SolomonSklash edited this page Apr 8, 2019 · 59 revisions

General Usage

Chomp Scan allows you to use multiple tools in a chain, feeding the results of one into the next. Depending on the usage mode, you can pick which tools to use. You can also select a range of other options, like whether to use HTTP or HTTPS to access URLs, what output directory to use, what wordlists to use, etc.

Chomp Scan begins with the domain name you would like to scan. During every run, subdomain enumeration will be performed. This generates the input for all other tools. This can be done with one of the built-in named wordlists, or with a custom wordlist you provide. A blacklist file can be supplied, which will prevent certain domain names from being scanned. Note that this will not prevent them from being resolved, but only from being used in later tools. HTTPS is the default for all URLs, but this can be changed via the -H flag or in the Configuration File.

Chomp Scan uses the concept of "interesting domains" to determine which domains to target. These interesting domains are based on the interesting.txt text file in the root of the chomp-scan directory. This is a custom list of potentially interesting/valuable subdomain prefixes that allows Chomp Scan to focus on only the most promising targets and save you time. By default, Chomp Scan uses the interesting domains found in the subdomain enumeration phase to feed the tools of the remaining phases. This behavior can be changed to scan all discovered resolvable domains by passing the -a flag on the command line or setting the appropriate field in the Configuration File.

A notification can be sent when Chomp Scan has finished running via its Notica integration. Visit the Notica site and you will receive a unique URL parameter similar to notica.us/?abcdEFGH. Pass this URL parameter value to Chomp Scan via the command line flag -n abcdEFGH or through the Configuration File. (Make sure not to include the question mark.) Then keep the Notica page open in a browser tab on your phone or computer and you will be notified when Chomp Scan is finished running.

Chomp Scan supports limited canceling/skipping of tools by pressing Ctrl-c. This can sometimes have unintended side effects, so use with care.

Phases

Scanning is performed in up to five different phases:

  • Subdomain enumeration (always performed)
  • Screenshots (optional)
  • Port scanning (optional)
  • Information gathering (optional)
  • Content discovery (optional)

Subdomain Enumeration

Subdomain enumeration is always performed, using one or more of dnscan, subfinder, sublist3r, knock, and amass, plus massdns. Massdns is always run, in order to find valid domains that resolve to an IP address.

All discovered domains, whether they resolve or not, are stored in all_discovered_domains.txt. All resolved domains are stored in all_resolved_domains.txt, and all discovered IP addresses are stored in all_discovered_ips.txt. Only unique subdomains and IPs are saved, as Chomp Scan automatically filters out duplicates. See Output for more information on how and where output is stored.
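The merge, de-duplication and interesting/blacklist selection described above, as an added shell example that is not Chomp Scan's own code. It constructs its own sample tool output, matches an interesting word as a substring of the subdomain part (Chomp Scan's own matching of interesting.txt may differ), and runs the selection over the merged list as a stand-in for the resolved list that massdns would normally produce in between.

```shell
#!/usr/bin/env bash
# Added example, not Chomp Scan's own code. Sample data below is constructed.
# Chomp Scan's real interesting.txt matching and file layout may differ.

# Merge any number of per-tool domain lists into one lower-cased, unique list
# (wildcard prefixes such as "*." are dropped, blank lines removed).
merge_unique() {
  cat "$@" | tr 'A-Z' 'a-z' | sed 's/^\*\.//' | grep -v '^$' | sort -u
}

# select_targets RESOLVED_FILE INTERESTING_FILE BLACKLIST_FILE ROOT_DOMAIN
# Print the domains under ROOT_DOMAIN whose subdomain part contains any word
# from the interesting list, skipping any domain listed in the blacklist.
select_targets() {
  local resolved="$1" interesting="$2" blacklist="$3" root="$4" d sub
  while IFS= read -r d; do
    # Blacklisted names are still resolved but never fed to later tools.
    grep -qxF "$d" "$blacklist" 2>/dev/null && continue
    sub="${d%".$root"}"
    [ "$sub" = "$d" ] && continue          # not under the root domain
    if printf '%s' "$sub" | grep -qF -f "$interesting"; then
      printf '%s\n' "$d"
    fi
  done < "$resolved"
}

# Demo with constructed tool output (file names mirror the wiki).
demo=$(mktemp -d)
printf 'www.example.com\ndev.example.com\nMail.example.com\n' > "$demo/dnscan-domains.txt"
printf 'dev.example.com\napi-staging.example.com\nvpn.example.com\n' > "$demo/subfinder-domains.txt"
printf 'dev\nstaging\nvpn\nadmin\n' > "$demo/interesting.txt"
printf 'vpn.example.com\n' > "$demo/blacklist.txt"
merge_unique "$demo"/*-domains.txt > "$demo/all_discovered_domains.txt"
# In a real run massdns would first reduce this to all_resolved_domains.txt.
echo "targets:"
select_targets "$demo/all_discovered_domains.txt" "$demo/interesting.txt" \
  "$demo/blacklist.txt" example.com
rm -rf "$demo"
```

With the constructed data the demo prints api-staging.example.com and dev.example.com: vpn.example.com is dropped by the blacklist even though "vpn" is an interesting word, and www/mail are never interesting. Substring matching is deliberate so that names like api-staging still match "staging"; tighten it to whole-label matching if it produces too many targets.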

Goaltdns can optionally be run in conjunction with massdns, in order to generate and resolve additional domains based on patterns and frequently used subdomain names.

Screenshots

Screenshots can optionally be taken of discovered resolvable domains using aquatone. The resulting screenshots and HTML report are located in the aquatone subdirectory beneath the main output directory.

Port scanning

Chomp Scan uses two tools for port scanning: masscan and nmap.

Masscan must be run as root, so when masscan is enabled a prompt will appear asking whether you want to re-run the scan as root, skip masscan altogether, or be prompted for the sudo password when masscan runs. The last option will make the scan hang until the password is entered, so make sure this is what you want before selecting it. Nmap will still run if masscan is skipped. If you are using Notica, a notification will be sent when the sudo password is needed for masscan, so you can let the scan run until masscan needs your password without worrying that it will hang without you knowing about it.

Nmap is run with all output options set (-oA), resulting in three output files. The XML output file, nmap-output.xml, uses the fantastic nmap-bootstrap-xsl style sheet to format the output.

Information Gathering

Information gathering can optionally be performed with subjack, CORStest, S3Scanner, bfac, whatweb, wafw00f, and nikto.

These tools are only run against resolvable domains, to reduce false positives and speed up scan times. Some false positives are nonetheless unavoidable: a domain may resolve but expose only non-web ports such as SSH, in which case web scanning tools cannot assess it effectively.

Content Discovery

Content discovery can optionally be performed with inception, waybackurls, ffuf, gobuster, and dirsearch.

The output of ffuf and gobuster is parsed to remove empty results and to make identifying promising targets easier. See Output for more details.

Modes

There are four primary modes, or ways of running Chomp Scan:

  • The configuration file
  • The CLI
  • Interactive mode
  • Non-interactive mode

The Configuration File

Chomp Scan supports the use of a configuration file to pick tools, set wordlists, and select other settings. This provides the most granular control over all possible options and is the recommended way of running Chomp Scan. See the Configuration File wiki page for details.

The CLI

CLI mode works like any other command-line tool. The -h help flag is self-explanatory and describes each flag and its arguments.

The complete list of flags is below:

chomp-scan.sh -u example.com -a -d short -cC large -p -o path/to/directory

Usage of Chomp Scan:
        -u domain
                 (required) Domain name to scan. This should not include a scheme, e.g. https:// or http://.
        -L config-file
                 (optional) The path to a config file. This can be used to provide more granular control over what tools are run.
        -d wordlist
                 (optional) The wordlist to use for subdomain enumeration. Three built-in lists, short, long, and huge can be used, as well as the path to a custom wordlist. The default is short.
        -c
                 (optional) Enable content discovery phase. The wordlist for this option defaults to short if not provided.
        -C wordlist
                 (optional) The wordlist to use for content discovery. Five built-in lists, small, medium, large, xl, and xxl can be used, as well as the path to a custom wordlist. The default is small.
        -P file-path
                 (optional) Set a custom directory for the location of tools. The path must exist and the directory must contain all needed tools.
        -s
                 (optional) Enable screenshots using Aquatone.
        -i
                 (optional) Enable information gathering phase, using subjack, CORStest, S3Scanner, bfac, whatweb, wafw00f, and nikto.
        -p
                 (optional) Enable portscanning phase, using masscan (run as root) and nmap.
        -I
                 (optional) Enable interactive mode. This allows you to select certain tool options and inputs interactively. This cannot be run with -D.
        -D
                 (optional) Enable default non-interactive mode. This mode uses pre-selected defaults and requires no user interaction or options. This cannot be run with -I.
                            Options: Subdomain enumeration wordlist: short.
                                     Content discovery wordlist: small.
                                     Aquatone screenshots: yes.
                                     Portscanning: yes.
                                     Information gathering: yes.
                                     Domains to scan: all unique discovered.
        -b wordlist
                 (optional) Set custom domain blacklist file.
        -X wordlist
                 (optional) Set custom interesting word list.
        -o directory
                 (optional) Set custom output directory. It must exist and be writable.
        -a
                 (optional) Use all unique discovered domains for scans, rather than interesting domains. This cannot be used with -A.
        -A
                 (optional, default) Use only interesting discovered domains for scans, rather than all discovered domains. This cannot be used with -a.
        -H
                 (optional) Use HTTP for connecting to sites instead of HTTPS.
        -r
                 (optional) Enable creation of Burp scope JSON file with rescope.
        -h
                 (optional) Display this help page.

Interactive Mode

Interactive mode is a special mode that allows you to select each scanning phase and wordlist as the scan runs. Prompts will appear at each phase asking what tools and lists to use. It can be started by using the -I flag by itself from the command line. This mode cannot be combined with non-interactive mode (-D).

Non-Interactive Mode

Non-interactive mode allows you to start running Chomp Scan quickly without needing to look through and decide on each possible option and wordlist. It uses the following defaults:

  • Subdomain enumeration wordlist: short.
  • Content discovery wordlist: small.
  • Aquatone screenshots: yes.
  • Portscanning: yes.
  • Information gathering: yes.
  • Domains to scan: all unique discovered.

Tool Locations

By default, Chomp Scan assumes that all tools are located at ~/bounty/tools. It checks this location for all needed tools and will not run if any are missing. This location can be changed to a custom location by passing the -P command line flag, or by setting the TOOL_PATH variable in the Configuration File. When installing Chomp Scan via the installer.sh script, you can pass a file path to install all tools to, and then reference that path via the above options when running Chomp Scan.

Output

For each run of Chomp Scan, a timestamped output directory is created, based on the domain name provided. This allows multiple runs against the same domain without overwriting older data, and makes for easy grepping. Optionally, the -o flag or the Configuration File can be used to pass a valid writable directory to use for storing output.
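The two pre-run checks described in the Tool Locations and Output sections, verifying the tools under TOOL_PATH and choosing the output directory, as an added shell example that is not Chomp Scan's own code. It assumes each tool is a file or directory named after the tool directly under TOOL_PATH, and uses a constructed directory name format (domain-YYYYmmdd-HHMMSS) as a stand-in for whatever timestamp format Chomp Scan actually produces.

```shell
#!/usr/bin/env bash
# Added example, not Chomp Scan's own code. Assumes each tool lives as a
# file or directory named after it directly under TOOL_PATH, and uses a
# constructed directory name format (domain-YYYYmmdd-HHMMSS).
TOOL_PATH="${TOOL_PATH:-$HOME/bounty/tools}"

# check_tools DIR TOOL...
# Report every required tool missing under DIR on stderr; return 1 if any are.
check_tools() {
  local dir="$1" t rc=0
  shift
  for t in "$@"; do
    if [ ! -e "$dir/$t" ]; then
      echo "missing tool: $dir/$t" >&2
      rc=1
    fi
  done
  return "$rc"
}

# output_dir DOMAIN [CUSTOM_DIR]
# Print the directory to write results to. A custom directory (the -o flag)
# must already exist and be writable; otherwise a fresh timestamped directory
# named after the domain is created so repeated runs never overwrite each other.
output_dir() {
  local domain="$1" custom="${2:-}" dir
  if [ -n "$custom" ]; then
    [ -d "$custom" ] && [ -w "$custom" ] || return 1
    dir="$custom"
  else
    dir="$domain-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dir" || return 1
  fi
  printf '%s\n' "$dir"
}

# Demo: refuse to start when anything is missing, as Chomp Scan does.
if check_tools "$TOOL_PATH" massdns nmap masscan aquatone; then
  echo "all tools present under $TOOL_PATH"
else
  echo "some tools are missing under $TOOL_PATH; set TOOL_PATH or use -P" >&2
fi
```

Failing early on a missing tool is what keeps a long chained scan from dying halfway through; the output_dir check mirrors the -o requirement that a user-supplied directory already exists and is writable rather than being silently created.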

The output of each tool is stored in the output directory, with certain tools using a subdirectory if they create a large number of output files.

Three primary output files are generated after each scan.

all_resolved_domains.txt contains all domains discovered that resolve to an IP address. This is one of the first places you'll want to look after a scan completes.

all_discovered_domains.txt contains all of the domains Chomp Scan found, whether they resolve to an IP address or not. Some domains may be old and no longer in use, and some may be used intermittently or for testing and thus worth keeping an eye on.

all_discovered_ips.txt contains all the IP addresses that were found as a result of DNS lookups performed during the subdomain enumeration phase. This is also the input to masscan and nmap.

Below is a breakdown of the output of each different tool, and the parsing, if any, that is done. The parsing is currently a work in progress, and more will be added in the future.

| Tool | File Output | Parsing |
|------|-------------|---------|
| dnscan | dnscan-ips.txt, dnscan-domains.txt | None |
| subfinder | subfinder-domains.txt | None |
| sublist3r | sublist3r-output.txt | None |
| knock | knock-output.txt | None |
| amass | amass-output.txt | None |
| goaltdns | goaltdns-output.txt | None |
| massdns | massdns-appended.txt, massdns-CNAMEs.txt, massdns-result.txt | None |
| aquatone | aquatone/ directory: aquatone_report.html, aquatone_urls.txt, headers/, html/, screenshots/ | None |
| masscan | masscan-output.txt | None |
| nmap | nmap-output.gnmap, nmap-output.nmap, nmap-output.xml | None |
| gobuster | gobuster/ directory, gobuster/DOMAIN | Each domain output file is parsed for the total number of each HTTP response code found. Each one can be easily seen by running head -15 gobuster/*-parsed. |
| ffuf | ffuf/ directory, ffuf/DOMAIN | Each domain output file is parsed for the total number of each HTTP response code found. Each one can be easily seen by running head ffuf/*-parsed. |
| dirsearch | dirsearch/ directory, dirsearch/DOMAIN.txt | None |
| inception | inception-output.txt | None |
| waybackurls | waybackurls-output.txt | None |
| bfac | bfac/ directory, bfac/DOMAIN | None |
| nikto | nikto/ directory, nikto/DOMAIN.txt | None |
| whatweb | whatweb/ directory, whatweb/DOMAIN | None |
| wafw00f | wafw00f/ directory, wafw00f/DOMAIN | None |
| subjack | subjack-https-output.txt, subjack-http-output.txt | None |
| corstest | CORStest-output.txt | None |
| s3scanner | s3scanner-output.txt | None |
| rescope | burp-scope.json | None |
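The response-code summary described in the Content Discovery section and in the gobuster and ffuf rows of the table, as an added shell example that is not Chomp Scan's own parser. It assumes gobuster-style lines of the form `/path (Status: NNN) [Size: N]` (ffuf's default output also carries a `Status: NNN` field, so the same extraction applies), a constructed sample file, and the `*-parsed` output naming from the table.

```shell
#!/usr/bin/env bash
# Added example, not Chomp Scan's own parser. Assumes gobuster-style lines
# ("/path (Status: NNN) [Size: N]"); ffuf's default output also carries a
# "Status: NNN" field, so the same extraction works. Sample data is constructed.

# summarize_status_codes FILE
# Print "CODE COUNT" lines, most frequent first, for the hits in FILE.
summarize_status_codes() {
  grep -o 'Status: [0-9][0-9][0-9]' "$1" \
    | awk '{print $2}' | sort | uniq -c | sort -rn \
    | awk '{printf "%s %s\n", $2, $1}'
}

# parse_results DIR
# For every per-domain output file in DIR, write DIR/DOMAIN-parsed holding the
# status-code summary followed by the hit lines. Files with no hits (empty
# results) get no parsed file at all, so they do not clutter the review.
parse_results() {
  local f
  for f in "$1"/*; do
    case "$f" in *-parsed) continue ;; esac
    grep -q 'Status: [0-9]' "$f" 2>/dev/null || continue
    {
      echo "# HTTP status codes for $(basename "$f")"
      summarize_status_codes "$f"
      echo "#"
      grep 'Status: [0-9]' "$f"
    } > "$f-parsed"
  done
}

# Demo with a constructed gobuster directory.
demo=$(mktemp -d)
printf '/admin (Status: 301) [Size: 0]\n/index.html (Status: 200) [Size: 1234]\n/login (Status: 200) [Size: 512]\n/secret (Status: 403) [Size: 0]\n' > "$demo/example.com"
: > "$demo/empty.example.com"      # a domain with no hits
parse_results "$demo"
head -15 "$demo"/*-parsed
rm -rf "$demo"
```

Putting the per-code totals at the top of each parsed file is what makes `head -15 gobuster/*-parsed` useful: a domain with a handful of 200s among hundreds of 403s stands out without opening the full output.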