Added amass.
bellma101 committed Mar 8, 2019
1 parent c959c19 commit c7fa4be
Showing 4 changed files with 63 additions and 3 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -26,6 +26,7 @@ Please see the [Wiki](https://github.com/SolomonSklash/chomp-scan/wiki) for deta
* [dnscan](https://github.com/rbsec/dnscan)
* [subfinder](https://github.com/subfinder/subfinder)
* [sublist3r](https://github.com/aboul3la/Sublist3r)
* [amass](https://github.com/OWASP/Amass)
* [massdns](https://github.com/blechschmidt/massdns) + [altdns](https://github.com/infosec-au/altdns)

#### Screenshots (optional)
56 changes: 53 additions & 3 deletions chomp-scan.sh
Expand Up @@ -42,6 +42,7 @@ CONFIG_FILE="";
ENABLE_DNSCAN=0;
ENABLE_SUBFINDER=0;
ENABLE_SUBLIST3R=0;
ENABLE_AMASS=0;
ENABLE_ALTDNS=0;
ENABLE_MASSDNS=1; # Constant
ENABLE_INCEPTION=0;
Expand Down Expand Up @@ -84,6 +85,7 @@ DIRSEARCH=~/bounty/tools/dirsearch/dirsearch.py;
SNALLY=~/bounty/tools/snallygaster/snallygaster;
CORSTEST=~/bounty/tools/CORStest/corstest.py;
S3SCANNER=~/bounty/tools/S3Scanner/s3scanner.py;
AMASS=~/bounty/tools/amass/amass;

# Other variables
ALL_IP=all_discovered_ips.txt;
Expand Down Expand Up @@ -256,6 +258,10 @@ function parse_config() {
ENABLE_ALTDNS=1;
fi

if [[ $(grep '^ENABLE_AMASS' "$CONFIG_FILE" | cut -d '=' -f 2) == "YES" ]]; then
ENABLE_AMASS=1;
fi

SUB_WORDLIST=$(grep '^SUBDOMAIN_WORDLIST' "$CONFIG_FILE" | cut -d '=' -f 2);
# Set to one of the defaults, else use provided wordlist
case "$SUB_WORDLIST" in
Expand All @@ -281,7 +287,7 @@ function parse_config() {
fi

# Check that at least one subdomain enumeration tool is enabled
if [[ "$ENABLE_DNSCAN" -eq 0 ]] && [[ "$ENABLE_SUBFINDER" -eq 0 ]] && [[ "$ENABLE_SUBLIST3R" -eq 0 ]]; then
if [[ "$ENABLE_DNSCAN" -eq 0 ]] && [[ "$ENABLE_SUBFINDER" -eq 0 ]] && [[ "$ENABLE_SUBLIST3R" -eq 0 ]] && [[ "ENABLE_AMASS" -eq 0 ]]; then
echo -e "$RED""[!] At least one subdomain enumeration tool must be enabled. Please check the configuration file.""$NC";
exit 1;
fi
Expand Down Expand Up @@ -668,6 +674,10 @@ function check_paths() {
echo -e "$RED""[!] The path or the file specified by the path for S3Scanner does not exit.";
exit 1;
fi
if [[ "$AMASS" == "" ]] || [[ ! -f "$AMASS" ]]; then
echo -e "$RED""[!] The path or the file specified by the path for amass does not exit.";
exit 1;
fi
}

function unique() {
Expand Down Expand Up @@ -818,6 +828,30 @@ function run_sublist3r() {
sleep 1;
}

function run_amass() {
# Call with domain as $1 anbd wordlist as $2

echo -e "$GREEN""[i]$BLUE Scanning $1 with amass.""$NC";
echo -e "$GREEN""[i]$ORANGE Command: amass -d $1 -w $2 -ip -rf resolvers.txt -active -o $WORKING_DIR/amass-output.txt -min-for-recursive 3 -bl $BLACKLIST""$NC";
START=$(date +%s);
"$AMASS" -d "$1" -w "$2" -ip -rf resolvers.txt -active -o "$WORKING_DIR"/amass-output.txt -min-for-recursive 3 -bl "$BLACKLIST";
END=$(date +%s);
DIFF=$(( END - START ));

# Check that output file exists amd parse output
if [[ -f "$WORKING_DIR"/amass-output.txt ]]; then
# Cat output into main lists
cut -d ' ' -f 1 "$WORKING_DIR"/amass-output.txt >> "$WORKING_DIR"/"$ALL_DOMAIN";
# cut -d ' ' -f 1 "$WORKING_DIR"/amass-output.txt >> "$WORKING_DIR"/"$ALL_RESOLVED";
cut -d ' ' -f 2 "$WORKING_DIR"/amass-output.txt >> "$WORKING_DIR"/"$ALL_IP";
echo -e "$GREEN""[i]$BLUE sublist3r took $DIFF seconds to run.""$NC";
echo -e "$GREEN""[!]$ORANGE amass found $(wc -l "$WORKING_DIR"/amass-output.txt | cut -d ' ' -f 1) domains.""$NC";
fi

list_found;
sleep 1;
}

function run_altdns() {
# Run altdns with found subdomains combined with altdns-wordlist.txt

Expand Down Expand Up @@ -890,7 +924,7 @@ function run_massdns() {
function run_subdomain_brute() {
# Ask user for wordlist size
while true; do
echo -e "$ORANGE""[i] Beginning subdomain enumeration. This will use dnscan, subfinder, sublist3r, and massdns + altdns.";
echo -e "$ORANGE""[i] Beginning subdomain enumeration. This will use dnscan, subfinder, sublist3r, amass, and massdns + altdns.";
echo -e "$GREEN""[?] What size wordlist would you like to use for subdomain bruteforcing?";
echo -e "$GREEN""[i] Sizes are [S]mall (22k domains), [L]arge (102k domains), and [H]uge (199k domains).";
echo -e "$ORANGE";
Expand All @@ -901,6 +935,7 @@ function run_subdomain_brute() {
run_dnscan "$DOMAIN" "$SHORT";
run_subfinder "$DOMAIN" "$SHORT";
run_sublist3r "$DOMAIN";
run_amass "$DOMAIN" "$SHORT";
run_massdns "$DOMAIN" "$SHORT";
break
;;
Expand All @@ -909,6 +944,7 @@ function run_subdomain_brute() {
run_dnscan "$DOMAIN" "$LONG";
run_subfinder "$DOMAIN" "$LONG";
run_sublist3r "$DOMAIN";
run_amass "$DOMAIN" "$LONG";
run_massdns "$DOMAIN" "$LONG";
return;
;;
Expand All @@ -917,6 +953,7 @@ function run_subdomain_brute() {
run_dnscan "$DOMAIN" "$SHORT";
run_subfinder "$DOMAIN" "$HUGE";
run_sublist3r "$DOMAIN";
run_amass "$DOMAIN" "$HUGE";
run_massdns "$DOMAIN" "$HUGE";
break;
;;
Expand Down Expand Up @@ -2048,6 +2085,16 @@ if [[ "$CONFIG_FILE" != "" ]]; then
run_sublist3r "$DOMAIN";
fi

# Run amass
if [[ "$ENABLE_AMASS" -eq 1 ]]; then
# Check if $SUBDOMAIN_WORDLIST is set, else use short as default
if [[ "$SUBDOMAIN_WORDLIST" != "" ]]; then
run_amass "$DOMAIN" "$SUBDOMAIN_WORDLIST";
else
run_amass "$DOMAIN" "$SHORT";
fi
fi

# Run masscan and/or altdns
if [[ "$ENABLE_MASSDNS" -eq 1 ]]; then # Masscan will always run in order to get resolved domains
if [[ "$ENABLE_ALTDNS" -eq 1 ]]; then
Expand Down Expand Up @@ -2306,6 +2353,7 @@ if [[ "$DEFAULT_MODE" == 1 ]]; then
run_dnscan "$DOMAIN" "$SHORT";
run_subfinder "$DOMAIN" "$SHORT";
run_sublist3r "$DOMAIN";
run_amass "$DOMAIN" "$SHORT";
run_massdns "$DOMAIN" "$SHORT";

# Call unique to make sure list is up to date for content discovery
Expand Down Expand Up @@ -2381,19 +2429,21 @@ fi

# Always run subdomain bruteforce tools
if [[ "$SUBDOMAIN_BRUTE" == 1 ]]; then
echo -e "$BLUE""[i] Beginning subdomain enumeration dnscan, subfinder, sublist3r, and massdns+altdns.""$NC";
echo -e "$BLUE""[i] Beginning subdomain enumeration dnscan, subfinder, sublist3r, amass, and massdns+altdns.""$NC";
sleep 0.5;

# Check if $SUBDOMAIN_WORDLIST is set, else use short as default
if [[ "$SUBDOMAIN_WORDLIST" != "" ]]; then
run_dnscan "$DOMAIN" "$SUBDOMAIN_WORDLIST";
run_subfinder "$DOMAIN" "$SUBDOMAIN_WORDLIST";
run_sublist3r "$DOMAIN";
run_amass "$DOMAIN" "$SUBDOMAIN_WORDLIST";
run_massdns "$DOMAIN" "$SUBDOMAIN_WORDLIST";
else
run_dnscan "$DOMAIN" "$SHORT";
run_subfinder "$DOMAIN" "$SHORT";
run_sublist3r "$DOMAIN";
run_amass "$DOMAIN" "$SHORT";
run_massdns "$DOMAIN" "$SHORT";
fi
fi
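Review bot: The enabled-tool guard in the parse_config hunk tests the literal string `"ENABLE_AMASS"` instead of the variable — `[[ "ENABLE_AMASS" -eq 0 ]]` — so it does not match the three sibling tests on the same line; the intended form is `[[ "$ENABLE_AMASS" -eq 0 ]]`. Bash evaluates the operand of `-eq` arithmetically, so the bare name happens to resolve to the variable's value, but that is an accident ShellCheck flags and not something to rely on. In run_amass the timing line reads `sublist3r took $DIFF seconds to run.` and should say amass, and the new check_paths message repeats the `does not exit` typo from the line above it (`does not exist`). run_amass also passes `-rf resolvers.txt` as a bare relative path while every other file in the function goes through `"$WORKING_DIR"`, so it depends on the caller's working directory unless that is fixed elsewhere; parse_config and check_paths both start outside their hunks.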
1 change: 1 addition & 0 deletions config
Expand Up @@ -24,6 +24,7 @@ INTERESTING=
ENABLE_DNSCAN=YES
ENABLE_SUBFINDER=YES
ENABLE_SUBLIST3R=YES
ENABLE_AMASS=YES
ENABLE_ALTDNS=YES
# Set wordlist
# Possible options are SHORT, lONG, HUGE, or the path to a custom wordlist
8 changes: 8 additions & 0 deletions installer.sh
Expand Up @@ -151,6 +151,14 @@ function install_go() {
rm -rf go1.12.linux-amd64.tar.gz;
}

function install_amass() {
echo -e "$GREEN""Installing amass from Github.""$NC";
wget https://github.com/OWASP/Amass/releases/download/2.9.3/amass_2.9.3_linux_amd64.zip -O "$TOOLS"/amass.zip;
unzip "$TOOLS"/amass.zip;
mv amass_2.9.3_linux_amd64 amass;
rm amass.zip;
}

# Create install directory
mkdir -pv "$HOME"/bounty/tools;

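Review bot: install_amass downloads to `"$TOOLS"/amass.zip` but then unzips, moves and removes relative to the current directory, so unless the caller has already changed into `$TOOLS` the extracted tree does not land at the `~/bounty/tools/amass/amass` path chomp-scan.sh expects and the final `rm amass.zip` fails on a missing file; none of the steps is checked, so a failed wget or unzip is silently carried forward. The version is pinned, which is good, but the archive's integrity is never verified before it is unpacked and placed on the tool path; recording the digest at pin time and checking it with `sha256sum -c` closes that gap. The rewritten body below keeps every step under `$TOOLS` and aborts on the first failure; the digest value is a placeholder to be filled from the pinned release.
```shell
function install_amass() {
  echo -e "$GREEN""Installing amass from Github.""$NC";
  wget https://github.com/OWASP/Amass/releases/download/2.9.3/amass_2.9.3_linux_amd64.zip -O "$TOOLS"/amass.zip || exit 1;
  # <EXPECTED_SHA256> is a placeholder: record the digest of the pinned 2.9.3 archive here
  echo "<EXPECTED_SHA256>  $TOOLS/amass.zip" | sha256sum -c - || exit 1;
  unzip "$TOOLS"/amass.zip -d "$TOOLS" || exit 1;
  mv "$TOOLS"/amass_2.9.3_linux_amd64 "$TOOLS"/amass || exit 1;
  rm "$TOOLS"/amass.zip;
}
```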
