Chomp Scan

✨ deeznutz

✨ Master ✨
Staff member
May 15, 2017
A scripted pipeline of tools to simplify the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs.


Chomp Scan is a Bash script that chains together the fastest and most effective tools (in my opinion/experience) for doing the long and sometimes tedious process of recon. No more looking for word lists and trying to remember when you started a scan and where the output is. Chomp Scan creates a timestamped output directory based on the search domain, e.g., and puts all tool output there, split into individual sub-directories as appropriate. Custom output directories are also supported via the -o flag.

New: Chomp Scan now integrates Notica, which allows you to receive a notification when the script finishes. Simply visit Notica and get a unique URL parameter. Simply pass the parameter to Chomp Scan via the -n flag, keep the Notica page open in a browser tab on your computer or phone, and you will receive a message when Chomp Scan has finished running. No more constantly checking/forgetting to check those long running scans.
Chomp Scan runs in multiple modes. The primary one is using command-line arguments to select which scanning phases to use, which wordlists, etc. A guided interactive mode is available, as well as a non-interactive mode, useful if you do not want to deal with setting multiple arguments.

A list of interesting words is included, such as dev, test, uat, staging, etc., and domains containing those terms are flagged. This way you can focus on the interesting domains first if you wish. This list can be customized to suit your own needs, or replaced with a different file via the -X flag.

A blacklist file is included, to exclude certain domains from the results. However it does not prevent those domains from being resolved, only from being used for port scanning and content discovery. It can be passed via the -b flag.
Chomp Scan supports limited canceling/skipping of tools by pressing Ctrl-c. This can sometimes have unintended side effects, so use with care.
Note: Chomp Scan is in active development, and new/different tools will be added as I come across them. Pull requests and comments welcome!

Scanning Phases

Subdomain Discovery (3 different sized wordlists)
  • dnscan
  • subfinder
  • sublist3r
  • massdns + altdns

Screenshots (optional)
  • aquatone

Port Scanning (optional)

Information Gathering (optional) (4 different sized wordlists)
  • subjack
  • bfac
  • whatweb
  • wafw00f
  • nikto

Content Discovery (optional) (4 different sized wordlists)

  • ffuf
  • gobuster
  • dirsearch

A variety of wordlists are used, both for subdomain bruteforcing and content discovery. Daniel Miessler's Seclists are used heavily, as well as Jason Haddix's lists. Different wordlists can be used by passing in a custom wordlist or using one of the built-in named argument lists below.

Download Chomp-Scan
Top Bottom