Unlock 10,000 Subdomains Instantly: The SecurityTrails Tampermonkey Hack Every Pentester Needs

Listen to this Post

Featured Image

Introduction:

Subdomain enumeration is a critical reconnaissance phase in bug bounty hunting and penetration testing, identifying potential attack surfaces. SecurityTrails offers a free API tier with a 2,000 subdomain limit, but a clever Tampermonkey script can bypass this, extracting 10,000 subdomains directly from the web interface. This technique automates data collection, significantly expanding the scope of security assessments without financial cost.

Learning Objectives:

  • Understand the mechanics of how the Tampermonkey script interacts with the SecurityTrails web interface to extract data.
  • Learn how to safely install, configure, and execute the script using the Tampermonkey browser extension.
  • Integrate the harvested subdomain data into a broader reconnaissance workflow for vulnerability discovery.

You Should Know:

1. Installing the Tampermonkey Script

https://lnkd.in/g-cBkP75`
Step‑by‑step guide explaining what this does and how to use it.
The provided link directs you to the raw Tampermonkey script. To install it, you must first have the Tampermonkey browser extension added to Chrome, Firefox, or Edge. Once Tampermonkey is installed, clicking the script link will open Tampermonkey's installation interface. Review the code to understand its permissions and actions—it will typically request access to the SecurityTrails domain (
.securitytrails.com`). Click “Install” to add the script to your Tampermonkey dashboard. This script is designed to run automatically when you visit a target’s domain page on the SecurityTrails website, injecting a button to trigger the mass data extraction.

2. Executing the 10K Subdomain Extraction

Verified JavaScript code snippet (core function of the script):

// Example function that simulates clicking pagination and aggregating data
function extractSubdomains() {
let allSubdomains = [];
const extractFromPage = () => {
let subdomains = [...document.querySelectorAll('.table-subdomains a')].map(el => el.textContent.trim());
allSubdomains = [...allSubdomains, ...subdomains];
console.log(<code>Subdomains extracted so far: ${allSubdomains.length}</code>);
};
// Logic to navigate pagination would be here
return allSubdomains;
}

Step‑by‑step guide explaining what this does and how to use it.
After installation, navigate to SecurityTrails.com and search for your target domain (e.g., example.com). The script will activate on the subdomains page. It works by programmatically interacting with the web interface, likely mimicking a user clicking through pagination links or triggering a data export function that is not rate-limited like the official API. A new button, often labeled “Get 10K Subdomains,” will appear. Clicking this button initiates the automated process. The script will fetch and compile subdomains from multiple pages of results, bypassing the single-page limit, and then present you with a consolidated list or a downloadable file containing up to 10,000 entries.

  1. Validating and Parsing Extracted Data with Linux Command Line

Verified Linux commands:

 Sort and find unique subdomains, removing potential duplicates
cat subdomains.txt | sort | uniq > unique_subdomains.txt

Count the total number of unique subdomains retrieved
wc -l unique_subdomains.txt

Use 'grep' to filter for interesting subdomains (e.g., API, admin, test)
grep -E "(api|admin|test|staging)" unique_subdomains.txt > interesting_subs.txt

Step‑by‑step guide explaining what this does and how to use it.
Once you have your raw list of subdomains from the script, save it to a file like subdomains.txt. The first command pipeline takes this file, sorts the entries alphabetically (sort), and then uses `uniq` to remove any duplicate entries, outputting the clean list to unique_subdomains.txt. The `wc -l` command provides a quick line count to verify the total number of unique subdomains. Finally, use `grep` with extended regular expressions (-E) to filter for subdomains containing keywords that often point to sensitive or high-value targets, such as administrative panels or API gateways. This pre-processing is essential for prioritizing targets.

  1. Probing for Active Hosts with Masscan and Nmap

Verified Linux commands:

 Fast initial port scan with Masscan (replace 10.0.0.0/8 with your target range)
sudo masscan -p80,443,22,3389 10.0.0.0/8 --rate=10000 -oG masscan_output.txt

Follow-up detailed service scan with Nmap on discovered hosts
nmap -sV -sC -O -p- -iL live_hosts.txt -oA detailed_scan

Step‑by‑step guide explaining what this does and how to use it.
With a list of unique subdomains, you must resolve them to IP addresses and find active hosts. While tools like `massdns` are common for resolution, this step focuses on active probing. `Masscan` is used for incredibly fast port scanning across large IP ranges. The command scans ports 80 (HTTP), 443 (HTTPS), 22 (SSH), and 3389 (RDP) on the `10.0.0.0/8` network at a rate of 10,000 packets per second, outputting in greppable format. The results are then fed to `Nmap` using the `-iL` option to read a list of live hosts (live_hosts.txt). The `Nmap` command performs a version detection (-sV), default script scan (-sC), OS detection (-O), and a full port scan (-p-), providing a deep technical profile of each active host.

