Added S3Scanner.
bellma101 committed Mar 6, 2019
1 parent ed5800d commit 001b422
Showing 6 changed files with 84 additions and 4 deletions.
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -40,6 +40,7 @@ Chomp Scan supports limited canceling/skipping of tools by pressing Ctrl-c. This
#### Information Gathering (optional) (4 different sized wordlists)
* [subjack](https://github.com/haccer/subjack)
* [CORStest](https://github.com/RUB-NDS/CORStest)
* [S3Scanner](https://github.com/sa7mon/S3Scanner)
* [bfac](https://github.com/mazen160/bfac)
* [whatweb](https://github.com/urbanadventurer/whatweb/)
* [wafw00f](https://github.com/EnableSecurity/wafw00f)
Expand Down Expand Up @@ -105,7 +106,7 @@ Usage of Chomp Scan:
-s
(optional) Enable screenshots using Aquatone.
-i
(optional) Enable information gathering phase, using subjack, CORStest, bfac, whatweb, wafw00f, and nikto.
(optional) Enable information gathering phase, using subjack, CORStest, S3Scanner, bfac, whatweb, wafw00f, and nikto.
-p
(optional) Enable portscanning phase, using masscan (run as root) and nmap.
-I
64 changes: 61 additions & 3 deletions chomp-scan.sh
Expand Up @@ -51,6 +51,7 @@ ENABLE_GOBUSTER=0;
ENABLE_DIRSEARCH=0;
ENABLE_SUBJACK=0;
ENABLE_CORSTEST=0;
ENABLE_S3SCANNER=0;
ENABLE_BFAC=0;
ENABLE_WHATWEB=0;
ENABLE_WAFW00F=0;
Expand Down Expand Up @@ -82,6 +83,7 @@ BFAC=~/bounty/tools/bfac/bfac;
DIRSEARCH=~/bounty/tools/dirsearch/dirsearch.py;
SNALLY=~/bounty/tools/snallygaster/snallygaster;
CORSTEST=~/bounty/tools/CORStest/corstest.py;
S3SCANNER=~/bounty/tools/S3Scanner/s3scanner.py;

# Other variables
ALL_IP=all_discovered_ips.txt;
Expand Down Expand Up @@ -120,7 +122,7 @@ function usage() {
echo -e "$BLUE""\\t-c \\n\\t\\t$ORANGE (optional) Enable content discovery phase. The wordlist for this option defaults to short if not provided.""$NC";
echo -e "$BLUE""\\t-C wordlist \\n\\t\\t$ORANGE (optional) The wordlist to use for content discovery. Five built-in lists, small, medium, large, xl, and xxl can be used, as well as the path to a custom wordlist. The default is small.""$NC";
echo -e "$BLUE""\\t-s \\n\\t\\t$ORANGE (optional) Enable screenshots using Aquatone.""$NC";
echo -e "$BLUE""\\t-i \\n\\t\\t$ORANGE (optional) Enable information gathering phase, using subjack, CORStest, bfac, whatweb, wafw00f, and nikto.""$NC";
echo -e "$BLUE""\\t-i \\n\\t\\t$ORANGE (optional) Enable information gathering phase, using subjack, CORStest, S3Scanner, bfac, whatweb, wafw00f, and nikto.""$NC";
echo -e "$BLUE""\\t-p \\n\\t\\t$ORANGE (optional) Enable portscanning phase, using masscan (run as root) and nmap.""$NC";
echo -e "$BLUE""\\t-I \\n\\t\\t$ORANGE (optional) Enable interactive mode. This allows you to select certain tool options and inputs interactively. This cannot be run with -D.""$NC";
echo -e "$BLUE""\\t-D \\n\\t\\t$ORANGE (optional) Enable default non-interactive mode. This mode uses pre-selected defaults and requires no user interaction or options. This cannot be run with -I.""$NC";
Expand Down Expand Up @@ -311,6 +313,10 @@ function parse_config() {
ENABLE_CORSTEST=1;
fi

if [[ $(grep '^ENABLE_S3SCANNER' "$CONFIG_FILE" | cut -d '=' -f 2) == "YES" ]]; then
ENABLE_S3SCANNER=1;
fi

if [[ $(grep '^ENABLE_BFAC' "$CONFIG_FILE" | cut -d '=' -f 2) == "YES" ]]; then
ENABLE_BFAC=1;
fi
Expand Down Expand Up @@ -617,6 +623,10 @@ function check_paths() {
echo -e "$RED""[!] The path or the file specified by the path for CORStest does not exit.";
exit 1;
fi
if [[ "$S3SCANNER" == "" ]] || [[ ! -f "$S3SCANNER" ]]; then
echo -e "$RED""[!] The path or the file specified by the path for S3Scanner does not exit.";
exit 1;
fi
}

function unique() {
Expand Down Expand Up @@ -1606,12 +1616,34 @@ function run_corstest() {
fi
}

function run_s3scanner() {
# Call with domain as $1 and domain list as $2
if [[ $2 == $WORKING_DIR/$ALL_RESOLVED ]]; then
echo -e "$GREEN""[i]$BLUE Running S3Scanner against all $(wc -l "$2" | cut -d ' ' -f 1) unique discovered domains.""$NC";
echo -e "$GREEN""[i]$BLUE Command: s3scanner.py ""$NC";
# Run S3Scanner
START=$(date +%s);
python "$S3SCANNER" "$2" -d -l -o "$WORKING_DIR"/s3scanner-output.txt;
END=$(date +%s);
DIFF=$(( END - START ));
echo -e "$GREEN""[i]$BLUE S3Scanner took $DIFF seconds to run.""$NC";
else
echo -e "$GREEN""[i]$BLUE Running S3Scanner against all $(wc -l "$2" | cut -d ' ' -f 1) discovered interesting domains.""$NC";
echo -e "$GREEN""[i]$BLUE Command: s3scanner.py ""$NC";
# Run S3Scanner
START=$(date +%s);
python "$S3SCANNER" "$2" -d -l -o "$WORKING_DIR"/s3scanner-output.txt;
END=$(date +%s);
DIFF=$(( END - START ));
echo -e "$GREEN""[i]$BLUE S3Scanner took $DIFF seconds to run.""$NC";
fi
}

function run_information_gathering() {
# Ask user to do information gathering on discovered domains
while true; do
echo -e "$GREEN""[?] Do you want to begin information gathering on [A]ll/[I]nteresting/[N]o discovered domains?";
echo -e "$ORANGE""[i] This will run subjack, CORStest, bfac, whatweb, wafw00f, and nikto.";
echo -e "$ORANGE""[i] This will run subjack, CORStest, S3Scanner, bfac, whatweb, wafw00f, and nikto.";
read -rp "[?] Please enter A/a, I/i, or N/n. " ANSWER

case $ANSWER in
Expand All @@ -1629,6 +1661,7 @@ while true; do
[sS]* )
run_subjack "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_bfac "$WORKING_DIR"/"$ALL_RESOLVED";
run_whatweb "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_wafw00f "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
Expand All @@ -1638,6 +1671,7 @@ while true; do
[mM]* )
run_subjack "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_bfac "$WORKING_DIR"/"$ALL_RESOLVED";
run_whatweb "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_wafw00f "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
Expand All @@ -1647,6 +1681,7 @@ while true; do
[lL]* )
run_subjack "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_bfac "$WORKING_DIR"/"$ALL_RESOLVED";
run_whatweb "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_wafw00f "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
Expand All @@ -1656,6 +1691,7 @@ while true; do
[xX]* )
run_subjack "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_bfac "$WORKING_DIR"/"$ALL_RESOLVED";
run_whatweb "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_wafw00f "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
Expand All @@ -1665,6 +1701,7 @@ while true; do
[2]* )
run_subjack "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_bfac "$WORKING_DIR"/"$ALL_RESOLVED";
run_whatweb "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_wafw00f "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
Expand Down Expand Up @@ -1703,6 +1740,7 @@ while true; do
[sS]* )
run_subjack "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_bfac "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_whatweb "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_wafw00f "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
Expand All @@ -1712,6 +1750,7 @@ while true; do
[mM]* )
run_subjack "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_bfac "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_whatweb "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_wafw00f "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
Expand All @@ -1721,6 +1760,7 @@ while true; do
[lL]* )
run_subjack "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_bfac "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_whatweb "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_wafw00f "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
Expand All @@ -1730,6 +1770,7 @@ while true; do
[xX]* )
run_subjack "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_bfac "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_whatweb "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_wafw00f "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
Expand All @@ -1739,6 +1780,7 @@ while true; do
[2]* )
run_subjack "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_bfac "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_whatweb "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_wafw00f "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
Expand Down Expand Up @@ -1983,6 +2025,18 @@ if [[ "$CONFIG_FILE" != "" ]]; then
fi
fi

# Run S3Scanner
if [[ "$ENABLE_S3SCANNER" -eq 1 ]]; then
if [[ "$USE_ALL" == 1 ]]; then
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
# Make sure there are interesting domains
elif [[ $(wc -l "$WORKING_DIR"/"$INTERESTING_DOMAINS" | cut -d ' ' -f 1) -gt 0 ]]; then
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
else
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
fi
fi

# Run bfac
if [[ "$ENABLE_BFAC" -eq 1 ]]; then
if [[ "$USE_ALL" == 1 ]]; then
Expand Down Expand Up @@ -2085,6 +2139,7 @@ if [[ "$DEFAULT_MODE" == 1 ]]; then
run_nmap;
run_subjack "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_bfac "$WORKING_DIR"/"$ALL_RESOLVED";
run_nikto "$WORKING_DIR"/"$ALL_RESOLVED";
run_whatweb "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
Expand Down Expand Up @@ -2181,7 +2236,7 @@ fi

# -i information gathering
if [[ "$INFO_GATHERING" == 1 ]]; then
echo -e "$BLUE""[i] Beginning information gathering with subjack, CORStest, bfac, whatweb, wafw00f, and nikto.""$NC";
echo -e "$BLUE""[i] Beginning information gathering with subjack, CORStest, S3Scanner, bfac, whatweb, wafw00f, and nikto.""$NC";
sleep 0.5;

# Call unique to make sure list is up to date for content discovery
Expand All @@ -2190,6 +2245,7 @@ if [[ "$INFO_GATHERING" == 1 ]]; then
if [[ "$USE_ALL" == 1 ]]; then
run_subjack "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_bfac "$WORKING_DIR"/"$ALL_RESOLVED";
run_whatweb "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_wafw00f "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
Expand All @@ -2198,13 +2254,15 @@ if [[ "$INFO_GATHERING" == 1 ]]; then
elif [[ $(wc -l "$WORKING_DIR"/"$INTERESTING_DOMAINS" | cut -d ' ' -f 1) -gt 0 ]]; then
run_subjack "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_bfac "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_whatweb "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_wafw00f "$DOMAIN" "$WORKING_DIR"/"$INTERESTING_DOMAINS";
run_nikto "$WORKING_DIR"/"$INTERESTING_DOMAINS";
else
run_subjack "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_corstest "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_s3scanner "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_bfac "$WORKING_DIR"/"$ALL_RESOLVED";
run_whatweb "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
run_wafw00f "$DOMAIN" "$WORKING_DIR"/"$ALL_RESOLVED";
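Review bot: Both `python "$S3SCANNER"` invocations in `run_s3scanner` pass `-d`, which, if it is S3Scanner's dump option as I read that tool's usage, copies the contents of every open bucket it finds to local disk on each information-gathering run without asking the operator. That pulls data of unknown sensitivity and size onto the machine by default; `-l` already records the finding, and dumping is better left to an explicit opt-in. Separately, the two branches differ only in the wording of the first message, and the unquoted right-hand side of `[[ $2 == $WORKING_DIR/$ALL_RESOLVED ]]` is matched as a glob pattern, so a working directory containing `*`, `?` or `[` can select the wrong branch. The sketch below merges the branches, quotes the comparison and drops `-d`.

```shell
function run_s3scanner() {
	# Call with domain as $1 and domain list as $2
	local scope="discovered interesting";
	# Quoted right-hand side: compare literally, not as a glob pattern
	if [[ "$2" == "$WORKING_DIR/$ALL_RESOLVED" ]]; then
		scope="unique discovered";
	fi
	echo -e "$GREEN""[i]$BLUE Running S3Scanner against all $(wc -l "$2" | cut -d ' ' -f 1) $scope domains.""$NC";
	# … unchanged: command echo and START timestamp …
	# -l only: record listings; leave -d (dump) to an explicit operator choice
	python "$S3SCANNER" "$2" -l -o "$WORKING_DIR"/s3scanner-output.txt;
	# … unchanged: END/DIFF timing and the "took $DIFF seconds" message …
}
```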
1 change: 1 addition & 0 deletions config
Expand Up @@ -44,6 +44,7 @@ CONTENT_WORDLIST=
# Set which tools run
ENABLE_SUBJACK=YES
ENABLE_CORSTEST=YES
ENABLE_S3SCANNER=YES
ENABLE_BFAC=YES
ENABLE_WHATWEB=YES
ENABLE_WAFW00F=YES
10 changes: 10 additions & 0 deletions installer.sh
Expand Up @@ -23,6 +23,7 @@ function install_kali() {
install_aquatone;
install_sublist3r;
install_corstest;
install_s3scanner;
install_go_tools;
}
function install_debian() {
Expand All @@ -37,6 +38,7 @@ function install_debian() {
install_aquatone;
install_sublist3r;
install_corstest;
install_s3scanner;
install_nikto;
install_go;
install_go_tools;
Expand All @@ -52,6 +54,7 @@ function install_ubuntu() {
install_aquatone;
install_sublist3r;
install_corstest;
install_s3scanner;
install_go;
install_go_tools;
}
Expand Down Expand Up @@ -116,6 +119,11 @@ function install_corstest() {
git clone https://github.com/RUB-NDS/CORStest.git "$TOOLS"/CORStest;
}

function install_s3scanner() {
echo -e "$GREEN""Installing S3Scanner from Github.""$NC";
git clone https://github.com/sa7mon/S3Scanner.git "$TOOLS"/CORStest;
}

function install_go_tools() {
source $HOME/.profile;
echo -e "$GREEN""Installing Go tools from Github.""$NC";
Expand Down Expand Up @@ -164,3 +172,5 @@ else
fi

echo -e "$GREEN""Please run 'source ~/.profile' to add the Go binary path to your \$PATH variable, then run Chomp Scan.""$NC";
echo -e "$ORANGE""Note: In order to use S3Scanner, you must configure your personal AWS credentials in the aws CLI tool.""$NC";
echo -e "$ORANGE""See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html for details.""$NC";
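Review bot: `install_s3scanner` clones S3Scanner into `"$TOOLS"/CORStest`, the directory `install_corstest` has already populated one step earlier in every `install_*` list, so git will refuse the non-empty destination and `s3scanner.py` never lands where chomp-scan.sh expects it (`~/bounty/tools/S3Scanner/s3scanner.py`). The new S3Scanner test in `check_paths` would then fail and exit 1. The target should be `git clone https://github.com/sa7mon/S3Scanner.git "$TOOLS"/S3Scanner;`, assuming `$TOOLS` points at `~/bounty/tools` (it is set outside the visible hunks). The clone also takes whatever the default branch holds at install time; checking out a reviewed commit or tag after cloning would keep the scanner, which runs with the operator's AWS credentials, from changing underneath the script.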
5 changes: 5 additions & 0 deletions requirements2.txt
Expand Up @@ -4,3 +4,8 @@ termcolor
dnspython
requests
colorama
awscli
sh
pytest-xdist
coloredlogs
boto3
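Review bot: The five packages added here (`awscli`, `sh`, `pytest-xdist`, `coloredlogs`, `boto3`) carry no version specifier, and the same five lines are added to requirements3.txt, so each install resolves to whatever is newest on the index. `pytest-xdist` is a test-runner plugin, and nothing on this page shows Chomp Scan running S3Scanner's tests, so it can probably be dropped from both files. For the rest, a pinned specifier per line (for example `boto3==<reviewed version>`) would make installs reproducible; `awscli` and `boto3` handle the operator's AWS credentials, so an unreviewed upgrade there costs more than for the other entries.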
5 changes: 5 additions & 0 deletions requirements3.txt
Expand Up @@ -3,3 +3,8 @@ colorama
requests
requests[socks]
argparse
awscli
sh
pytest-xdist
coloredlogs
boto3
