SolomonSklash / chomp-scan

A scripted pipeline of tools to streamline the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs.

Home Page:https://www.solomonsklash.io/chomp-scan-update.html


New Tool Requests

SolomonSklash opened this issue · comments

Please leave a comment here with requests for new tools. Make sure to include a link to the tool and a description of what the tool does and how you see it fitting into Chomp Scan.

Interlace
I haven't looked at whether all tools are multi-threaded, but in case they're not, I recently discovered https://github.com/codingo/Interlace

Easily turn single threaded command line applications into a fast, multi-threaded application with CIDR and glob support.

VHostScan
https://github.com/codingo/VHostScan

A virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.

parameth must be included
Link: https://github.com/maK-/parameth
I could suggest the future function would be something like
mkdir "$WORKING_DIR"/parameth;
then
cat "$WORKING_DIR"/"$ALL_RESOLVED" | while read -r url; do python "$TOOL_PATH"/parameth/parameth.py -u https://"$url" -p "$TOOL_PATH"/parameth/lists/all.txt -o "$WORKING_DIR"/parameth/"$url".txt -T 10 -t 40 -x 404,500,503; done
then if you want to filter GET request parameters
cat "$WORKING_DIR"/parameth/*.txt | grep -E -o "http.*s$" > "$WORKING_DIR"/parameth-get.txt

Sublist3r is not being maintained by anybody for now, and it started giving out some
"IndexError: list index out of range" errors on an Ubuntu machine.
I noticed another project has taken over a fork of Sublist3r and is working on improving the tool.

https://github.com/fleetcaptain/Turbolist3r

I tried modifying line 95, leaving everything else untouched, and it works pretty much the same.

Line95: SUBLIST3R=$TOOL_PATH/Turbolist3r/turbolist3r.py;

Let me know if we can make this small change.

Would you like to add crt.sh as well, in order to find subdomains that are already out there alongside the brute-forcing? We'd be missing out on gathering existing available information otherwise.
Got this handy command from nahamsec that cleans up the result of the crt.sh query and only gives out IP addresses:

curl -s "https://crt.sh/?q=%.$i&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee -a all.txt

Maybe both files' output can be compared and cleaned up after combining them, in case the brute-force misses any subdomain for any possible reason!
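Taking the crt.sh command above together with the compare-and-clean idea, here is an added example (not chomp-scan's own code) that pulls hostnames out of crt.sh JSON with only grep/awk/sed so it also works where jq is not installed, and lists what the brute-force run missed. $WORKING_DIR and $ALL_RESOLVED are chomp-scan's names from the parameth comment; the temp-file handling and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: merge crt.sh certificate-transparency names with the
# brute-forced list in "$WORKING_DIR"/"$ALL_RESOLVED" and report the gap.
export LC_ALL=C   # deterministic sort order for comm

# Read crt.sh JSON on stdin and print unique lowercase hostnames.
# name_value may hold several names separated by a literal "\n", and
# wildcard entries ("*.example.com") are reduced to the bare domain.
crtsh_names() {
  grep -o '"name_value":"[^"]*"' \
    | sed -e 's/^"name_value":"//' -e 's/"$//' \
    | awk '{ gsub(/\\n/, "\n"); print }' \
    | sed 's/^\*\.//' \
    | tr 'A-Z' 'a-z' \
    | grep -v '^$' \
    | sort -u
}

# Print names found by crt.sh ($2, already sorted by crtsh_names)
# that are missing from the brute-force list ($1).
missed_by_bruteforce() {
  tmp=$(mktemp)
  sort -u "$1" > "$tmp"
  comm -13 "$tmp" "$2"
  rm -f "$tmp"
}

# Live query (needs network): same pipeline as the comment above, with the
# '%' wildcard percent-encoded and the URL quoted so the shell leaves it alone.
crtsh_query() {
  curl -s "https://crt.sh/?q=%25.$1&output=json" | crtsh_names
}

# Typical use inside a chomp-scan run (assumed paths):
#   crtsh_query "$DOMAIN" > "$WORKING_DIR"/crtsh.txt
#   missed_by_bruteforce "$WORKING_DIR"/"$ALL_RESOLVED" "$WORKING_DIR"/crtsh.txt
```

Names in the crt.sh list are only certificate subjects, so they still need resolving before joining the "resolved" list.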