
Introduction:
A new open-source intelligence (OSINT) tool, haktrailsfree, is enabling security researchers and bug bounty hunters to enumerate thousands of subdomains from SecurityTrails without a paid API key. By leveraging a simple session cookie extracted from a logged-in browser, this Python-based utility bypasses traditional access barriers, democratizing a powerful data source for attack surface mapping.
Learning Objectives:
- Understand the mechanics of session cookie authentication for web-based APIs.
- Learn how to use the haktrailsfree tool for subdomain enumeration.
- Identify potential pitfalls and troubleshooting steps for cross-environment tool execution.
You Should Know:
1. Extracting Your SecurityTrails Session Cookie
The core of haktrailsfree’s functionality relies on obtaining a valid `sessionid` cookie from an active SecurityTrails web session.
Step-by-step guide:
Step 1: Log in to your SecurityTrails account using a web browser.
Step 2: Open the Developer Tools (F12 in most browsers).
Step 3: Navigate to the “Application” or “Storage” tab.
Step 4: In the left-hand sidebar, under “Cookies,” select `https://securitytrails.com`.
Step 5: Locate the cookie named `sessionid` and copy its entire value.
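This lengthy string is your authenticator. The tool uses this cookie to impersonate your browser session and make authorized requests to SecurityTrails’ internal endpoints. Anyone who holds the value can act as your account until the session ends, so handle it like a password and keep it out of shared shell history, logs and screenshots.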
2. Installing haktrailsfree and Dependencies
The tool is hosted on GitHub and requires Python 3 and `pip` to manage its dependencies.
Verified Commands:
```bash
# Clone the repository from the provided link
git clone https://github.com/bhagirath93/haktrailsfree
cd haktrailsfree

# Install the required Python libraries
pip3 install -r requirements.txt
```
Step-by-step guide:
This setup ensures you have all necessary libraries, such as `requests` for HTTP communication and `colorama` for colored terminal output. Always review the `requirements.txt` file in a new project to understand what is being installed on your system.
3. Basic Subdomain Enumeration
The primary function of the tool is to query subdomains for a given root domain.
Verified Command:
python3 haktrailsfree.py -d example.com -c "your_extracted_sessionid_cookie"
Step-by-step guide:
Step 1: Replace `example.com` with your target domain.
Step 2: Replace `your_extracted_sessionid_cookie` with the long string you copied from your browser.
Step 3: Execute the command. The tool will make sequential API calls, parsing the JSON responses to extract and display subdomain lists directly in your terminal.
4. Saving Results to a File
For later analysis or use with other tools, it’s crucial to save the output.
Verified Command:
python3 haktrailsfree.py -d example.com -c "your_cookie" -o results.txt
Step-by-step guide:
The `-o` or `--output` flag directs the tool’s results into a specified text file. This creates a clean list of subdomains, one per line, which can be fed into other reconnaissance tools like masscan, nmap, or `httpx` for further probing.
5. Troubleshooting VPS Environment Issues
The developer noted a critical issue where the tool fails on a DigitalOcean VPS despite working locally, highlighting the impact of environment on tool execution.
Step-by-step guide & Commands:
Check Public IP Reputation: SecurityTrails may block traffic from known datacenter IP ranges.
curl -s https://ipinfo.io/$(curl -s https://api.ipify.org) | grep country
Verify Cookie Freshness: Session cookies expire. Re-extract a fresh cookie directly from a browser session on the VPS if possible, using a graphical desktop environment.
Compare User-Agents: The tool might be sending a default Python `User-Agent` string. Modify the source code’s headers in the `requests` calls to match your local browser’s User-Agent.
Install Required System Libraries: Ensure all low-level dependencies for Python packages are present on the VPS.
```bash
# On Ubuntu/Debian VPS
sudo apt update && sudo apt install -y python3-pip
```
6. Integrating with Other Recon Tools
The true power of haktrailsfree is realized when its output is used as input for a broader reconnaissance pipeline.
Verified Commands & Snippet:
```bash
# 1. Run haktrailsfree and save output
python3 haktrailsfree.py -d example.com -c "your_cookie" -o subs.txt

# 2. Check which subdomains are live (HTTP/HTTPS)
cat subs.txt | httpx -silent > live_subs.txt

# 3. Take screenshots of live subdomains
cat live_subs.txt | aquatone -out ./screenshots

# 4. Perform a port scan on live hosts
cat live_subs.txt | naabu -silent -o naabu_results.txt
```
Step-by-step guide:
This workflow transforms a simple list of subdomains into actionable intelligence, identifying active web services, their appearance, and additional exposed network ports.
7. Understanding the API Endpoint and Rate Limiting
Reverse-engineering the tool reveals how it interacts with SecurityTrails.
Code Snippet Analysis (Conceptual):
The tool constructs a URL like this:
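```python
import requests

domain = "example.com"                               # target root domain
session_cookie = "your_extracted_sessionid_cookie"   # value copied from the browser

# Internal web-app endpoint, authenticated by the session cookie instead of an API key
base_url = f"https://securitytrails.com/app/api/v1/domain/{domain}/subdomains"
headers = {
    'Cookie': f'sessionid={session_cookie}',
    'User-Agent': 'Mozilla/5.0...'
}
response = requests.get(base_url, headers=headers, timeout=30)
```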
Step-by-step guide:
The tool targets an internal API endpoint (/app/api/v1/). While it doesn’t require the official API key, it is still subject to SecurityTrails’ server-side rate limiting and anti-abuse measures. Sending requests too quickly may result in temporary blocks, so introducing delays between requests in the code may be necessary for stability.
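Seen from the service's side, the rate limiting and anti-abuse measures mentioned above can be as simple as the following check over access logs. This is an added example, not code from haktrailsfree or SecurityTrails; the log format, session labels, thresholds and the `flag_sessions` helper are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed access-log lines: epoch seconds, session label, quoted User-Agent, path.
SAMPLE_LOG = '''\
1700000000 sess-A "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0" /app/api/v1/domain/example.com/subdomains
1700000042 sess-A "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0" /app/api/v1/domain/example.org/subdomains
1700000100 sess-B "python-requests/2.31.0" /app/api/v1/domain/example.com/subdomains
1700000101 sess-B "python-requests/2.31.0" /app/api/v1/domain/example.com/subdomains
1700000102 sess-B "python-requests/2.31.0" /app/api/v1/domain/example.com/subdomains
1700000103 sess-B "python-requests/2.31.0" /app/api/v1/domain/example.com/subdomains
1700000200 sess-C "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" /app/api/v1/domain/example.net/subdomains
1700000201 sess-C "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" /app/api/v1/domain/example.net/subdomains
1700000202 sess-C "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" /app/api/v1/domain/example.net/subdomains
1700000203 sess-C "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" /app/api/v1/domain/example.net/subdomains
'''

LINE_RE = re.compile(r'^(\d+) (\S+) "([^"]*)" (/app/api/v1/domain/[^/\s]+/subdomains)\s*$')
SCRIPT_UA = re.compile(r'^(python-requests|curl|Go-http-client)/', re.I)

def flag_sessions(log_text, window=10, max_hits=3):
    """Return {session: [reasons]} for sessions that look scripted."""
    recent = defaultdict(deque)    # session -> timestamps inside the sliding window
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # not a subdomain-endpoint request
        ts, sid, ua = int(m.group(1)), m.group(2), m.group(3)
        if SCRIPT_UA.match(ua):
            findings[sid].add("script-user-agent")
        hits = recent[sid]
        hits.append(ts)
        while ts - hits[0] >= window:   # drop hits that fell out of the window
            hits.popleft()
        if len(hits) > max_hits:        # more calls than a person clicks in `window` s
            findings[sid].add("burst")
    return {sid: sorted(reasons) for sid, reasons in findings.items()}

if __name__ == "__main__":
    for sid, reasons in flag_sessions(SAMPLE_LOG).items():
        print(sid, reasons)
```

Session `sess-C` presents a browser User-Agent and is still flagged on cadence alone, which is why request timing is the more durable signal of the two.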
What Undercode Say:
- The barrier to entry for high-quality OSINT data is lowering, but this comes with increased legal and ethical risks.
- Tool reliability is highly environment-dependent; what works on a developer’s local machine can fail in a cloud VPS due to IP reputation, headers, or missing system libraries.
The release of haktrailsfree represents a significant moment in the OSINT tooling landscape. It demonstrates a continued trend of circumventing paid API models by leveraging the underlying web session mechanics, a technique applicable to many other platforms. This empowers individual researchers and smaller teams but also blurs the lines of authorized access. The core legal question remains: does using a session cookie in an automated script violate the service’s terms of use, even with a valid account? Furthermore, the encountered VPS issue is a classic reminder that offensive security tools are fragile. Success depends not just on the code but on the execution context—IP address, user-agent, and network environment—making testing across multiple platforms a non-negotiable step for any serious operator.
Prediction:
This method of API access via session cookies will likely be patched by SecurityTrails, potentially by strengthening cookie validation to tie it to the original request’s IP or user-agent string. In response, the tooling community will adapt, leading to a cyclical cat-and-mouse game. In the longer term, we predict a rise in platforms moving towards stricter, cryptographic API key mandates and more sophisticated bot detection, forcing OSINT tools to become even more sophisticated in mimicking human browser behavior, potentially integrating full browser automation frameworks like Playwright or Selenium to generate valid sessions.
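The cookie hardening predicted above, tying a session to the client it was issued to, can be sketched as follows. This is an added example, not SecurityTrails' implementation or anything from the original post; the cookie layout, `SERVER_KEY`, the /24 and /48 network granularity and all function names are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, generated here for the example

def _tag(sid, user_agent, ip):
    # Bind to the User-Agent and the client's /24 (IPv4) or /48 (IPv6) network,
    # so an address change inside one network does not end the session.
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    msg = f"{sid}|{user_agent}|{net}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_session(user_agent, ip):
    """Create a cookie value of the form <random id>.<HMAC over id and client context>."""
    sid = secrets.token_urlsafe(24)
    return f"{sid}.{_tag(sid, user_agent, ip)}"

def validate_session(cookie, user_agent, ip):
    """Accept the cookie only when presented from the context it was issued to."""
    sid, sep, tag = cookie.partition(".")
    if not sep:
        return False
    expected = _tag(sid, user_agent, ip)
    return hmac.compare_digest(tag.encode(), expected.encode())

def replay_demo():
    # Constructed values: documentation IP ranges and sample User-Agent strings.
    browser_ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
    cookie = issue_session(browser_ua, "198.51.100.20")
    return {
        "same browser, same network": validate_session(cookie, browser_ua, "198.51.100.77"),
        "script on another network": validate_session(cookie, "python-requests/2.31.0", "203.0.113.5"),
        "same UA, another network": validate_session(cookie, browser_ua, "203.0.113.5"),
    }

if __name__ == "__main__":
    for case, accepted in replay_demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The User-Agent is supplied by the client, so the network component carries most of the weight, at the cost of forcing a new login for users whose network changes mid-session.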
Reported By: Rix4uni Bugbounty – Hackers Feeds


