 Quick Cheat Sheet

Basic scan:                 httpx -l subs.txt
Show status codes:          -sc
Show titles:                -title
Show technologies:          -tech-detect
Follow redirects:           -follow-redirects
IP address:                 -ip
Save output:                -o out.txt
JSON output:                -json -o out.json
Silent mode:                -silent

Conclusion

HTTPX is the backbone of recon. It filters subdomains, identifies alive hosts, fingerprints technologies, detects redirects, extracts metadata and prepares perfect input for Dirsearch, Nmap, Naabu, and Nuclei. Mastering HTTPX means mastering fast, accurate reconnaissance.