Chomp Scan - A Scripted Pipeline Of Tools To Streamline The Bug Bounty/Penetration Test Reconnaissance Phase
A scripted pipeline of tools to simplify the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs.
Scope
Chomp Scan is a Bash script that chains together the fastest and most effective tools (in my opinion/experience) for doing the long and sometimes tedious process of recon. No more looking for word lists and trying to remember when you started a scan and where the output is. Chomp Scan creates a timestamped output directory based on the search domain, e.g. example.com-21:38:15, and puts all tool output there, split into individual sub-directories as appropriate. Custom output directories are also supported via the `-o` flag.

New: Chomp Scan now integrates Notica, which allows you to receive a notification when the script finishes. Simply visit Notica and get a unique URL parameter. Pass the parameter to Chomp Scan via the `-n` flag, keep the Notica page open in a browser tab on your computer or phone, and you will receive a message when Chomp Scan has finished running. No more constantly checking, or forgetting to check, those long running scans. Treat the parameter like a secret: anyone who has it can post notifications to the same page.

Chomp Scan runs in multiple modes. The primary one is using command-line arguments to select which scanning phases to use, which wordlists, etc. A guided interactive mode is available, as well as a non-interactive mode, useful if you do not want to deal with setting multiple arguments.
A list of interesting words is included, such as dev, test, uat, staging, etc., and domains containing those terms are flagged. This means you can focus on the interesting domains first if you wish. This list can be customized to suit your own needs, or replaced with a different file via the `-X` flag.

A blacklist file is included, to exclude certain domains from the results. However, it does not prevent those domains from being resolved, only from being used for port scanning and content discovery. It can be passed via the `-b` flag.

Chomp Scan supports limited canceling/skipping of tools by pressing Ctrl-c. This can sometimes have unintended side effects, so use with care.
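To make the output-directory, interesting-word and blacklist behaviour concrete, here is an added shell example. It is not Chomp Scan's own code: it models those three steps on constructed sample data, and the function names, the `interesting_domains.txt` file and the sample domains are assumptions, so the real script's implementation may differ.

```shell
#!/usr/bin/env bash
# Added example, not Chomp Scan's code: a minimal model of how a recon
# pipeline can (a) create a timestamped per-target output directory,
# (b) flag domains containing "interesting" words, and (c) apply a blacklist
# that removes domains from the scan targets without removing them from the
# resolved results. File and function names are assumptions.
set -eu

# Constructed sample data standing in for interesting.txt and a blacklist file.
INTERESTING_WORDS="dev
test
uat
staging"
BLACKLIST="cdn.example.com
status.example.com"

# Constructed sample of resolved subdomains, as a resolver would emit them.
DISCOVERED="www.example.com
dev.example.com
api-staging.example.com
cdn.example.com
status.example.com
mail.example.com"

# Output directory named after the target and the start time, e.g.
# example.com-21:38:15. A custom directory (like -o in Chomp Scan) wins if given.
make_output_dir() {
  local domain=$1 custom=${2:-}
  local dir=$custom
  [ -n "$dir" ] || dir="$domain-$(date +%H:%M:%S)"
  mkdir -p "$dir"
  printf '%s\n' "$dir"
}

# Print only the domains whose name contains one of the interesting words.
# -i: case-insensitive; -F: fixed strings, so a word such as "uat" is not a regex.
flag_interesting() {
  local domains=$1 words=$2 pat
  pat=$(mktemp)
  printf '%s\n' "$words" > "$pat"
  printf '%s\n' "$domains" | grep -iF -f "$pat" || true
  rm -f "$pat"
}

# Remove blacklisted domains from the scan-target list. -x matches whole lines,
# so "cdn.example.com" does not also drop "notcdn.example.com".
apply_blacklist() {
  local domains=$1 blacklist=$2 pat
  pat=$(mktemp)
  printf '%s\n' "$blacklist" > "$pat"
  printf '%s\n' "$domains" | grep -vxF -f "$pat" || true
  rm -f "$pat"
}

# Run the model pipeline end to end and write the summary files; prints the
# output directory so a caller can find them.
run_pipeline() {
  local domain=$1 outdir
  outdir=$(make_output_dir "$domain" "${2:-}")
  # Every resolved domain is kept, blacklisted ones included.
  printf '%s\n' "$DISCOVERED" | sort -u > "$outdir/all_discovered_domains.txt"
  # Scan targets: interesting domains minus the blacklist.
  apply_blacklist "$(flag_interesting "$DISCOVERED" "$INTERESTING_WORDS")" "$BLACKLIST" \
    > "$outdir/interesting_domains.txt"
  printf '%s\n' "$outdir"
}
```

Running `run_pipeline example.com` on the sample data leaves `cdn.example.com` in `all_discovered_domains.txt` but out of the scan targets, which is the distinction the blacklist description above draws.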
Note: Chomp Scan is in active development, and new/different tools will be added as I come across them. Pull requests and comments welcome!
Scanning Phases
Subdomain Discovery (3 different sized wordlists)
- dnscan
- subfinder
- sublist3r
- massdns + altdns
Screenshots (optional)
- aquatone
Port Scanning (optional)
- masscan and/or nmap
- nmap output styled with nmap-bootstrap-xsl
Information Gathering (optional) (4 different sized wordlists)
- subjack
- bfac
- whatweb
- wafw00f
- nikto
Content Discovery (optional) (5 different sized wordlists)
- ffuf
- gobuster
- dirsearch
Wordlists
A variety of wordlists are used, both for subdomain bruteforcing and content discovery. Daniel Miessler's Seclists are used heavily, as well as Jason Haddix's lists. Different wordlists can be used by passing in a custom wordlist or using one of the built-in named argument lists below.
Subdomain Bruteforcing
| Argument Name | Filename | Word Count | Description |
|---|---|---|---|
| short | subdomains-top1mil-20000.txt | 22k | From Seclists |
| long | sortedcombined-knock-dnsrecon-fierce-reconng.txt | 102k | From Seclists |
| huge | huge-200k.txt | 199k | Combination I made of various wordlists, including Seclists |
Content Discovery
| Argument Name | Filename | Word Count | Description |
|---|---|---|---|
| small | big.txt | 20k | From Seclists |
| medium | raft-large-combined.txt | 167k | Combination of the raft wordlists in Seclists |
| large | seclists-combined.txt | 215k | Larger combination of all the Discovery/DNS lists in Seclists |
| xl | haddix_content_discovery_all.txt | 373k | Jason Haddix's all content discovery list |
| xxl | haddix-seclists-combined.txt | 486k | Combination of the two previous lists |
Misc.
- altdns-words.txt - 240 words - Used for creating domain permutations for massdns to resolve. Borrowed from altdns.
- interesting.txt - 43 words - A list I created of potentially interesting words appearing in domain names. Provide your own interesting words list with the `-X` flag.
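As an added example (not code from altdns or Chomp Scan), the following shell snippet shows the kind of permutation step altdns performs before massdns resolves the candidates. The word list, the sample subdomains and the four permutation patterns are constructed assumptions, not altdns's actual rule set; the massdns invocation in the comment is the resolver step that would follow.

```shell
#!/usr/bin/env bash
# Added example, not altdns or Chomp Scan code: generate altdns-style
# permutations of known subdomains so a bulk resolver such as massdns can
# test them. Word list, sample subdomains and the permutation patterns are
# constructed assumptions; altdns itself uses more patterns than these.
set -eu

# Constructed stand-in for altdns-words.txt.
WORDS="dev
api
staging"
# Constructed stand-in for subdomains already discovered by earlier phases.
KNOWN="www.example.com
mail.example.com"

# permute DOMAIN WORD: print candidate names derived from one domain and one
# word. Only the leftmost label is permuted (an assumption of this model).
permute() {
  local domain=$1 word=$2
  local label=${domain%%.*}      # leftmost label, e.g. www
  local rest=${domain#*.}        # everything right of it, e.g. example.com
  printf '%s\n' \
    "$word.$domain" \
    "$word-$label.$rest" \
    "$label-$word.$rest" \
    "$label.$word.$rest"
}

# generate_candidates KNOWN WORDS: every known domain crossed with every
# word, deduplicated, with the known names themselves removed so only new
# guesses are sent to the resolver.
generate_candidates() {
  local known=$1 words=$2 d w seen
  seen=$(mktemp)
  printf '%s\n' "$known" > "$seen"
  for d in $known; do
    for w in $words; do
      permute "$d" "$w"
    done
  done | sort -u | grep -vxF -f "$seen" || true
  rm -f "$seen"
}

# Stand-alone use: write the candidates to a file that massdns can consume,
# e.g. (real massdns flags: -r resolver list, -t record type, -o S simple output)
#   massdns -r resolvers.txt -t A -o S candidates.txt > resolved.txt
generate_candidates "$KNOWN" "$WORDS" > candidates.txt
```

With the sample data this produces 24 candidates such as `dev-www.example.com` and `www.staging.example.com`; the known names are filtered out so the resolver is not asked to re-resolve what the subdomain phase already found.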
Installation
Clone this repo and run the installer.sh script. Make sure to `source ~/.profile` after running the installer in order to add the Go binary path to your $PATH variable. Then run Chomp Scan.
Usage
Chomp Scan always runs subdomain enumeration, therefore a domain is required via the `-u` flag. The domain should not contain a scheme, e.g. http:// or https://. By default, HTTPS is always used. This can be changed to HTTP by passing the `-H` flag. A wordlist is optional, and if one is not provided the built-in short list (22k words) is used. Other scan phases are optional. Content discovery can take an optional wordlist, otherwise it defaults to the built-in small (20k words) list.

The final results of the scan are stored in two text files in the output directory. All unique domains that are found are stored in `all_discovered_domains.txt`, and all unique IPs that are discovered are stored in `all_discovered_ips.txt`.

```
chomp-scan.sh -u example.com -a -d short -cC large -p -o path/to/directory

Usage of Chomp Scan:
  -u domain      (required) Domain name to scan. This should not include a scheme, e.g. https:// or http://.
  -d wordlist    (optional) The wordlist to use for subdomain enumeration. Three built-in lists, short, long, and huge, can be used, as well as the path to a custom wordlist. The default is short.
  -c             (optional) Enable content discovery phase. The wordlist for this option defaults to small if not provided.
  -C wordlist    (optional) The wordlist to use for content discovery. Five built-in lists, small, medium, large, xl, and xxl, can be used, as well as the path to a custom wordlist. The default is small.
  -s             (optional) Enable screenshots using Aquatone.
  -i             (optional) Enable information gathering phase, using subjack, bfac, whatweb, wafw00f, and nikto.
  -p             (optional) Enable portscanning phase, using masscan (run as root) and nmap.
  -I             (optional) Enable interactive mode. This allows you to select certain tool options and inputs interactively. This cannot be run with -D.
  -D             (optional) Enable default non-interactive mode. This mode uses pre-selected defaults and requires no user interaction or options. This cannot be run with -I.
                 Options: Subdomain enumeration wordlist: short. Content discovery wordlist: small. Aquatone screenshots: yes. Portscanning: yes. Information gathering: yes. Domains to scan: all unique discovered.
  -b wordlist    (optional) Set custom domain blacklist file.
  -X wordlist    (optional) Set custom interesting word list.
  -o directory   (optional) Set custom output directory. It must exist and be writable.
  -a             (optional) Use all unique discovered domains for scans, rather than interesting domains. This cannot be used with -A.
  -A             (optional, default) Use only interesting discovered domains for scans, rather than all discovered domains. This cannot be used with -a.
  -H             (optional) Use HTTP for connecting to sites instead of HTTPS.
  -h             (optional) Display this help page.
```
In The Future
Chomp Scan is still in active development, as I use it myself for bug hunting, so I intend to keep adding new features and tools as I come across them. New tool suggestions, feedback, and pull requests are all welcomed. Here is a short list of potential additions I'm considering:
- Adding a config file, for more granular customization of tools and parameters
- Adding testing/support for Ubuntu/Debian
- A possible Python re-write (and perhaps a Go re-write after that!)
- The generation of an HTML report, similar to what aquatone provides
Examples