mXtract v1.2 – Memory Extractor & Analyzer

mXtract is an open source Linux-based tool that analyzes and dumps memory. It is developed as an offensive penetration testing tool; its primary purpose is to scan memory for private keys, IPs, and passwords using regexes. Remember, your results are only as good as your regexes.

Screenshots
- Scan with verbose and with a simple IP regex, scanning every data segment, displaying process info and scanning environment files.
- Scan with verbose and with a simple IP regex, scanning only heap and stack, displaying process info and scanning environment files.
- Scan without verbose, and with a simple IP regex, displaying process info and scanning environment files.

Why dump directly from memory?
In most Linux environments users can access the memory of processes. This allows attackers to harvest credentials, private keys, or anything that isn't supposed to be seen but is being processed by a program in clear text.

Features
- Ability to enter regex lists
- Clear and readable display
- Ability to mass scan every process or a specific PID
- Able to choose memory sections to scan
- Ability to show detailed process information
- Ability to scan process environment files
- Memory dumps automatically remove unicode characters, which allows for processing with other tools or manually

Getting started
Downloading:

    git clone https://github.com/rek7/mXtract

Compiling:

    cd mXtract && sh compile.sh

This will create the directory bin/ and compile the binary as mXtract.

Commands
General:
    -v   Enable Verbose Output
    -s   Suppress Banner
    -h   Help
    -c   Suppress Colored Output
Target and Regex:
    -i   Show Detailed Process/User Info
    -a   Scan all Memory Ranges not just Heap/Stack
    -e   Scan Process Environment Files
    -r=  Regex Database to Use
    -p=  Specify Single PID to Scan
Output:
    -wm  Write Raw Memory to File. Default Directory is: 'pid/'
    -wi  Write Process Info to Beginning of File (Used in Conjunction with -w)
    -wr  Write Regex Output to File (Will Appear in the Output Directory)
    -f=  Regex Results Filename. Default is: 'regex_results.txt'
    -d=  Custom Output Directory

Link: http://feedproxy.google.com/~r/PentestTools/~3/afNZNO7w4Xk/mxtract-v12-memory-extractor-analyzer.html

Osmedeus – Fully Automated Offensive Security Tool For Reconnaissance And Vulnerability Scanning

Osmedeus allows you to automatically run a collection of awesome tools for reconnaissance and vulnerability scanning against the target.

How to use
If you have no idea what you are doing, just type the command below or check out the Advanced Usage.

    ./osmedeus.py -t example.com

Installation

    git clone https://github.com/j3ssie/Osmedeus
    cd Osmedeus
    ./install.sh

This install only focuses on Kali Linux; check the Wiki page for more install options.

Features
- Subdomain Scan.
- Subdomain TakeOver Scan.
- Screenshot the target.
- Basic recon like Whois, Dig info.
- IP Discovery.
- CORS Scan.
- SSL Scan.
- Headers Scan.
- Port Scan.
- Vulnerable Scan.
- Separate workspaces to store all scan output and detailed logging.
- REST API.
- SPA Web UI.
- Slack notifications.

Contact
@j3ssiejjj

Link: http://feedproxy.google.com/~r/PentestTools/~3/DCeXRDXo4J0/osmedeus-fully-automated-offensive.html

Flightsim – A Utility To Generate Malicious Network Traffic And Evaluate Controls

flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility. The tool performs tests to simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns.

Installation
Download the latest flightsim binary for your OS from the GitHub Releases page. Alternatively, the utility can be built using Golang in any environment (e.g. Linux, MacOS, Windows), as follows:

    go get -u github.com/alphasoc/flightsim/...

Running Network Flight Simulator
Upon installation, test flightsim as follows:

    $ flightsim --help

    AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)

    flightsim is an application which generates malicious network traffic for security
    teams to evaluate security controls (e.g. firewalls) and ensure that monitoring tools
    are able to detect malicious traffic.

    Usage:
      flightsim [command]

    Available Commands:
      help        Help about any command
      run         Run all simulators (default) or a particular test
      version     Print version and exit

    Flags:
      -h, --help   help for flightsim

    Use "flightsim [command] --help" for more information about a command

The utility runs individual modules to generate malicious traffic. To perform all available tests, simply use flightsim run, which will generate traffic using the first available non-loopback network interface. NB: when running the C2 modules, flightsim will gather current C2 addresses from the Cybercrime Tracker and AlphaSOC API, so it requires egress Internet access.

To list the available modules, use flightsim run --help. To execute a particular test, use flightsim run , as below.

    $ flightsim run --help
    Run all simulators (default) or a particular test

    Usage:
      flightsim run [c2-dns|c2-ip|dga|hijack|scan|sink|spambot|tunnel] [flags]

    Flags:
      -n,                      number of hosts generated for each simulator (default 10)
          --fast               run simulator fast without sleep intervals
      -h, --help               help for run
      -i, --interface string   network interface to use

    $ flightsim run dga

    AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
    The IP address of the network interface is 172.31.84.103
    The current time is 10-Jan-18 09:30:28

    Time      Module   Description
    --------------------------------------------------------------------------------
    09:30:28  dga      Starting
    09:30:28  dga      Generating list of DGA domains
    09:30:30  dga      Resolving rdumomx.xyz
    09:30:31  dga      Resolving rdumomx.biz
    09:30:31  dga      Resolving rdumomx.top
    09:30:32  dga      Resolving qtovmrn.xyz
    09:30:32  dga      Resolving qtovmrn.biz
    09:30:33  dga      Resolving qtovmrn.top
    09:30:33  dga      Resolving pbuzkkk.xyz
    09:30:34  dga      Resolving pbuzkkk.biz
    09:30:34  dga      Resolving pbuzkkk.top
    09:30:35  dga      Resolving wfoheoz.xyz
    09:30:35  dga      Resolving wfoheoz.biz
    09:30:36  dga      Resolving wfoheoz.top
    09:30:36  dga      Resolving lhecftf.xyz
    09:30:37  dga      Resolving lhecftf.biz
    09:30:37  dga      Resolving lhecftf.top
    09:30:38  dga      Finished

    All done! Check your SIEM for alerts using the timestamps and details above.

Description of Modules
The modules packaged with the utility are listed in the table below.

    Module    Description
    c2-dns    Generates a list of current C2 destinations and performs DNS requests to each
    c2-ip     Connects to 10 random current C2 IP:port pairs to simulate egress sessions
    dga       Simulates DGA traffic using random labels and top-level domains
    hijack    Tests for DNS hijacking support via ns1.sandbox.alphasoc.xyz
    scan      Performs a port scan of 10 random RFC 1918 addresses using common ports
    sink      Connects to 10 random sinkholed destinations run by security providers
    spambot   Resolves and connects to random Internet SMTP servers to simulate a spam bot
    tunnel    Generates DNS tunneling requests to *.sandbox.alphasoc.xyz

Link: http://feedproxy.google.com/~r/PentestTools/~3/iP4qxku8k_8/flightsim-utility-to-generate-malicious.html

H2T – Scans A Website And Suggests Security Headers To Apply

h2t is a simple tool to help sysadmins harden their websites. For now, h2t checks the website's headers and recommends how to improve them.

Dependencies
- Python 3
- colorama
- requests

Install

    $ git clone https://github.com/gildasio/h2t
    $ cd h2t
    $ pip install -r requirements.txt
    $ ./h2t.py -h

Usage
h2t has subcommands: list and scan.

    $ ./h2t.py -h
    usage: h2t.py [-h] {list,l,scan,s} ...

    h2t - HTTP Hardening Tool

    positional arguments:
      {list,l,scan,s}  sub-command help
        list (l)       show a list of available headers in h2t catalog (that can
                       be used in scan subcommand -H option)
        scan (s)       scan url to hardening headers

    optional arguments:
      -h, --help       show this help message and exit

List Subcommand
The list subcommand lists all headers cataloged in h2t and can show information about them, such as a description and links to more information and how-tos.

    $ ./h2t.py list -h
    usage: h2t.py list [-h] [-p PRINT [PRINT ...]] [-B]
                       [-a | -H HEADERS [HEADERS ...]]

    optional arguments:
      -h, --help            show this help message and exit
      -p PRINT [PRINT ...], --print PRINT [PRINT ...]
                            a list of additional information about the headers to
                            print. For now there are two options: description and
                            refs (you can use either or both)
      -B, --no-banner       don't print the h2t banner
      -a, --all             list all available headers [default]
      -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                            a list of headers to look for in the h2t catalog

Scan Subcommand
The scan subcommand scans a website and inspects its headers.

    $ ./h2t.py scan -h
    usage: h2t.py scan [-h] [-v] [-a] [-g] [-b] [-H HEADERS [HEADERS ...]]
                       [-p PRINT [PRINT ...]]
                       [-i IGNORE_HEADERS [IGNORE_HEADERS ...]] [-B] [-E] [-n]
                       [-u USER_AGENT] [-r | -s]
                       url

    positional arguments:
      url                   url to look for

    optional arguments:
      -h, --help            show this help message and exit
      -v, --verbose         increase output verbosity: -v print response headers,
                            -vv print response and request headers
      -a, --all             scan all cataloged headers [default]
      -g, --good            scan good headers only
      -b, --bad             scan bad headers only
      -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                            scan only these headers (see available in list sub-
                            command)
      -p PRINT [PRINT ...], --print PRINT [PRINT ...]
                            a list of additional information about the headers to
                            print. For now there are two options: description and
                            refs (you can use either or both)
      -i IGNORE_HEADERS [IGNORE_HEADERS ...], --ignore-headers IGNORE_HEADERS [IGNORE_HEADERS ...]
                            a list of headers to ignore in the results
      -B, --no-banner       don't print the h2t banner
      -E, --no-explanation  don't print the h2t output explanation
      -o {normal,csv,json}, --output {normal,csv,json}
                            choose which output format to use (available: normal,
                            csv, json)
      -n, --no-redirect     don't follow http redirects
      -u USER_AGENT, --user-agent USER_AGENT
                            set user agent to scan request
      -k, --insecure        don't verify SSL certificate as valid
      -r, --recommendation  output only recommendations [default]
      -s, --status          output actual status (eg: existent headers only)

Output
For now the output is only in normal mode. Understand it as follows:

    [+] Red Headers are bad headers that open a breach on your website or maybe show a lot of information. We recommend fixing them.
    [+] Yellow Headers are good headers that are not applied on your website. We recommend applying them.
    [-] Green Headers are good headers that are already used on your website. They are shown when the -s flag is used.

Example:

    Cookie HTTP Only would be good to be applied
    Cookie over SSL/TLS would be good to be applied
    Server header would be good to be removed
    Referrer-Policy would be good to be applied
    X-Frame-Options is already in use, nothing to do here
    X-XSS-Protection is already in use, nothing to do here

Screenshots
- List h2t catalog
- Scan from file
- Scan url
- Scan verbose
- Headers information
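
The red/yellow/green classification described above, as an added example that is not h2t's own code. It assumes a small constructed catalog limited to the headers named in the example output, a constructed sample response, and hypothetical function names; treating status mode as "recommendations plus green lines" is also an assumption.

```python
# Added illustration, not h2t's implementation. The catalog is a constructed
# subset covering only the headers that appear in the page's example output.
GOOD_HEADERS = ("Referrer-Policy", "X-Frame-Options", "X-XSS-Protection")
BAD_HEADERS = ("Server",)
COOKIE_FLAGS = {"httponly": "Cookie HTTP Only", "secure": "Cookie over SSL/TLS"}

# Constructed sample response headers (a list of pairs keeps repeated Set-Cookie).
SAMPLE = [
    ("Server", "nginx/1.14.0"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/; Secure; HttpOnly"),
]


def cookie_flags(set_cookie_value):
    """Return the lower-cased attribute names of one Set-Cookie value.

    The first ';'-separated part is name=value and is skipped, so a cookie
    *named* "secure_token" is not mistaken for one carrying the Secure flag.
    """
    attrs = set_cookie_value.split(";")[1:]
    return {a.split("=", 1)[0].strip().lower() for a in attrs}


def classify(response_headers):
    """Sort findings into red (bad, present), yellow (good, missing), green (good, present)."""
    present = set()
    cookies = []
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            present.add(name.lower())  # header names are case-insensitive

    findings = {"red": [], "yellow": [], "green": []}
    for header in BAD_HEADERS:
        if header.lower() in present:
            findings["red"].append(f"{header} header would be good to be removed")
    for header in GOOD_HEADERS:
        if header.lower() in present:
            findings["green"].append(f"{header} is already in use, nothing to do here")
        else:
            findings["yellow"].append(f"{header} would be good to be applied")
    if cookies:
        for flag, label in COOKIE_FLAGS.items():
            # A single cookie without the flag is enough to recommend it.
            if any(flag not in cookie_flags(c) for c in cookies):
                findings["yellow"].append(f"{label} would be good to be applied")
            else:
                findings["green"].append(f"{label} is already in use, nothing to do here")
    return findings


def report(response_headers, status=False):
    """Recommendation lines by default; with status=True the green lines are appended."""
    found = classify(response_headers)
    lines = found["red"] + found["yellow"]
    if status:
        lines += found["green"]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE, status=True):
        print(line)
```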

Link: http://feedproxy.google.com/~r/PentestTools/~3/LaZLa7zlv9k/h2t-scans-website-and-suggests-security.html

mXtract – Memory Extractor & Analyzer

An open source Linux-based tool that analyses and dumps memory. It's developed as an offensive penetration testing tool which can be used to scan memory for private keys, IPs, and passwords using regexes. Remember, your results are only as good as your regexes.

Screenshots
- Scan with verbose and with a simple IP regex, scanning every data segment.
- Scan with verbose and with a simple IP regex, scanning only heap and stack.
- Scan without verbose, and with a simple IP regex.

Why dump directly from memory?
In most Linux environments users can access the memory of processes. This allows attackers to harvest credentials, private keys, or anything that isn't supposed to be seen but is being processed by a program in clear text.

Features
- Ability to enter regex lists
- Clear and readable display
- Ability to mass scan every process or a specific PID
- Able to choose memory sections to scan
- Memory dumps automatically remove unicode characters, which allows for processing with other tools or manually

Getting started
Compiling:

    g++ -std=c++11 -O2 src/main.cpp -o mxtract

Commands
    -v   Enable Verbose Output
    -s   Suppress Banner
    -h   Help
    -c   Suppress colored output
    -r=  Regex DB
    -a   Scan all memory ranges not just heap/stack
    -w   Write raw memory to file. Default directory is pid/
    -o   Write regex output to file
    -d=  Custom Output Directory
    -p=  Specify single pid to scan
Either -r= or -w is needed.

Link: http://feedproxy.google.com/~r/PentestTools/~3/klmJCxzlVRA/mxtract-memory-extractor-analyzer.html

Freevulnsearch – Free And Open NMAP NSE Script To Query Vulnerabilities Via The cve-search.org API

This NMAP NSE script is part of the Free OCSAF project – https://freecybersecurity.org. In conjunction with the version scan "-sV" in NMAP, the corresponding vulnerabilities are automatically assigned using CVE (Common Vulnerabilities and Exposures) and the severity of the vulnerability is assigned using CVSS (Common Vulnerability Scoring System). For more clarity, the CVSS are still assigned to the corresponding v3.0 CVSS ratings:
- Critical (CVSS 9.0 – 10.0)
- High (CVSS 7.0 – 8.9)
- Medium (CVSS 4.0 – 6.9)
- Low (CVSS 0.1 – 3.9)
- None (CVSS 0.0)

The CVEs are queried by default using the CPEs determined by NMAP via the ingenious and public API of the cve-search.org project, which is provided by circl.lu. For more information visit https://www.cve-search.org/api/.

Confidentiality information:
The queries are made using the determined CPE via the circl.lu API. For further information on the confidentiality of the circl.lu API, please visit https://www.circl.lu/services/cve-search/ directly.
The best way is to install cve-search (https://github.com/cve-search/cve-search) locally and use your own API with

    nmap -sV --script freevulnsearch --script-args apipath= <target>

Installation:
You can either specify the script path directly in the NMAP command, for example

    nmap -sV --script ~/freevulnsearch <target>

or copy the script into the appropriate directory of your NMAP installation. In KALI LINUX™ for example: /usr/share/nmap/scripts/

    sudo nmap --script-updatedb

Important note: First read the confidentiality information. It is recommended to run freevulnsearch.nse separately without additional NSE scripts. If you do not want to make an assignment to the categories safe, vuln and external, then do not execute the nmap --script-updatedb command mentioned above.

Usage:
The usage is simple, just use NMAP -sV and this script.

    nmap -sV --script freevulnsearch <target>

According to my tests, for stability reasons, only http without TLS should be used when querying the API for many simultaneous requests. For this reason, you can optionally disable TLS using an input argument. Important: after that, the API query to circl.lu is unencrypted.

    nmap -sV --script freevulnsearch --script-args notls=yes <target>

If you scan with the categories safe or vuln, then exclude the script or the category external, or do not add the script to the NMAP default directory. It is recommended to run freevulnsearch.nse separately without additional NSE scripts.

CPE exception handling for format:
If a NMAP CPE is not clear, several functions in the freevulnsearch.nse script check whether the formatting of the CPE is inaccurate. For example:
- (MySQL) 5.0.51a-3ubuntu5 -to- 5.0.51a
- (Exim smtpd) 4.90_1 -to- 4.90
- (OpenSSH) 6.6.1p1 -to- 6.6:p1
- (OpenSSH) 7.5p1 -to- 7.5:p1
- ...

Link: http://www.kitploit.com/2019/03/freevulnsearch-free-and-open-nmap-nse.html

Vuls – Vulnerability Scanner For Linux/FreeBSD, Agentless, Written In Go

Vulnerability scanner for Linux/FreeBSD, agentless, written in golang.
Twitter: @vuls_en

Abstract
For a system administrator, having to perform security vulnerability analysis and software updates on a daily basis can be a burden. To avoid downtime in a production environment, it is common for a system administrator to choose not to use the automatic update option provided by the package manager and to perform updates manually. This leads to the following problems.
- The system administrator will have to constantly watch out for any new vulnerabilities in NVD (National Vulnerability Database) or similar databases.
- It might be impossible for the system administrator to monitor all the software if there is a large number of software packages installed on the server.
- It is expensive to perform analysis to determine the servers affected by new vulnerabilities. The possibility of overlooking a server or two during analysis is there.

Vuls is a tool created to solve the problems listed above. It has the following characteristics.
- Informs users of the vulnerabilities that are related to the system.
- Informs users of the servers that are affected.
- Vulnerability detection is done automatically to prevent any oversight.
- Reports are generated on a regular basis using CRON or other methods to manage vulnerabilities.

Main Features

Scan for any vulnerabilities in Linux/FreeBSD Server
- Supports major Linux/FreeBSD
  - Alpine, Ubuntu, Debian, CentOS, Amazon Linux, RHEL, Oracle Linux, SUSE Enterprise Linux and Raspbian, FreeBSD
- Cloud, on-premise, Docker

High quality scan
Vuls uses multiple vulnerability databases:
- NVD
- JVN (Japanese)
- OVAL
  - RedHat
  - Debian
  - Ubuntu
  - SUSE
  - Oracle Linux
- Alpine-secdb
- Red Hat Security Advisories
- Debian Security Bug Tracker
- Commands (yum, zypper, pkg-audit)
  - RHSA/ALAS/ELSA/FreeBSD-SA
- Exploit Database
- Changelog

Fast scan and Deep scan
Fast Scan
- Scan without root privilege, no dependencies
- Almost no load on the scan target server
- Offline mode scan with no internet access. (Red Hat, CentOS, OracleLinux, Ubuntu, Debian)
Fast Root Scan
- Scan with root privilege
- Almost no load on the scan target server
- Detect processes affected by an update using yum-ps (RedHat, CentOS, Oracle Linux and Amazon Linux)
- Detect processes which were updated before but have not been restarted yet, using checkrestart of debian-goodies (Debian and Ubuntu)
- Offline mode scan with no internet access. (RedHat, CentOS, OracleLinux, Ubuntu, Debian)
Deep Scan
- Scan with root privilege
- Parses the Changelog. The changelog has a history of version changes. When a security issue is fixed, the relevant CVE ID is listed. By parsing the changelog and analysing the updates between the installed version of software on the server and the newest version of that software, it's possible to create a list of all vulnerabilities that need to be fixed.
- Sometimes puts load on the scan target server

Remote scan and Local scan
Remote Scan
- The user is required to set up only one machine that is connected to the other target servers via SSH
Local Scan
- If you don't want the central Vuls server to connect to each server by SSH, you can use Vuls in the Local Scan mode.

Dynamic Analysis
- It is possible to acquire the state of the server by connecting via SSH and executing commands.
- Vuls warns when the kernel etc. on the scan target server was updated but the server has not been restarted.

Scan middleware that is not included in OS package management
- Scan middleware, programming language libraries and frameworks for vulnerabilities
- Supports software registered in CPE

MISC
- Nondestructive testing
- Pre-authorization is NOT necessary before scanning on AWS
  - Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.
- Auto generation of configuration file template
  - Auto detection of servers set using CIDR, generate configuration file template
- Email and Slack notification is possible (supports Japanese language)
- Scan results are viewable on accessory software, TUI Viewer on terminal or Web UI (VulsRepo).

What Vuls Doesn't Do
- Vuls doesn't update the vulnerable packages.

Authors
kotakanbe (@kotakanbe) created vuls and these fine people have contributed.

Change Log
Please see CHANGELOG.

Link: http://www.kitploit.com/2019/03/vuls-vulnerability-scanner-for.html

Cat-Nip – Automated Basic Pentest Tool (Designed For Kali Linux)

Cat-Nip Automated Basic Pentest Tool
This tool handles basic pentesting tasks such as information gathering, auditing, and reporting, and does every task fully automatically.

Usage Guide
Download / Clone Cat-Nip

    ~# git clone https://github.com/baguswiratmaadi/catnip

Go Inside Cat-Nip Dir

    ~# cd catnip

Give Permission To Cat-Nip

    ~# chmod 777 catnip.sh

Run Cat-Nip

    ~# ./catnip.sh

Changelog
1.0 First Release

Pentest Tools Auto Executed With Cat-Nip
- Whois Lookup
- DNSmap
- Nmap
- Dmitry
- Theharvester
- Load Balancing Detector
- SSLyze
- Automater
- Ua Tester
- Gobuster
- Grabber
- Parsero
- Uniscan
- And More Tools Soon

Screenshots
- Cat-Nip preview
- Tools Preview
- Output Result
- Report In HTML

Disclaimer
- Do not scan government and private IT objects without legal permission.
- Do At Your Own Risk

Link: http://feedproxy.google.com/~r/PentestTools/~3/8By2_tKKSAQ/cat-nip-automated-basic-pentest-tool.html

Chomp Scan – A Scripted Pipeline Of Tools To Streamline The Bug Bounty/Penetration Test Reconnaissance Phase

A scripted pipeline of tools to simplify the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs.

Scope
Chomp Scan is a Bash script that chains together the fastest and most effective tools (in my opinion/experience) for doing the long and sometimes tedious process of recon. No more looking for word lists and trying to remember when you started a scan and where the output is. Chomp Scan creates a timestamped output directory based on the search domain, e.g. example.com-21:38:15, and puts all tool output there, split into individual sub-directories as appropriate. Custom output directories are also supported via the -o flag.

New: Chomp Scan now integrates Notica, which allows you to receive a notification when the script finishes. Simply visit Notica and get a unique URL parameter. Simply pass the parameter to Chomp Scan via the -n flag, keep the Notica page open in a browser tab on your computer or phone, and you will receive a message when Chomp Scan has finished running. No more constantly checking/forgetting to check those long running scans.

Chomp Scan runs in multiple modes. The primary one is using command-line arguments to select which scanning phases to use, which wordlists, etc. A guided interactive mode is available, as well as a non-interactive mode, useful if you do not want to deal with setting multiple arguments.

A list of interesting words is included, such as dev, test, uat, staging, etc., and domains containing those terms are flagged. This way you can focus on the interesting domains first if you wish. This list can be customized to suit your own needs, or replaced with a different file via the -X flag.

A blacklist file is included, to exclude certain domains from the results. However it does not prevent those domains from being resolved, only from being used for port scanning and content discovery. It can be passed via the -b flag.

Chomp Scan supports limited canceling/skipping of tools by pressing Ctrl-c. This can sometimes have unintended side effects, so use with care.

Note: Chomp Scan is in active development, and new/different tools will be added as I come across them. Pull requests and comments welcome!

Scanning Phases
Subdomain Discovery (3 different sized wordlists)
- dnscan
- subfinder
- sublist3r
- massdns + altdns
Screenshots (optional)
- aquatone
Port Scanning (optional)
- masscan and/or nmap
- nmap output styled with nmap-bootstrap-xsl
Information Gathering (optional) (4 different sized wordlists)
- subjack
- bfac
- whatweb
- wafw00f
- nikto
Content Discovery (optional) (4 different sized wordlists)
- ffuf
- gobuster
- dirsearch

Wordlists
A variety of wordlists are used, both for subdomain bruteforcing and content discovery. Daniel Miessler's Seclists are used heavily, as well as Jason Haddix's lists. Different wordlists can be used by passing in a custom wordlist or using one of the built-in named argument lists below.

Subdomain Bruteforcing

    Argument Name   Filename                                           Word Count   Description
    short           subdomains-top1mil-20000.txt                       22k          From Seclists
    long            sortedcombined-knock-dnsrecon-fierce-reconng.txt   102k         From Seclists
    huge            huge-200k.txt                                      199k         Combination I made of various wordlists, including Seclists

Content Discovery

    Argument Name   Filename                           Word Count   Description
    small           big.txt                            20k          From Seclists
    medium          raft-large-combined.txt            167k         Combination of the raft wordlists in Seclists
    large           seclists-combined.txt              215k         Larger combination of all the Discovery/DNS lists in Seclists
    xl              haddix_content_discovery_all.txt   373k         Jason Haddix's all content discovery list
    xxl             haddix-seclists-combined.txt       486k         Combination of the two previous lists

Misc.
- altdns-words.txt – 240 words – Used for creating domain permutations for masscan to resolve. Borrowed from altdns.
- interesting.txt – 43 words – A list I created of potentially interesting words appearing in domain names. Provide your own interesting words list with the -X flag.

Installation
Clone this repo and run the installer.sh script. Make sure to source ~/.profile after running the installer in order to add the Go binary path to your $PATH variable. Then run Chomp Scan.

Usage
Chomp Scan always runs subdomain enumeration, thus a domain is required via the -u flag. The domain should not contain a scheme, e.g. http:// or https://. By default, HTTPS is always used. This can be changed to HTTP by passing the -H flag. A wordlist is optional, and if one is not provided the built-in short list (20k words) is used.

Other scan phases are optional. Content discovery can take an optional wordlist, otherwise it defaults to the built-in short (22k words) list.

The final results of the scan are stored in two text files in the output directory. All unique domains that are found are stored in all_discovered_domains.txt, and all unique IPs that are discovered are stored in all_discovered_ips.txt.

    chomp-scan.sh -u example.com -a d short -cC large -p -o path/to/directory

    Usage of Chomp Scan:
        -u domain
            (required) Domain name to scan. This should not include a scheme, e.g. https:// or http://.
        -d wordlist
            (optional) The wordlist to use for subdomain enumeration. Three built-in lists, short, long, and huge can be used, as well as the path to a custom wordlist. The default is short.
        -c
            (optional) Enable content discovery phase. The wordlist for this option defaults to short if not provided.
        -C wordlist
            (optional) The wordlist to use for content discovery. Five built-in lists, small, medium, large, xl, and xxl can be used, as well as the path to a custom wordlist. The default is small.
        -s
            (optional) Enable screenshots using Aquatone.
        -i
            (optional) Enable information gathering phase, using subjack, bfac, whatweb, wafw00f, and nikto.
        -p
            (optional) Enable portscanning phase, using masscan (run as root) and nmap.
        -I
            (optional) Enable interactive mode. This allows you to select certain tool options and inputs interactively. This cannot be run with -D.
        -D
            (optional) Enable default non-interactive mode. This mode uses pre-selected defaults and requires no user interaction or options. This cannot be run with -I.
            Options: Subdomain enumeration wordlist: short.
                     Content discovery wordlist: small.
                     Aquatone screenshots: yes.
                     Portscanning: yes.
                     Information gathering: yes.
                     Domains to scan: all unique discovered.
        -b wordlist
            (optional) Set custom domain blacklist file.
        -X wordlist
            (optional) Set custom interesting word list.
        -o directory
            (optional) Set custom output directory. It must exist and be writable.
        -a
            (optional) Use all unique discovered domains for scans, rather than interesting domains. This cannot be used with -A.
        -A
            (optional, default) Use only interesting discovered domains for scans, rather than all discovered domains. This cannot be used with -a.
        -H
            (optional) Use HTTP for connecting to sites instead of HTTPS.
        -h
            (optional) Display this help page.

In The Future
Chomp Scan is still in active development, as I use it myself for bug hunting, so I intend to continue adding new features and tools as I come across them. New tool suggestions, feedback, and pull requests are all welcomed. Here is a short list of potential additions I'm considering:
- Adding a config file, for more granular customization of tools and parameters
- Adding testing/support for Ubuntu/Debian
- A possible Python re-write (and maybe a Go re-write after that!)
- The generation of an HTML report, similar to what aquatone provides

Link: http://www.kitploit.com/2019/03/chomp-scan-scripted-pipeline-of-tools.html