A scripted pipeline of tools to simplify the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs.
Chomp Scan is a Bash script that chains together the fastest and most effective tools (in my opinion/experience) for the long and sometimes tedious process of recon. No more hunting for wordlists or trying to remember when you started a scan and where its output went. Chomp Scan creates a timestamped output directory named after the target domain, e.g. example.com-21:38:15, and puts all tool output there, split into individual sub-directories as appropriate. Custom output directories are also supported via the -o flag.
New: Chomp Scan now integrates Notica, which lets you receive a notification when the script finishes. Simply visit Notica and get a unique URL parameter. Pass the parameter to Chomp Scan via the -n flag, keep the Notica page open in a browser tab on your computer or phone, and you will receive a message when Chomp Scan has finished running. No more constantly checking (or forgetting to check) those long-running scans.
Chomp Scan runs in several modes. The main one uses command-line arguments to select which scanning phases to run, which wordlists to use, and so on. A guided interactive mode is available, as is a non-interactive mode, useful if you do not want to deal with setting multiple arguments.
A list of interesting words is included, such as dev, test, uat, staging, etc., and any discovered domain containing one of these words is flagged. This way you can focus on the interesting domains first if you wish. The list can be customized to suit your own needs, or replaced with a different file via the -X flag.
A blacklist file is included, to exclude certain domains from the results. Note that it does not prevent those domains from being resolved, only from being used for port scanning and content discovery. It can be passed via the -b flag.
Chomp Scan supports limited canceling/skipping of tools by pressing Ctrl-c. This can sometimes have unintended side effects, so use it with care.
Note: Chomp Scan is in active development, and new/different tools will be added as I come across them. Pull requests and comments welcome!
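To make the two filters above concrete, here is an added shell illustration of how an interesting-words list and a blacklist interact with a list of discovered domains. This is not Chomp Scan's own code; the word list, the blacklist entries, and the discovered domains are all constructed for the example, and the function names are mine.

```bash
#!/usr/bin/env bash
# Added illustration (not Chomp Scan's own code) of interesting-word flagging
# and blacklist scoping. All names below are constructed for this example.

# Constructed stand-in for interesting.txt: one word per line, no blank lines
# (an empty fixed-string pattern would match every domain).
interesting_words() {
  printf '%s\n' dev test uat staging
}

# Constructed stand-in for the blacklist file: exact host names to exclude
# from later phases.
blacklist() {
  printf '%s\n' legacy.example.com vpn.example.com
}

# Constructed stand-in for the list of every domain that resolved.
discovered() {
  printf '%s\n' \
    www.example.com \
    dev.example.com \
    api-staging.example.com \
    vpn.example.com \
    legacy.example.com \
    uat-portal.example.com \
    latest-news.example.com \
    shop.example.com
}

# flag_interesting: discovered domains containing any interesting word.
# Case-insensitive fixed-string substring match, so the word "test" also
# flags latest-news.example.com; review the flagged list rather than
# trusting it blindly.
flag_interesting() {
  iw_tmp=$(mktemp)
  interesting_words > "$iw_tmp"
  discovered | grep -i -F -f "$iw_tmp" | sort -u
  rm -f "$iw_tmp"
}

# scan_scope: the host list handed to port scanning and content discovery.
# "all" starts from every discovered domain, "interesting" from the flagged
# ones. Blacklisted hosts are dropped here only; discovered() is untouched,
# which is the "resolved but not scanned" behaviour described above.
scan_scope() {
  case "$1" in
    all)         src=discovered ;;
    interesting) src=flag_interesting ;;
    *) echo "usage: scan_scope all|interesting" >&2; return 1 ;;
  esac
  bl_tmp=$(mktemp)
  blacklist > "$bl_tmp"
  "$src" | grep -v -x -F -f "$bl_tmp" | sort -u
  rm -f "$bl_tmp"
}

# Demo run: what resolved, what was flagged, and what later phases scan.
printf '== discovered (resolved) ==\n';                    discovered
printf '== flagged interesting ==\n';                      flag_interesting
printf '== scan scope (interesting, minus blacklist) ==\n'; scan_scope interesting
printf '== scan scope (all, minus blacklist) ==\n';         scan_scope all
```

Two things worth noticing when running it: the blacklisted vpn.example.com and legacy.example.com still appear in the discovered list (the blacklist only narrows what gets scanned), and substring matching over-flags, so a short word like "test" will pull in hosts you did not intend.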
Subdomain Discovery (3 different sized wordlists)
- massdns + altdns
Port Scanning (optional)
Information Gathering (optional) (4 different sized wordlists)
Content Discovery (optional) (5 different sized wordlists)
A number of wordlists are used, both for subdomain bruteforcing and content discovery. Daniel Miessler's Seclists are used heavily, as are Jason Haddix's lists. Different wordlists can be used by passing in a custom wordlist or by using one of the built-in named argument lists below.
Subdomain enumeration lists (-d flag):

| Argument Name | Filename | Word Count | Description |
|---|---|---|---|
| huge | huge-200k.txt | 199k | Combination I made of various wordlists, including Seclists |

Content discovery lists (-C flag):

| Argument Name | Filename | Word Count | Description |
|---|---|---|---|
| medium | raft-large-combined.txt | 167k | Combination of the raft wordlists in Seclists |
| large | seclists-combined.txt | 215k | Larger combination of all the Discovery/DNS lists in Seclists |
| xl | haddix_content_discovery_all.txt | 373k | Jason Haddix's complete content discovery list |
| xxl | haddix-seclists-combined.txt | 486k | Combination of the two previous lists |
- altdns-words.txt - 240 words - Used for creating domain permutations for massdns to resolve. Borrowed from altdns.
- interesting.txt - 43 words - A list I created of potentially interesting words appearing in domain names. Provide your own interesting words list with the -X flag.
Clone this repo and run the installer.sh script. Make sure to source ~/.profile after running the installer so that the Go binary path is added to your $PATH variable. Then run Chomp Scan.
Chomp Scan always runs subdomain enumeration, so a domain is required via the -u flag. The domain should not include a scheme, e.g. http:// or https://. By default, HTTPS is always used; this can be changed to HTTP by passing the -H flag. A wordlist is optional, and if one is not provided the built-in short list (20k words) is used.
The other scan phases are optional. Content discovery can take an optional wordlist; otherwise it defaults to the built-in small list (22k words).
The final results of the scan are saved in two text files in the output directory. All unique domains that are found are saved in all_discovered_domains.txt, and all unique IPs that are discovered are saved in the second file alongside it.
```
chomp-scan.sh -u example.com -a -d short -cC large -p -o path/to/directory

Usage of Chomp Scan:
  -u domain     (required) Domain name to scan. This should not include a scheme, e.g. https:// or http://.
  -d wordlist   (optional) The wordlist to use for subdomain enumeration. Three built-in lists, short, long, and huge, can be used, as well as the path to a custom wordlist. The default is short.
  -c            (optional) Enable content discovery phase. The wordlist for this option defaults to small if not provided.
  -C wordlist   (optional) The wordlist to use for content discovery. Five built-in lists, small, medium, large, xl, and xxl, can be used, as well as the path to a custom wordlist. The default is small.
  -s            (optional) Enable screenshots using Aquatone.
  -i            (optional) Enable information gathering phase, using subjack, bfac, whatweb, wafw00f, and nikto.
  -p            (optional) Enable portscanning phase, using masscan (run as root) and nmap.
  -I            (optional) Enable interactive mode. This allows you to select certain tool options and inputs interactively. This cannot be run with -D.
  -D            (optional) Enable default non-interactive mode. This mode uses pre-selected defaults and requires no user interaction or options. This cannot be run with -I.
                Options: Subdomain enumeration wordlist: short. Content discovery wordlist: small. Aquatone screenshots: yes. Portscanning: yes. Information gathering: yes. Domains to scan: all unique discovered.
  -b wordlist   (optional) Set custom domain blacklist file.
  -X wordlist   (optional) Set custom interesting word list.
  -o directory  (optional) Set custom output directory. It must exist and be writable.
  -a            (optional) Use all unique discovered domains for scans, rather than interesting domains. This cannot be used with -A.
  -A            (optional, default) Use only interesting discovered domains for scans, rather than all discovered domains. This cannot be used with -a.
  -H            (optional) Use HTTP for connecting to sites instead of HTTPS.
  -h            (optional) Display this help page.
```
In The Future
Chomp Scan is still in active development, as I use it myself for bug hunting, so I intend to keep adding new features and tools as I come across them. New tool suggestions, feedback, and pull requests are all welcome. Here is a short list of potential additions I am considering:
- Adding a config file, for more granular customization of tools and parameters
- Adding testing/support for Ubuntu/Debian
- A possible Python re-write (and maybe a Go re-write after that!)
- Generating an HTML report, similar to what aquatone provides