chomp-scan – A scripted pipeline of instruments to streamline the bug bounty/penetration check reconnaissance section, so you possibly can deal with chomping bugs.
Chomp Scan is a Bash script that chains collectively the quickest and best instruments (for my part/expertise) for doing the lengthy and generally tedious means of recon. No extra in search of phrase lists and making an attempt to recollect if you began a scan and the place the output is.
Chomp Scan can deal with an inventory of probably fascinating subdomains, letting you save time and deal with high-value targets. It may well even notify you through Notica when it is completed operating!
Chomp Scan now integrates Notica, which lets you obtain a notification when the script finishes. Merely go to Notica and get a novel URL parameter, e.g. notica.us/?xxxxxxxx. Move the parameter to Chomp Scan through the -n flag, hold the Notica web page open in a browser tab in your laptop or telephone, and you’ll obtain a message when Chomp Scan has completed operating. No extra consistently checking/forgetting to examine these lengthy operating scans.
A listing of fascinating phrases is included, corresponding to dev, check, uat, staging, and many others., and domains containing these phrases are flagged. This fashion you possibly can deal with the fascinating domains first if you want. This checklist will be personalized to fit your personal wants, or changed with a unique file through the -X flag.
Chomp Scan runs in a number of modes. A brand new Configuration File is the beneficial approach to run scans, because it permits essentially the most granular management of instruments and settings. A typical CLI mode is included, which features the identical as some other CLI instrument. A guided interactive mode is offered, in addition to a non-interactive mode, helpful if you do not need to lookup parameters or fear about setting a number of arguments.
New Chomp Scan now consists of rescope. Rescope will parse all resolved domains found by Chomp Scan and generate a JSON scope file that may be imported into Burp Suite. This selection will be enabled by setting the ENABLE_RESCOPE variable within the configuration file or by passing the -r flag through the command line.
Please see the Wiki for detailed documentation.
Word: Chomp Scan is in energetic improvement, and new/totally different instruments might be added as I come throughout them. Pull requests and feedback welcome!
Subdomain Discovery (three totally different sized wordlists)
- massdns + goaltdns
Port Scanning (non-compulsory)
- masscan and/or nmap
- nmap output styled with nmap-bootstrap-xsl
Data Gathering (non-compulsory) (four totally different sized wordlists)
Content material Discovery (non-compulsory) (four totally different sized wordlists)
Chomp Scan now incorporates a configuration file choice that gives extra granular management over which instruments are run and is much less cumbersome than passing numerous CLI arguments. It may be utilized by passing the -L flag. An instance config file is included on this repo as a template, and full config file particulars can be found on the Configuration File wiki web page.
A wide range of wordlists are used, each for subdomain bruteforcing and content material discovery. Daniel Miessler’s Seclists are used closely, in addition to Jason Haddix’s lists. Totally different wordlists can be utilized by passing in a customized wordlist or utilizing one of many built-in named argument lists. See the Wordlist wiki web page for extra particulars.
Clone this repo and run the included installer.sh script, optionally together with a customized file path to put in mandatory instruments to. Be certain to run supply ~/.profile in your terminal after operating the installer with a purpose to add the Go binary path to your $PATH variable. Then run Chomp Scan. If you’re utilizing zsh, fish, or another shell, make it possible for ~/go/bin is in your path. For extra particulars, see the Set up wiki web page.
TLDR: [email protected]:~/chomp-scan# ./installer.sh [/some/optional/install/path]
For full utilization data, see the Utilization web page of the wiki.
Chomp Scan at all times runs subdomain enumeration, thus a site is required through the -u flag. The area mustn’t comprise a scheme, e.g. http:// or https://. By default, HTTPS is at all times used. This may be modified to HTTP by passing the -H flag. A wordlist is non-compulsory, and if one isn’t supplied the built-in quick checklist (20ok phrases) is used.
Different scan phases are non-compulsory. Content material discovery can take an non-compulsory wordlist, in any other case it defaults to the built-in quick (22ok phrases) checklist.
The ultimate outcomes of the scan are saved in three textual content recordsdata within the output listing. All distinctive domains which can be discovered, whether or not they resolve or not, are saved in all_discovered_domains.txt, and all distinctive IPs which can be found are saved in all_discovered_ips.txt. All domains that resolve to an IP are saved in all_resolved_domains.txt. As of v4.1 these domains are used to generate the fascinating area checklist and the all domains checklist, which might then be used for content material discovery and data gathering.
chomp-scan.sh -u instance.com -a d quick -cC giant -p -o path/to/listing
Utilization of Chomp Scan:
(required) Area title to scan. This could not embrace a scheme, e.g. https:// or http://.
(non-compulsory) The trail to a config file. This can be utilized to offer extra granular management over what instruments are run.
(non-compulsory) The wordlist to make use of for subdomain enumeration. Three built-in lists, quick, lengthy, and big can be utilized, in addition to the trail to a customized wordlist. The default is brief.
(non-compulsory) Allow content material discovery section. The wordlist for this feature defaults to quick if not supplied.
(non-compulsory) The wordlist to make use of for content material discovery. 5 built-in lists, small, medium, giant, xl, and xxl can be utilized, in addition to the trail to a customized wordlist. The default is small.
(non-compulsory) Set a customized listing for the placement of instruments. The trail should exist and the listing should comprise all wanted instruments.
(non-compulsory) Allow screenshots utilizing Aquatone.
(non-compulsory) Allow data gathering section, utilizing subjack, CORStest, S3Scanner, bfac, whatweb, wafw00f, and nikto.
(non-compulsory) Allow portscanning section, utilizing masscan (run as root) and nmap.
(non-compulsory) Allow interactive mode. This lets you choose sure instrument choices and inputs interactively. This can’t be run with -D.
(non-compulsory) Allow default non-interactive mode. This mode makes use of pre-selected defaults and requires no person interplay or choices. This can’t be run with -I.
Choices: Subdomain enumeration wordlist: quick.
Content material discovery wordlist: small.
Aquatone screenshots: sure.
Data gathering: sure.
Domains to scan: all distinctive found.
(non-compulsory) Set customized area blacklist file.
(non-compulsory) Set customized fascinating glossary.
(non-compulsory) Set customized output listing. It should exist and be writable.
(non-compulsory) Use all distinctive found domains for scans, somewhat than fascinating domains. This can’t be used with -A.
(non-compulsory, default) Use solely fascinating found domains for scans, somewhat than all found domains. This can’t be used with -a.
(non-compulsory) Use HTTP for connecting to websites as an alternative of HTTPS.
(non-compulsory) Allow creation of Burp scope JSON file with rescope.
(non-compulsory) Show this assist web page.
In The Future
Chomp Scan remains to be in energetic improvement, as I take advantage of it myself for bug looking, so I intend to proceed including new options and instruments as I come throughout them. New instrument recommendations, suggestions, and pull requests are all welcomed. Attainable additions:
- The era of an HTML report, just like what aquatone supplies