Rizwan Syed edited this page Oct 13, 2023 · 1 revision

Usage

To use CHOMTE.SH, run the script with the following flags:

└─# ./chomte.sh


 ██████╗██╗  ██╗ ██████╗ ███╗   ███╗████████╗███████╗   ███████╗██╗  ██╗
██╔════╝██║  ██║██╔═══██╗████╗ ████║╚══██╔══╝██╔════╝   ██╔════╝██║  ██║
██║     ███████║██║   ██║██╔████╔██║   ██║   █████╗     ███████╗███████║
██║     ██╔══██║██║   ██║██║╚██╔╝██║   ██║   ██╔══╝     ╚════██║██╔══██║
╚██████╗██║  ██║╚██████╔╝██║ ╚═╝ ██║   ██║   ███████╗██╗███████║██║  ██║
 ╚═════╝╚═╝  ╚═╝ ╚═════╝ ╚═╝     ╚═╝   ╚═╝   ╚══════╝╚═╝╚══════╝╚═╝  ╚═╝

 U S A G E
Usage: ./chomte.sh -p <ProjectName> -d <domain.com> [option]
Usage: ./chomte.sh -p <ProjectName> -i <127.0.0.1> [option]
Usage: ./chomte.sh -p projectname -d example.com -brt -jsd -sto -n -cd -e -js -ex
Usage: ./chomte.sh -p projectname -d Domains-list.txt
Usage: ./chomte.sh -p projectname -i 127.0.0.1
Usage: ./chomte.sh -p projectname -i IPs-list.txt -n -cd -e -js -ex

Mandatory Flags:
    -p   | --project <string>       : Specify Project Name here
    -d   | --domain <string>        : Specify Root Domain here / Domain List here
      OR
    -i   | --ip <string>            : Specify IP / IPlist here - Starts with Naabu
    -c   | --cidr | --asn <string>  : CIDR / ASN - Starts with Nmap Host Discovery
      OR
    -hpl | --hostportlist <filename>: HTTP Probing on Host:Port List

╔════════════════════════════════════════════════════════════════════════════════╗
        Optional Flags - Only applicable with domain -d flag
╚════════════════════════════════════════════════════════════════════════════════╝


    -sd | --singledomain            : Single Domain for In-Scope Engagement
    -pp   | --portprobe             : Probe HTTP web services in ports other than 80 & 443
    -a   | --all                    : Run all required scans
    -rr   | --rerun                 : ReRun the scan again
    -brt | --dnsbrute               : DNS Recon Bruteforce
        -ax | --alterx              : Subdomain Bruteforcing using DNSx on Alterx Generated Domains
    -sto | --takeover               : Subdomain Takeover Scan


╔════════════════════════════════════════════════════════════════════════════════╗
        Global Flags - Applicable with both -d / -i
╚════════════════════════════════════════════════════════════════════════════════╝
    -s   | --shodan                    : Shodan Deep Recon - API Key Required
    -n   | --nmap                      : Nmap Scan against open ports
    -e   | --enum                      : Active Recon
       -cd  | --content                : Content Discovery Scan
       -cd  | --content subdomains.txt : Content Discovery Scan
       -ru  | --reconurl               : URL Recon; applicable with enum -e flag
       -ex  | --enumxnl                : XNL JS Recon; applicable with enum -e flag
       -nf  | --nucleifuzz             : Nuclei Fuzz; applicable with enum -e flag
    -h   | --help                      : Show this help

Mandatory Flags

  • -p or --project: Specify the project name here.
  • -d or --domain: Specify the root domain here or a domain list.
  • -i or --ip: Specify the IP/CIDR/IP list here.

Optional Flags

  • -n or --nmap: Nmap scan against open ports.
  • -brt or --dnsbrute: DNS recon bruteforce.
  • -hpl or --hostportlist: HTTP probing on a Host:Port list.
  • -cd or --content: Content discovery; a path is optional.
  • -e or --enum: Active enumeration based on detected technologies.
  • -h or --help: Show help.

Example

Here are some example commands:

| Mode | Command |
|------|---------|
| Gather subdomains and perform HTTP probing | `./chomte.sh -p projectname -d example.com` |
| Bruteforce subdomains with dmut | `./chomte.sh -p projectname -d example.com -brt` |
| Perform AlterX bruteforcing using DNSx | `./chomte.sh -p projectname -d example.com -brt -ax` |
| Subdomain takeover scan using Subjack and Nuclei | `./chomte.sh -p projectname -d example.com -brt -ax -sto` |
| Port scanning and then HTTP probing on open ports | `./chomte.sh -p projectname -d example.com -pp` |
| Nmap scan on open ports + CSV/HTML reporting | `./chomte.sh -p projectname -d example.com -pp -n` |
| EnumScan: content discovery scan on potential URLs | `./chomte.sh -p projectname -d example.com -e -cd` |
| EnumScan: URL recon function | `./chomte.sh -p projectname -d example.com -e -ru` |
| EnumScan: Nuclei fuzzer template scan on potential parameter URLs | `./chomte.sh -p projectname -d example.com -e -ru -nf` |
| EnumScan: run all enum modules | `./chomte.sh -p projectname -d example.com -e -cd -ru -nf` |
| EnumScan: XNL JS recon and Trufflehog secret scan | `./chomte.sh -p projectname -d example.com -e -ex` |
| Perform all applicable scans | `./chomte.sh -p projectname -d example.com -all` |
| Input list of domains in scope | `./chomte.sh -p projectname -d Domains-list.txt` |
| Single domain for in-scope engagements | `./chomte.sh -p projectname -d target.com -sd` |
| Single IP scan | `./chomte.sh -p projectname -i 127.0.0.1` |
| CIDR / subnet scan | `./chomte.sh -p projectname -i 192.168.10.0/24` |
| Perform Nmap scan on open ports | `./chomte.sh -p projectname -i IPs-list.txt -n` |
| Perform host:port HTTP probing and enum | `./chomte.sh -p projectname -hpl hostportlist.txt -e -cd` |
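The three input flags above each expect a different shape of list: `-d` a root domain or domain-list file, `-i` an IP, CIDR or IP-list file, `-hpl` a file of `host:port` lines. The following wrapper is an added example, not part of CHOMTE.SH: it classifies each line of a target file, rejects malformed or mixed files before anything is scanned, and prints the matching flag so the list cannot be handed to the wrong mode by accident. The function names `classify_target` and `chomte_flag_for_file` are assumptions of this example.

```shell
#!/bin/sh
# Example helper (not part of CHOMTE.SH): pick the right input flag for a list file.
OCT='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
IPV4="$OCT\\.$OCT\\.$OCT\\.$OCT"

# Print one of: ip, cidr, hostport, domain, invalid
classify_target() {
  t=$1
  if printf '%s\n' "$t" | grep -Eq "^$IPV4$"; then echo ip
  elif printf '%s\n' "$t" | grep -Eq "^$IPV4/([0-9]|[12][0-9]|3[0-2])$"; then echo cidr
  elif printf '%s\n' "$t" | grep -Eq '^[A-Za-z0-9.-]+:[1-9][0-9]{0,4}$'; then echo hostport
  elif printf '%s\n' "$t" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'; then echo domain
  else echo invalid
  fi
}

# Decide which CHOMTE.SH flag fits a list file: -d for domains, -i for IPs/CIDRs,
# -hpl for host:port lines. Mixed or malformed files are rejected instead of
# being passed on with some lines silently misread.
chomte_flag_for_file() {
  file=$1; kind=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')  # drop comments and blanks
    [ -z "$line" ] && continue
    k=$(classify_target "$line")
    case $k in
      cidr) k=ip ;;                                   # -i takes IPs and CIDRs alike
      invalid) echo "invalid target: $line" >&2; return 1 ;;
    esac
    if [ -z "$kind" ]; then kind=$k
    elif [ "$kind" != "$k" ]; then
      echo "mixed target kinds in $file: $kind vs $k" >&2; return 1
    fi
  done < "$file"
  case $kind in
    domain)   echo "-d $file" ;;
    ip)       echo "-i $file" ;;
    hostport) echo "-hpl $file" ;;
    *)        echo "no targets in $file" >&2; return 1 ;;
  esac
}

# Intended use (targets.txt is a constructed placeholder):
#   ./chomte.sh -p projectname $(chomte_flag_for_file targets.txt) -n
```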