An automated scanning tool using Docker & RabbitMQ to help with bug bounties
The whole setup is based on workflows:
- Passive Subdomains Enumeration -> Dedup & keep new ones -> shuffleDNS -> httprobe -> dirsearch
- IP or Subnet -> Masscan -> Nmap Services -> Dirsearch on http/https ports
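The "Dedup & keep new ones" step of the first workflow is what decides how much work reaches shuffleDNS, httprobe and dirsearch: only names no earlier run has reported should go on. The following is an added example (not code from this project) of that step in Python, with the same semantics the README delegates to anew: normalise the merged output of the passive sources, drop anything outside the root domain, and append only the unseen names to a per-domain state file. The state-file layout is an assumption made for the example.

```python
"""Dedup stage for the passive-enumeration workflow (added example).

Assumption: one plain-text state file per root domain holds every
subdomain reported by earlier runs, one name per line.
"""
import os
import re
from typing import Iterable, List, Set

# Loose hostname check used to discard wildcard entries, junk lines and
# anything that is not a syntactically valid DNS name.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9_-]{1,63}\.)+[a-z0-9-]{2,63}$")


def normalise(names: Iterable[str], root: str) -> Set[str]:
    """Lowercase, strip '*.' prefixes and trailing dots, and keep only
    names that are the root domain itself or sit under it."""
    out: Set[str] = set()
    for raw in names:
        name = raw.strip().lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]
        if not HOSTNAME_RE.match(name):
            continue
        if name == root or name.endswith("." + root):
            out.add(name)
    return out


def keep_new(candidates: Iterable[str], known: Iterable[str], root: str) -> List[str]:
    """Subdomains from this run that earlier runs never reported, sorted."""
    return sorted(normalise(candidates, root) - normalise(known, root))


def update_state(state_path: str, candidates: Iterable[str], root: str) -> List[str]:
    """anew-style: append the unseen names to state_path and return them,
    so only those are handed to the shuffleDNS/httprobe stages."""
    known: List[str] = []
    if os.path.exists(state_path):
        with open(state_path, encoding="utf-8") as fh:
            known = fh.read().splitlines()
    fresh = keep_new(candidates, known, root)
    if fresh:
        with open(state_path, "a", encoding="utf-8") as fh:
            fh.write("\n".join(fresh) + "\n")
    return fresh


if __name__ == "__main__":
    # Constructed sample: merged output of several passive sources for
    # example.com, with duplicates, a wildcard, mixed case and junk.
    this_run = [
        "www.example.com", "API.example.com.", "*.dev.example.com",
        "www.example.com", "evil.com", "not a host",
    ]
    previously_seen = ["www.example.com"]
    print(keep_new(this_run, previously_seen, "example.com"))
```

Because the state file is append-only and compared case-insensitively, re-running the passive stage against the same domain costs nothing downstream unless a source actually reported a new name.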
- RabbitMQ
- Amass / Assetfinder / Findomain / Subfinder / Chaos
- Massdns / Nmap
- Dnsgen
- httprobe / anew
- Dirsearch
- Add Dirsearch implementation
- Add Rapid7 Sonar via Crobat
- Pull fresh Resolvers (via cronjob)
- Scan IP found from Massdns step for Open Ports (masscan / nmap)
- Add shuffleDNS & dnsvalidator tools to wrap around Massdns
- Add Wayback Machine / Common Crawl results
- Change dirsearch to ffuf, better html output
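The port-scan item above and the IP-scan workflow both hand Masscan's findings to Nmap and then to the directory brute-force stage. Below is an added example (not the project's code) of that glue in Python: it parses Masscan list output, groups open TCP ports per host, emits one Nmap service scan per host restricted to those ports, and derives the http/https URLs the dirsearch/ffuf stage would take. It assumes Masscan's -oL format (data lines of the form `open tcp <port> <ip> <timestamp>`), and it picks web ports by number; the real pipeline can use Nmap's service names for that decision instead.

```python
"""Masscan -> Nmap -> dirsearch glue for the IP-scan workflow (added example).

Assumption: input is Masscan list output (-oL), i.e. comment lines starting
with '#' and data lines '<state> <proto> <port> <ip> <timestamp>'.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Ports the example routes to the web stage; the split decides the scheme.
HTTP_PORTS = {80, 8000, 8008, 8080, 8888}
HTTPS_PORTS = {443, 8443}

# Constructed sample in Masscan -oL layout (TEST-NET-3 addresses).
SAMPLE = """#masscan
open tcp 443 203.0.113.10 1700000000
open tcp 80 203.0.113.10 1700000001
open tcp 22 203.0.113.11 1700000002
open tcp 8443 203.0.113.11 1700000003
open tcp 80 203.0.113.10 1700000004
# end
"""


def parse_masscan_list(lines: Iterable[str]) -> Dict[str, List[int]]:
    """Map ip -> sorted open TCP ports, skipping comments, non-open
    states, non-TCP entries and malformed lines (duplicates collapse)."""
    hosts = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "open" or parts[1] != "tcp":
            continue
        try:
            port = int(parts[2])
        except ValueError:
            continue
        if 0 < port < 65536:
            hosts[parts[3]].add(port)
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def nmap_commands(hosts: Dict[str, List[int]]) -> List[str]:
    """One service-detection run per host, limited to the ports Masscan
    already found open, so Nmap does no port discovery of its own."""
    return [
        f"nmap -sV -Pn -p {','.join(str(p) for p in ports)} {ip}"
        for ip, ports in sorted(hosts.items())
    ]


def web_targets(hosts: Dict[str, List[int]]) -> List[str]:
    """URLs for the directory brute-force stage, one per host:web-port."""
    urls: List[str] = []
    for ip, ports in sorted(hosts.items()):
        for port in ports:
            if port in HTTPS_PORTS:
                urls.append(f"https://{ip}:{port}")
            elif port in HTTP_PORTS:
                urls.append(f"http://{ip}:{port}")
    return urls


if __name__ == "__main__":
    found = parse_masscan_list(SAMPLE.splitlines())
    for cmd in nmap_commands(found):
        print(cmd)
    for url in web_targets(found):
        print("dirsearch -u", url)
```

Grouping by host before calling Nmap matters in a queue-driven setup: one message per host (rather than per open port) keeps the Nmap stage from scanning the same address several times in parallel.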
- git clone the repo
- Put resolvers.txt in the docker/input/ directory, which you can get through a daily run of dnsvalidator
- Put wordlist.txt in the docker/input/ directory, which is the list dirsearch will use
- Results are stored in docker/output/ directory
- Build in --compatibility mode (needed because the dirsearch service uses replicas):
docker-compose --compatibility up --build
- At the moment you can run this using:
python app/send.py passive domain.com
python app/send.py ip-scan x.x.x.x/x <date>
- The Chaos step needs an API key: create an env file in the repository root containing the line
CHAOS_KEY=key
- Dirsearch runs with 5 replicas; edit the compose file to run more or fewer.
Useful commands
Use docker-compose exec rabbitmq bash to get a shell inside the rabbitmq container.
Use rabbitmqctl list_queues to list all queues and the number of messages in each.
Use rabbitmqadmin get queue=dir-scan count=100 to peek at up to 100 messages at the head of the dir-scan queue (by default they are requeued, so this does not consume them).