SolomonSklash / chomp-scan

A scripted pipeline of tools to streamline the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs.
https://www.solomonsklash.io/chomp-scan-update.html
GNU General Public License v3.0

[Q/A] About tool composition #48

Closed oldesec closed 5 years ago

oldesec commented 5 years ago

Hi.

I looked at the tools and found some peculiarities.

For example, most of the subdomain search tools receive a wordlist.

Example:

run_dnscan "$DOMAIN" "$SHORT";
run_subfinder "$DOMAIN" "$SHORT";
run_knock "$DOMAIN" "$SHORT";
run_amass "$DOMAIN" "$SHORT";
run_massdns "$DOMAIN" "$SHORT";

It seems that the tools are running in brute forcing mode.

That is, there is a concern that the same wordlist is given as input and the same results are output.

And it takes a long time.

Is this the design you intended?

And it appears that there is an option error in the tool.

The tool currently uses the "-w" option without the "brute" option.

Currently:

"$AMASS" -d "$1" -w "$2" -ip -rf resolvers.txt -active -o "$WORKING_DIR"/amass-output.txt -min-for-recursive 3 -bl "$BLACKLIST";

Ref: https://github.com/OWASP/Amass/blob/master/doc/user_guide.md

-brute: Perform brute force subdomain enumeration
-w:     Change the wordlist used during brute forcing

Thanks

SolomonSklash commented 5 years ago

As far as amass, you're right, it needs the -brute flag. Good catch, I will add it.

As far as the tool composition, I have intended for each tool to use the same wordlist. I get that this leads to each tool possibly finding the same thing, but to me that seemed better than getting a random collection of results from each tool's built-in wordlist and never knowing exactly which wordlist you are using. Which is better, I'm not 100% sure, but that is my reasoning at least.

SolomonSklash commented 5 years ago

I have fixed the amass -brute flag. Thanks!
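An added example (not chomp-scan's own code) illustrating both points of the thread: the amass invocation corrected with the -brute flag that the reporter pointed out, and a merge step that shows how much overlap several tools fed the same wordlist actually produce. Paths such as resolvers.txt and the blacklist file are placeholders, and `amass` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not chomp-scan's own code. Builds the corrected amass command
# line from the issue (with -brute) and merges per-tool subdomain outputs.
set -eu

# Print the corrected amass command. Argument order mirrors the snippet quoted
# in the issue; the working dir and blacklist default to placeholders.
amass_brute_cmd() {
    domain="$1"; wordlist="$2"; workdir="${3:-.}"; blacklist="${4:-blacklist.txt}"
    [ -n "$domain" ]   || { echo "domain required" >&2; return 1; }
    [ -n "$wordlist" ] || { echo "wordlist required" >&2; return 1; }
    # -w only takes effect together with -brute, which the original line lacked.
    printf '%s\n' "amass -d $domain -brute -w $wordlist -ip -rf resolvers.txt -active -o $workdir/amass-output.txt -min-for-recursive 3 -bl $blacklist"
}

# Normalise one tool's output: lowercase, drop blank lines, dedupe within the file.
_norm() { tr 'A-Z' 'a-z' < "$1" | sed '/^[[:space:]]*$/d' | sort -u; }

# Union of every tool's output, one host per line, deduped across tools.
merge_subdomains() {
    for f in "$@"; do _norm "$f"; done | sort -u
}

# Number of hosts reported by more than one tool: the duplication the issue
# raises when every tool brute-forces the same wordlist.
overlap_count() {
    for f in "$@"; do _norm "$f"; done | sort | uniq -d | wc -l | tr -d ' '
}
```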