Recon — Assets

The Recon view is Hugin’s unified asset inventory. It ingests results from external recon tools — SubFlow (subdomain enumeration), XMass (mass scanner), vmap (vulnerability mapper) — and builds a single queryable database of hosts, IPs, ports, services, certificates, and HTTP fingerprints.

Use it as the starting point for an engagement: ingest your recon, scan the asset list for interesting targets, then drive the proxy at the high-value picks.

🔗Asset Model

Each asset record contains:

  • Host — domain or IP
  • IPs — resolved A/AAAA records
  • Ports — observed open ports with service detection
  • HTTP fingerprint — title, server header, JARM hash, favicon MMH3 hash
  • Source — which tool surfaced this asset (subflow / xmass / vmap / manual)
  • Status — auto-classified by ingest results (e.g., live / dead / unknown depending on which pipeline produced the asset)
  • Scope — in-scope / out-of-scope flag for the active project
  • Tags — free-form labels
  • Discovered at + Last verified

🔗Ingest

🔗From SubFlow

hugin-mcp: assets action:"ingest_subflow" data:'{"subdomains":[{"subdomain":"api.example.com","source":"crt.sh","ips":["1.2.3.4"]}]}'

Or pipe SubFlow JSON output directly via the Ingest button → SubFlow.

🔗From XMass

XMass (mass port + service scanner) output ingests with rich port + service data:

assets action:"ingest_xmass" data:'{"assets":[{"ip":"1.2.3.4","port":443,"jarm_hash":"...","title":"Login"}]}'

🔗From vmap

Vulnerability map results — port + service granularity, used for follow-up scanning:

assets action:"ingest_vmap" data:'{"results":[{"host":"api.example.com","ports":[{"port":443,"protocol":"tcp","state":"open","service":"https"}]}]}'

🔗Manual

Click + Asset in the toolbar for one-off entries.

🔗Filters

The asset table supports:

  • Host / IP substring search
  • Source — multi-select
  • Status — by classification (live, dead, etc.)
  • Tag — multi-select
  • Port — exact match
  • In-scope only — toggle
  • HTTP only — show only assets with port 80/443/8080/8443/etc. detected

🔗Cluster Pivots

Two cluster views surface assets that share infrastructure:

  • Cluster by JARM — assets sharing a TLS JARM fingerprint. Reveals shared infrastructure, fronted services, common reverse proxies.
  • Cluster by favicon — assets sharing a favicon MMH3 hash. Catches CMS instances, framework defaults, shared admin panels.

Click any cluster row to see all members.

🔗Crawl Seeds

The Crawl Seeds action takes a selection of asset IDs and generates seed URLs for the Crawler. Hugin builds URLs from each asset’s host:port combinations across HTTP/HTTPS, prepends / and (where detected) common framework paths, then enqueues them.

assets action:"crawl_seeds" asset_ids:"id1,id2,id3"

Useful workflow: ingest 500 subdomains → filter to live HTTP assets → select all → Crawl Seeds → start crawler.

🔗Coverage Tracker

The Coverage stat shows how far each asset has progressed through Hugin’s pipeline:

  • Discovered (asset exists)
  • Verified live (HTTP probe succeeded)
  • Crawled (in crawler)
  • Tested (sent to scanner)
  • Has findings

A coverage chart visualises bottlenecks — e.g., 80% live but only 20% crawled.

🔗Stats

The toolbar badges show: total hosts, total open ports, hosts with HTTP, in-scope count, hosts with findings.

🔗Right-Click on Asset

  • Add to Scope
  • Crawl — submit to Crawler with sensible defaults
  • Scan — submit to Scanner
  • View on shodan.io / censys.io / wayback / urlscan — opens external recon tools
  • Tag
  • Mark dead / Re-verify
  • Delete

🔗MCP

The assets MCP tool covers everything:

  • CRUD: list (with host/ip/source/status/tag/port filters), get, create, update, delete
  • Ports & events: ports, events
  • Stats: stats, coverage
  • Pivots: cluster_jarm, cluster_favicon
  • Ingest: ingest_subflow, ingest_xmass, ingest_vmap
  • Pipeline: crawl_seeds

🔗Pro vs Community

The Recon view is Pro. Community edition can use the Discover content scanner instead.