
Chomp Scan


itsMe


Chomp Scan - A Scripted Pipeline Of Tools To Streamline The Bug Bounty/Penetration Test Reconnaissance Phase

A scripted pipeline of tools to simplify the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs.


Scope

Chomp Scan is a Bash script that chains together the fastest and most effective tools (in my opinion/experience) for doing the long and sometimes tedious process of recon. No more looking for word lists and trying to remember when you started a scan and where the output is. Chomp Scan creates a timestamped output directory based on the search domain, e.g. example.com-21:38:15, and puts all tool output there, split into individual sub-directories as appropriate. Custom output directories are also supported via the -o flag.

New: Chomp Scan now integrates Notica, which allows you to receive a notification when the script finishes. Simply visit Notica and get a unique URL parameter. Pass the parameter to Chomp Scan via the -n flag, keep the Notica page open in a browser tab on your computer or phone, and you will receive a message when Chomp Scan has finished running. No more constantly checking/forgetting to check those long-running scans.

Chomp Scan runs in multiple modes. The primary one is using command-line arguments to select which scanning phases to use, which wordlists, etc. A guided interactive mode is available, as well as a non-interactive mode, useful if you do not want to deal with setting multiple arguments.

A list of interesting words is included, such as dev, test, uat, staging, etc., and domains containing those terms are flagged. This way you can focus on the interesting domains first if you wish. This list can be customized to suit your own needs, or replaced with a different file via the -X flag.

A blacklist file is included, to exclude certain domains from the results. However, it does not prevent those domains from being resolved, only from being used for port scanning and content discovery. It can be passed via the -b flag.

Chomp Scan supports limited canceling/skipping of tools by pressing Ctrl-c. This can sometimes have unintended side effects, so use with care.

Note: Chomp Scan is in active development, and new/different tools will be added as I come across them. Pull requests and comments welcome!
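The three housekeeping behaviours described above (the timestamped output directory, the "interesting words" flagging, and a blacklist that trims the scan target list without touching the resolved list) are easy to model in a few POSIX shell functions. The block below is an added illustration written for this post; it is not Chomp Scan's own code, and the function names, the constructed host list and the two sample word lists are assumptions chosen for the demonstration.

```shell
#!/usr/bin/env sh
# Added example, not part of the Chomp Scan project.
# Models three behaviours of a recon pipeline on constructed sample data:
#   make_outdir      - <domain>-<HH:MM:SS> output directory, or a custom one (-o style)
#   flag_interesting - hosts whose name contains an "interesting" word (-X style list)
#   apply_blacklist  - drops blacklisted hosts from the scan target list only (-b style)

# Constructed sample data (assumed, not real scan output): resolved subdomains,
# the interesting-word list and the blacklist, each newline-separated.
RESOLVED="www.example.com
dev.example.com
uat-api.example.com
staging.example.com
mail.example.com"

INTERESTING="dev
test
uat
staging"

BLACKLIST="mail.example.com
staging.example.com"

# Build the output directory name. $1 = domain, $2 = custom directory (empty
# for none), $3 = optional time stamp so the result is reproducible in tests.
make_outdir() {
    domain="$1"; custom="$2"; stamp="${3:-$(date +%H:%M:%S)}"
    if [ -n "$custom" ]; then
        printf '%s\n' "$custom"
    else
        printf '%s-%s\n' "$domain" "$stamp"
    fi
}

# Print each host from $1 whose name contains any word from $2 (case-insensitive
# substring match, so "uat-api" is flagged by "uat"). Order is preserved.
flag_interesting() {
    printf '%s\n' "$1" | awk -v words="$2" '
        BEGIN { n = split(words, w, "\n") }
        NF {
            for (i = 1; i <= n; i++)
                if (w[i] != "" && index(tolower($0), tolower(w[i])) > 0) { print; break }
        }'
}

# Print hosts from $1 that are not listed (exact match) in blacklist $2.
# The caller keeps the full resolved list; only the target list is filtered,
# matching the blacklist semantics described above.
apply_blacklist() {
    printf '%s\n' "$1" | awk -v bl="$2" '
        BEGIN {
            n = split(bl, b, "\n")
            for (i = 1; i <= n; i++) if (b[i] != "") skip[b[i]] = 1
        }
        NF && !($0 in skip)'
}

# Demonstration run on the constructed data.
outdir=$(make_outdir example.com "" "21:38:15")
printf 'Output directory: %s\n' "$outdir"
printf '\nFlagged (interesting) hosts:\n'
flag_interesting "$RESOLVED" "$INTERESTING"
printf '\nPort-scan / content-discovery targets after blacklist:\n'
apply_blacklist "$RESOLVED" "$BLACKLIST"
```

Keeping the blacklist as a filter on the target list rather than on the resolved list is what lets the resolved output stay complete for reporting while out-of-scope hosts never reach the noisier scanning phases; the substring match in flag_interesting is deliberately loose, which is why a word like "test" will also flag hosts such as "contest" and the list is worth tuning per engagement.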

Scanning Phases

Subdomain Discovery (3 different sized wordlists)

    dnscan
    subfinder
    sublist3r
    massdns + altdns


Screenshots (optional)

    aquatone


Port Scanning (optional)

    masscan and/or nmap
    nmap output styled with nmap-bootstrap-xsl


Information Gathering (optional) (4 different sized wordlists)

    subjack
    bfac
    whatweb
    wafw00f
    nikto


Content Discovery (optional) (4 different sized wordlists)

    ffuf
    gobuster
    dirsearch
