ip-thc

Fast CLI for DNS intelligence using the ip.thc.org public dataset

ip-thc is an open-source, operator-oriented command-line tool maintained by a member of Haltman.io. It provides direct access to the public intelligence API of ip.thc.org, a dataset advertised as indexing ~5.14 billion domains.

The tool is designed for practical reconnaissance and investigation, enabling fast pivots commonly required during:

  • Red Team operations

  • Penetration testing

  • Bug bounty reconnaissance

  • Infrastructure and hosting analysis

ip-thc supports three core lookup modes:

  • Reverse DNS — IP → hosted domains

  • Subdomain enumeration — domain → subdomains

  • CNAME discovery — target domain → domains pointing to it

The focus is speed, explicit control, and safe operation. There is no API key, no authentication layer, and no local state beyond execution.

Note: This project is developed independently. Haltman.io has no affiliation with The Hacker’s Choice (THC).

Installation

Requirements

  • Go 1.22+

  • Network access to ip.thc.org

  • Optional: proxy access (HTTP / HTTPS / SOCKS5)

Option A) Install to $GOBIN

go install github.com/haltman-io/ip-thc/cmd/ip-thc@latest

Option B) Build from source

git clone https://github.com/haltman-io/ip-thc.git
cd ip-thc

go mod download
go build -o ip-thc ./cmd/ip-thc

Run:

./ip-thc --help

Configuration

No configuration is required.

  • No API keys

  • No environment variables

  • No config files

All behavior is controlled via CLI flags.

Optional runtime controls include:

  • Rate limiting

  • Concurrency

  • Proxy usage

  • TLS verification behavior

These are supplied per execution.


Usage

Help

$ ./ip-thc --help

 /$$    www.thc.org      /$$     /$$
|__/                    | $$    | $$
 /$$  /$$$$$$          /$$$$$$  | $$$$$$$   /$$$$$$$
| $$ /$$__  $$ /$$$$$$|_  $$_/  | $$__  $$ /$$_____/
| $$| $$  \ $$|______/  | $$    | $$  \ $$| $$      
| $$| $$  | $$          | $$ /$$| $$  | $$| $$      
| $$| $$$$$$$/          |  $$$$/| $$  | $$|  $$$$$$$
|__/| $$____/            \___/  |__/  |__/ \_______/
    | $$
    | $$   github.com/haltman-io/ip-thc (Golang version)
    |__/   [release: v1.0.0-stable]

 [!] This tool was developed independently. The author has no affiliation with The Hacker's Choice. 

ip-thc (v1.0.0-stable) - ip.thc.org API client (ReverseDNS / Subdomain / CNAME)

USAGE:
  ip-thc [mode] [targets] [options]

TARGET INPUT:
  --target <target>           Define a target (repeatable, comma-separated supported)
  -t <target>

  --target-list <file>        File with targets (one per line; repeatable, comma-separated supported)
  -tL <file>

  --stdin                     Enable reading targets from STDIN (pipe) as additional targets

MODES (select exactly one):
  --reverse-dns               Reverse DNS lookup (API: POST /api/v1/lookup)
  -rdns

  --subdomain                 Subdomain lookup (API: POST /api/v1/lookup/subdomains)
  -sub

  --cname                     CNAME lookup (API: POST /api/v1/lookup/cnames)
  -cn

OPTIONS:
  --results <n>               Max results per API request (default: 10)
  --limit <n>                 Alias for --results
  -r <n>

  --all                       Auto-pagination until next_page_state is empty

  --threads <n>               Concurrent targets (default: 1)
  --rate-limit <rps>          Max requests per second (default: 5)
  -rl <rps>

  --proxy <url>               Proxy URL: http://host:port, https://host:port, socks5://host:port
  --proxy-auth <user:pass>    Proxy auth: HTTP Basic or SOCKS5 user/pass
  --no-proxy                  Ignore proxy environment variables

  --insecure                  Disable TLS verification (curl-style)
  -k

  --output <file>             Save sorted + deduped results to file
  -o <file>

  --silent                    Print results only (also suppress banner)
  -s

  --debug                     Verbose debug logs to STDERR

  --timeout <duration>        HTTP timeout (default: 30s). Examples: 30s, 2m
  --user-agent <ua>           Override User-Agent

NOTES:
  - Multiple targets are supported:
      ip-thc -t google.com,twitter.com -sub
      ip-thc -t google.com -t twitter.com -sub
      ip-thc -tL targets1.txt,targets2.txt -sub
  - STDIN is ignored unless --stdin is explicitly provided.

Reverse DNS (IP → domains)

ip-thc -rdns -t 1.1.1.1

Fetch all available pages:

ip-thc -rdns -t 1.1.1.1 --all


Subdomain enumeration (domain → subdomains)

ip-thc -sub -t example.com

Multiple targets:

ip-thc -sub -t google.com,twitter.com

From file:

ip-thc -sub -tL targets.txt

From STDIN (explicit):

cat targets.txt | ip-thc --stdin -sub


CNAME lookup (target → pointing domains)

ip-thc -cn -t github.io

Use case examples:

  • SaaS discovery

  • Hosting relationship analysis

  • Subdomain takeover surface mapping


Output to file (sorted & deduplicated)

ip-thc -sub -t example.com --all -o subdomains.txt

Behavior:

  • One result per line

  • Automatically sorted

  • Duplicates removed


Possible Problems / Important Notes

Rate limiting

  • Default client limit: 5 requests/second

  • If the server responds with X-Ratelimit-Remaining < 5, the tool pauses automatically for 15 seconds.

You should still use conservative limits when running at scale:

ip-thc -sub -t example.com --rate-limit 2
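
The pacing rule above, as an added Go example (not ip-thc's own code). The names Pacer and Simulate are hypothetical, the header values are constructed, and it assumes the pause is taken before the next request and that a missing or unparseable header falls back to the client-side rate.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"time"
)

// Values from the page: pause 15 s when X-Ratelimit-Remaining is below 5.
const lowWatermark, cooldown = 5, 15 * time.Second

// Pacer (hypothetical name) is not goroutine-safe: it models one target at a time.
type Pacer struct {
	Interval time.Duration       // 1s divided by the --rate-limit value
	Sleep    func(time.Duration) // injectable so tests need no real waiting
	pending  time.Duration       // delay owed before the next request
}

// Before blocks for whatever delay the previous response earned.
func (p *Pacer) Before() {
	if p.pending > 0 {
		p.Sleep(p.pending)
	}
	p.pending = p.Interval // used if the request fails with no response
}

// After records the delay implied by a response's headers and returns it.
func (p *Pacer) After(h http.Header) time.Duration {
	p.pending = p.Interval // assumption: absent or unparseable header keeps the pace
	n, err := strconv.Atoi(h.Get("X-Ratelimit-Remaining"))
	if err == nil && n < lowWatermark {
		p.pending = cooldown
	}
	return p.pending
}

// Simulate replays constructed header values and returns each pause taken.
func Simulate(rps int, remaining []string) (slept []time.Duration) {
	p := &Pacer{Interval: time.Second / time.Duration(rps),
		Sleep: func(d time.Duration) { slept = append(slept, d) }}
	for _, v := range remaining {
		p.Before() // a real client would send the request after this call
		p.After(http.Header{"X-Ratelimit-Remaining": {v}})
	}
	return slept
}

func main() { fmt.Println(Simulate(2, []string{"40", "4", "", "9"})) }
```

With --rate-limit 2 the normal gap is 500 ms; a single response reporting fewer than 5 remaining requests replaces the next gap with the 15-second pause.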

Proxy environments

Supported proxy schemes:

  • http://host:port

  • https://host:port

  • socks5://host:port

Example:

ip-thc -sub -t example.com --proxy socks5://127.0.0.1:9050

To ignore system proxy variables:

ip-thc --no-proxy ...

TLS verification

ip-thc -sub -t example.com -k

  • Disables TLS verification

  • Use only if you understand the risk (MITM visibility)


This tool is intended for:

  • Authorized security testing

  • Defensive research

  • Lawful investigations

You are responsible for complying with:

  • Applicable laws

  • Engagement scope

  • Upstream service usage policies

