SolomonSklash / chomp-scan

A scripted pipeline of tools to streamline the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs.
https://www.solomonsklash.io/chomp-scan-update.html
GNU General Public License v3.0

Additional comments for chomp-scan tools #6

Closed oldesec closed 5 years ago

oldesec commented 5 years ago

Hello,

I have two ideas.

  1. I think adding the knockpy tool will help.

     Ref: https://github.com/guelfoweb/knock

  2. To avoid time-consuming work (for example, massdns brute force), it would be helpful to add a "quick" option.

Thanks.

SolomonSklash commented 5 years ago

I am working on a -q quick option.

As far as knockpy, I've compared it to other subdomain enumeration tools and found that it is slower and finds fewer domains. The combination of dnscan, subfinder, and sublist3r has been the best in my experience. Is there anything it does I'm not aware of that would make it worth including?

Thanks for the feedback, much appreciated.

oldesec commented 5 years ago

Hello @SolomonSklash

You are right,

I have one more comment.

How about using "goaltdns" instead of "altdns"?

Ref: https://github.com/subfinder/goaltdns

Looks a bit faster to me.

And I have a question. Why are "sublist3r" and "subfinder" used together?

Does it show another result?

SolomonSklash commented 5 years ago

So I've looked into goaltdns. For what I'm using it for, just to generate alternate DNS names and not to resolve them, it is really fast. I've seen it generate 4M+ in a second or less. As it's so quick, I don't see much reason to switch.

The reason I use both sublist3r and subfinder is they're both pretty fast, given very large wordlists, and they sometimes find different results.

oldesec commented 5 years ago

Thank you for your response. @SolomonSklash

What do you think of the "amass" tool?

ref: https://github.com/OWASP/Amass

I often see hunters use this tool.

SolomonSklash commented 5 years ago

I know Amass is pretty widely used, but in my (limited) experience with it, it's rather slow. I will play with it some more and see how fast I can make it and compare its output to other tools like subfinder.

SolomonSklash commented 5 years ago

@oldesec I've created a config file option, which should serve the purpose as a --quick option. Let me know if that will cover what you're looking for.

oldesec commented 5 years ago

@SolomonSklash Hello.

How about reading the list of target domains from a file?

Even if you currently use the same options, you must change the target domain several times.

Currently:

```
./chomp-scan -u google.com  -a
./chomp-scan -u github.com  -a
```

For example, a patched version:

Target domain file list:

```
google.com
github.com
```

New command line:

```
./chomp-scan -uf ./target.txt -s -a
```

Thanks.

oldesec commented 5 years ago

Hi. @SolomonSklash

The "quick" option can be configured by the user.

Good config option.

As above, I think should read the domain list separately.

Otherwise, need to create config by domain.

SolomonSklash commented 5 years ago

I will look into a good way to read from a domain list.

oldesec commented 5 years ago

@SolomonSklash I have occasionally seen hunters use the massdns + subbrute combination.

Is the altdns + massdns combination better?

SolomonSklash commented 5 years ago

@oldesec I looked into subbrute. The problem is that it was just so slow compared to subfinder and dnscan. I ran tests comparing several subdomain enumeration tools and found that subfinder and dnscan were the fastest by far. Altdns only generates possible domain names, so it serves a different purpose altogether.

oldesec commented 5 years ago

@SolomonSklash Hmm.. massdns provides functionality similar to "subbrute".

Ref:

```
$ ./scripts/subbrute.py lists/names.txt example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -w results.txt
```

https://github.com/blechschmidt/massdns/blob/master/scripts/subbrute.py

Will this be slow? What do you think?

oldesec commented 5 years ago

Hmm... "Altdns" sometimes creates a very large amount of domains. Create a file of "GB". Do you think this is normal?

SolomonSklash commented 5 years ago

The way Chomp Scan uses massdns is to do DNS lookups very quickly on the domains that the previous tools, like subfinder, dnscan, and sublist3r have found. It's essentially just a fast DNS resolver in this case. It can do bruteforcing with subbrute, but that's not how I'm using it here, and that is by design.

Altdns can generate very large domain lists, which is OK and expected. Using it in combination with a fast DNS resolver like massdns is what makes it work.

If you like I can add subbrute as an option so you can test out its speed within Chomp Scan. Would you be interested in that?

oldesec commented 5 years ago

Hmm... @SolomonSklash, sometimes it is necessary to go slowly to get the best results, if a slower tool can find a domain that a faster one won't. So, it would be nice to be able to provide options.

But I do not know the performance of the "subbrute + massdns" combination. If it has the same performance as "altdns + massdns", you do not need to add it.

Because it is a duplicate test.

oldesec commented 5 years ago

Just Info:

Often, the "altdns" tool generates the following error:

```
Traceback (most recent call last):
  File "/root/tools/altdns/altdns.py", line 354, in <module>
    main()
  File "/root/tools/altdns/altdns.py", line 313, in main
    remove_duplicates(args)
  File "/root/tools/altdns/altdns.py", line 225, in remove_duplicates
    blines = set(b)
MemoryError
```

"altdns" seems to be not currently maintained.

I am testing "goaltdns".

In order to succeed in reconnaissance in a low-end environment.

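The MemoryError in the traceback above comes from altdns loading the whole generated list into one Python set. As an added example (not altdns's or Chomp Scan's code), here is a bounded-memory line deduplication that sorts fixed-size chunks to temporary files and merges them, so the list size is limited by disk instead of RAM; the hostnames in the demo are constructed.

```python
import heapq
import os
import tempfile


def _spill(lines):
    """Write one sorted, de-duplicated chunk to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".chunk")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    return path


def dedup_lines(src_path, dst_path, chunk_lines=200_000):
    """Copy unique lines from src_path to dst_path using at most chunk_lines
    lines of memory at once: external sort, then a k-way merge that skips
    repeats. Output is sorted. Returns the number of unique lines written."""
    chunks, buf = [], []
    with open(src_path) as src:
        for line in src:
            line = line.rstrip("\n")
            if line:
                buf.append(line)
            if len(buf) >= chunk_lines:
                chunks.append(_spill(sorted(set(buf))))
                buf = []
        if buf:
            chunks.append(_spill(sorted(set(buf))))
    files = [open(p) for p in chunks]
    written, last = 0, None
    try:
        with open(dst_path, "w") as dst:
            # heapq.merge streams the sorted chunks; equal names arrive adjacently.
            for line in heapq.merge(*(map(str.rstrip, f) for f in files)):
                if line != last:
                    dst.write(line + "\n")
                    written, last = written + 1, line
    finally:
        for f in files:
            f.close()
        for p in chunks:
            os.remove(p)
    return written


def dedup_demo():
    """Constructed sample with repeats that span chunks; chunk size 3 forces spills."""
    sample = ["dev.example.com", "api.example.com", "dev.example.com", "staging.example.com",
              "api.example.com", "dev-api.example.com", "dev.example.com"]
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "in.txt"), os.path.join(d, "out.txt")
    with open(src, "w") as f:
        f.write("\n".join(sample) + "\n")
    n = dedup_lines(src, dst, chunk_lines=3)
    with open(dst) as f:
        return n, f.read().split()
```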
oldesec commented 5 years ago

@SolomonSklash

The "CARStest" tool is out of date.

The "CORRScanner" tool appears to be up-to-date.

Ref: https://github.com/chenjj/CORScanner

Hmm... Is it a different perspective?

There is insufficient explanation of the tool.

SolomonSklash commented 5 years ago

I'll look at adding goaltdns as an alternative to altdns. I didn't know altdns wasn't being maintained, and I hadn't come across any errors.

What do you mean CORStest is out of date? I compared it to CORScanner and found CORStest is faster and provided better results. I can add support for CORScanner as well I suppose.

SolomonSklash commented 5 years ago

@oldesec I've added goaltdns in v5.4.

oldesec commented 5 years ago

> I'll look at adding goaltdns as an alternative to altdns. I didn't know altdns wasn't being maintained, and I hadn't come across any errors.

Sometimes, altdns causes a memory error. On a cloud machine with 1GB of RAM I will test the "goaltdns" tool. If I get the same error, I can go back to "altdns".

> What do you mean CORStest is out of date? I compared it to CORScanner and found CORStest is faster and provided better results. I can add support for CORScanner as well I suppose.

I left a question for the person in charge. If he answers, I will give you a link here.

oldesec commented 5 years ago

I have completed testing the "goaltdns" tool. Exactly, the memory error has disappeared. Good change.

oldesec commented 5 years ago

@SolomonSklash I saw the addition of the "amass" tool. Does this provide better performance? What do you think?

SolomonSklash commented 5 years ago

Amass did seem to be faster than I remembered. It seems to function a little differently than some of the other tools, in that it does its own DNS lookups, so it will provide better results. Definitely worth adding overall.

oldesec commented 5 years ago

@SolomonSklash The answer about the CORScanner tool, which I share here:

> This tool covers most of the CORS misconfiguration types in the CORStest tool, except for some types that are difficult to be exploited. You can find them in the misconfiguration types section of the README.md.
>
> The tool is originally developed for my large-scale measurement research (scanned 97,199,966 subdomains). This tool is faster and supports more customized features, e.g., file output, self-defined headers.

Ref: https://github.com/chenjj/CORScanner/issues/5