Chomp Scan – A Scripted Pipeline Of Tools To Streamline The Bug Bounty/Penetration Test Reconnaissance Phase


A scripted pipeline of tools to simplify the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs.

Chomp Scan is a Bash script that chains together the fastest and most effective tools (in my opinion/experience) for doing the long and sometimes tedious process of recon. No more looking for word lists and trying to remember when you started a scan and where the output is. Chomp Scan creates a timestamped output directory based on the search domain, e.g., and puts all tool output there, split into individual sub-directories as appropriate. Custom output directories are also supported via the -o flag.
New: Chomp Scan now integrates Notica, which allows you to receive a notification when the script finishes. Simply visit Notica and get a unique URL parameter. Pass the parameter to Chomp Scan via the -n flag, keep the Notica page open in a browser tab on your computer or phone, and you will receive a message when Chomp Scan has finished running. No more constantly checking/forgetting to check those long running scans.
Chomp Scan runs in multiple modes. The primary one is using command-line arguments to select which scanning phases to use, which wordlists, etc. A guided interactive mode is available, as well as a non-interactive mode, useful if you do not want to deal with setting multiple arguments.
A list of interesting words is included, such as dev, test, uat, staging, etc., and domains containing those words are flagged. This way you can focus on the interesting domains first if you wish. This list can be customized to suit your own needs, or replaced with a different file via the -X flag.
A blacklist file is included, to exclude certain domains from the results. However, it does not prevent those domains from being resolved, only from being used for port scanning and content discovery. It can be passed via the -b flag.
Chomp Scan supports limited canceling/skipping of tools by pressing Ctrl-c. This can sometimes have unintended side effects, so use with care.
Note: Chomp Scan is in active development, and new/different tools will be added as I come across them. Pull requests and comments welcome!
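
The interesting-word flagging and blacklist behaviour described above, sketched as an added shell example (this is not Chomp Scan's own code). The function name, the blacklist file name, the sample domains, and the rule that a blacklist entry also blocks its subdomains are assumptions; the optional `all` argument mirrors the choice between all discovered domains and only interesting ones.

```shell
#!/usr/bin/env bash
# Added example, not Chomp Scan's code. Names and matching rules are assumed.
# Usage: select_scan_targets DOMAINS WORDS BLACKLIST [all]
#   default : only domains containing an interesting word
#   all     : every unique discovered domain
# Blacklisted hosts (and, by assumption, their subdomains) are never selected,
# which keeps out-of-scope hosts away from port scanning and content discovery.
select_scan_targets() {
    awk -v mode="${4:-interesting}" '
        { line = tolower($0); gsub(/^[ \t]+|[ \t\r]+$/, "", line) }
        line == "" || line ~ /^#/ { next }   # a blank word would match every domain
        FILENAME == ARGV[1] { words[line] = 1; next }
        FILENAME == ARGV[2] { blocked[line] = 1; next }
        seen[line]++ { next }                # keep unique domains only
        {
            for (b in blocked) {
                n = length(line) - length(b)
                if (line == b || (n > 0 && substr(line, n) == "." b)) next
            }
            if (mode == "all") { print line; next }
            for (w in words) if (index(line, w)) { print line; next }
        }
    ' "$2" "$3" "$1"
}

# Constructed sample data (reserved .example names), written to a temp directory.
demo=$(mktemp -d)
printf '%s\n' dev.corp.example www.corp.example UAT.shop.corp.example \
    staging.partner.corp.example dev.corp.example > "$demo/all_discovered_domains.txt"
printf '%s\n' dev test uat staging '' > "$demo/interesting.txt"
printf '%s\n' partner.corp.example > "$demo/blacklist.txt"

echo "interesting targets:"
select_scan_targets "$demo/all_discovered_domains.txt" "$demo/interesting.txt" "$demo/blacklist.txt"
echo "all targets:"
select_scan_targets "$demo/all_discovered_domains.txt" "$demo/interesting.txt" "$demo/blacklist.txt" all
rm -rf "$demo"
```

The blank line in the sample word list is deliberate: without the empty-line check it would flag every domain as interesting.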

Scanning Phases

Subdomain Discovery (three different sized wordlists)

  • dnscan
  • subfinder
  • sublist3r
  • massdns + altdns

Screenshots (optional)

Port Scanning (optional)

Information Gathering (optional) (four different sized wordlists)

  • subjack
  • bfac
  • whatweb
  • wafw00f
  • nikto

Content Discovery (optional) (four different sized wordlists)

A variety of wordlists are used, both for subdomain bruteforcing and content discovery. Daniel Miessler's Seclists are used heavily, as well as Jason Haddix's lists. Different wordlists can be used by passing in a custom wordlist or using one of the built-in named argument lists below.

Subdomain Bruteforcing

Argument Name   Filename                                           Word Count   Description
short           subdomains-top1mil-20000.txt                       22k          From Seclists
long            sortedcombined-knock-dnsrecon-fierce-reconng.txt   102k         From Seclists
huge            huge-200k.txt                                      199k         Combination I made of various wordlists, including Seclists

Content Discovery

Argument Name   Filename                            Word Count   Description
small           big.txt                             20k          From Seclists
medium          raft-large-combined.txt             167k         Combination of the raft wordlists in Seclists
large           seclists-combined.txt               215k         Larger combination of all the Discovery/DNS lists in Seclists
xl              haddix_content_discovery_all.txt    373k         Jason Haddix's all content discovery list
xxl             haddix-seclists-combined.txt        486k         Combination of the two previous lists


  • altdns-words.txt – 240 words – Used for creating domain permutations for masscan to resolve. Borrowed from altdns.
  • interesting.txt – 43 words – A list I created of potentially interesting words appearing in domains. Provide your own interesting words list with the -X flag.

Clone this repo and run the script. Make sure to source ~/.profile after running the installer to add the Go binary path to your $PATH variable. Then run Chomp Scan.

Chomp Scan always runs subdomain enumeration, thus a domain is required via the -u flag. The domain should not contain a scheme, e.g. http:// or https://. By default, HTTPS is always used. This can be changed to HTTP by passing the -H flag. A wordlist is optional, and if one is not provided the built-in short list (20k words) is used.
Other scan phases are optional. Content discovery can take an optional wordlist, otherwise it defaults to the built-in short (22k words) list.
The final results of the scan are stored in two text files in the output directory. All unique domains that are found are stored in all_discovered_domains.txt, and all unique IPs that are discovered are stored in all_discovered_ips.txt.

        -u -a d short -cC large -p -o path/to/directory

Usage of Chomp Scan:
        -u domain
                 (required) Domain name to scan. This should not include a scheme, e.g. https:// or http://.
        -d wordlist
                 (optional) The wordlist to use for subdomain enumeration. Three built-in lists, short, long, and huge can be used, as well as the path to a custom wordlist. The default is short.
                 (optional) Enable content discovery phase. The wordlist for this option defaults to short if not provided.
        -C wordlist
                 (optional) The wordlist to use for content discovery. Five built-in lists, small, medium, large, xl, and xxl can be used, as well as the path to a custom wordlist. The default is small.
                 (optional) Enable screenshots using Aquatone.
                 (optional) Enable information gathering phase, using subjack, bfac, whatweb, wafw00f, and nikto.
                 (optional) Enable portscanning phase, using masscan (run as root) and nmap.
                 (optional) Enable interactive mode. This allows you to select certain tool options and inputs interactively. This cannot be run with -D.
                 (optional) Enable default non-interactive mode. This mode uses pre-selected defaults and requires no user interaction or options. This cannot be run with -I.
                            Options: Subdomain enumeration wordlist: short.
                                     Content discovery wordlist: small.
                                     Aquatone screenshots: yes.
                                     Portscanning: yes.
                                     Information gathering: yes.
                                     Domains to scan: all unique discovered.
        -b wordlist
                 (optional) Set custom domain blacklist file.
        -X wordlist
                 (optional) Set custom interesting word list.
        -o directory
                 (optional) Set custom output directory. It must exist and be writable.
                 (optional) Use all unique discovered domains for scans, rather than interesting domains. This cannot be used with -A.
                 (optional, default) Use only interesting discovered domains for scans, rather than all discovered domains. This cannot be used with -a.
                 (optional) Use HTTP for connecting to sites instead of HTTPS.
                 (optional) Display this help page.

In The Future
Chomp Scan is still in active development, as I use it myself for bug hunting, so I intend to continue adding new features and tools as I come across them. New tool suggestions, feedback, and pull requests are all welcomed. Here is a short list of potential additions I'm considering:

  • Adding a config file, for more granular customization of tools and parameters
  • Adding testing/support for Ubuntu/Debian
  • A possible Python re-write (and maybe a Go re-write after that!)
  • The generation of an HTML report, similar to what aquatone provides