5. Automating Reconnaissance with a Bash Script

Verified Bash script snippet:

!/bin/bash
DOMAIN=$1
echo "[+] Running reconnaissance for: $DOMAIN"
 Step 1: Subdomain enumeration (assuming you have a list from the Tampermonkey script)
echo "$DOMAIN" | subfinder > subfinder.txt
 Step 2: Resolve all found subdomains to IPs
cat subfinder.txt | sort -u | dnsx -a -resp-only > resolved_ips.txt
 Step 3: Check for live HTTP/HTTPS servers
cat subfinder.txt | httpx -silent > live_webservers.txt
echo "[+] Reconnaissance complete. Check live_webservers.txt and resolved_ips.txt."

Step‑by‑step guide explaining what this does and how to use it.
This bash script automates the initial phases of reconnaissance. Save it as `recon.sh` and make it executable with chmod +x recon.sh. It requires tools like subfinder, dnsx, and `httpx` (from the ProjectDiscovery suite). When run with a target domain as an argument (./recon.sh example.com), it first uses `subfinder` for passive subdomain discovery, supplementing your Tampermonkey data. It then uses `dnsx` to resolve all subdomains to their corresponding IP addresses. Finally, `httpx` probes these subdomains to determine which are hosting live web services, outputting a clean list of URLs for further manual testing or vulnerability scanning.

  1. Windows PowerShell for Subdomain Analysis and HTTP Checks

Verified Windows PowerShell commands:

 Read a subdomain list and filter for those with 'admin'
Get-Content .\subdomains.txt | Where-Object { $_ -like "admin" }

Use Invoke-WebRequest to check the HTTP status of a list of subdomains
Get-Content .\live_webservers.txt | ForEach-Object { try { $status = (Invoke-WebRequest -Uri "https://$_" -TimeoutSec 5).StatusCode; "$_ : $status" } catch { "$_ : Failed" } }

Step‑by‑step guide explaining what this does and how to use it.
For security professionals operating in a Windows environment, PowerShell provides powerful scripting capabilities. The first command uses `Get-Content` to read the subdomains file and pipes it to `Where-Object` to filter for entries containing the string “admin”. The second, more advanced command, reads from a list of web servers (live_webservers.txt). It uses `ForEach-Object` to iterate through each URL, attempting an `Invoke-WebRequest` with a 5-second timeout. The `try/catch` block captures the HTTP status code (like 200 for success) for live hosts or marks it as “Failed” if the request times out or encounters an error. This quickly separates functional web applications from dead ends.

7. Mitigating Abusive Scanning: Ethical and Legal Commands

Verified Linux commands for responsible testing:

 Slow down your scans to avoid overloading target servers using Nmap's timing template
nmap -T2 --max-parallelism 10 --min-rate 1 -p80,443 -iL targets.txt

Use a custom user-agent with curl for specific application testing
curl -A "Mozilla/5.0 (compatible; Security-Assessment-Bot/1.0)" https://target.com/admin

Step‑by‑step guide explaining what this does and how to use it.
While the Tampermonkey script provides powerful data, its use must be ethical and legal. The first `nmap` command uses the `-T2` (polite) timing template, drastically reducing the scan speed by limiting parallel probes (--max-parallelism 10) and setting a minimum packet rate (--min-rate 1) to minimize network impact. The second command uses `curl` with the `-A` flag to set a custom User-Agent string. This is crucial when testing web applications that may block default script user-agents or when you need to mimic legitimate browser traffic to avoid triggering Web Application Firewall (WAF) rules. Always operate within the scope of a authorized engagement or a public bug bounty program’s rules.

What Undercode Say:

  • The primary value of this technique is economic, democratizing access to expensive data for independent researchers and bug bounty hunters.
  • This method highlights a persistent security theme: the data available through a web UI often differs from that accessible via a controlled API, creating potential for unintended data exposure.

The Tampermonkey script for SecurityTrails is a classic example of a “UI-level” workaround that exists in a legal grey area. It doesn’t directly exploit a backend vulnerability but automates interaction with the frontend to access data the provider may not intend to be freely available at that volume. For security teams, this underscores the importance of treating the user interface as a potential data leakage point and ensuring that UI-based data access is governed by the same rate-limiting and permission checks as the official API. For researchers, it’s a powerful tool but carries inherent risks; using it against targets without explicit permission could be interpreted as unauthorized access. The long-term viability of such scripts is always uncertain, as the service provider can patch the underlying web interface at any time, breaking the automation.

Prediction:

This specific script will likely be patched by SecurityTrails as they detect anomalous traffic patterns, leading to a cat-and-mouse game where script developers release updated versions. The broader trend, however, points towards an increasing automation of the reconnaissance phase. We will see a rise in AI-powered tools that not only gather subdomains but also automatically classify them by risk, test for common vulnerabilities, and prioritize targets, forcing defenders to adopt equally automated continuous surface monitoring and asset management solutions to keep pace.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Rix4uni Bugbounty – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky