Recon Tool: CHOMTE.SH

Reading Time: 2 Minutes

Description

CHOMTE.SH by mr-rizwan-syed is a versatile framework designed for automating reconnaissance tasks. It’s useful for bug bounty hunters and penetration testers in both internal and external network engagements. Its key features include subdomain gathering, DNS subdomain brute-forcing, quick port scanning, HTTP probing, service enumeration, and generating reports in various formats. Additionally, it performs content discovery, identifies common misconfigurations and vulnerabilities, conducts deep internet reconnaissance, provides command transparency, and specializes in JavaScript reconnaissance.

Major Features

CHOMTE.SH has the following features:

1. Gather Subdomains using subfinder: This feature allows you to gather subdomains using the subfinder tool.
2. DNS Subdomain Bruteforcing using dmut: This feature enables DNS subdomain bruteforcing using the dmut tool.
3. Quick Port Scan using Naabu: This feature allows for quick port scanning using the Naabu tool.
4. HTTP Probing using projectdiscovery HTTPX: This feature allows for HTTP probing using the projectdiscovery HTTPX tool to generate a CSV file.
5. Service Enumeration using Nmap: This feature enables service enumeration using Nmap by scanning ports that are only open on the host.
6. Nmap Report Format: This feature allows you to generate reports in XML, NMAP, CSV, and HTML (raw and styled) formats.
7. Content Discovery Scan: Find sensitive files exposed in Web Applications
8. Common Misconfigurations & Vulnerabilities of Infrastructure / Web Applications
9. Internet Deep Recon: Shodan / Certificate Transparency
10. Command Transparency: You will be able to see the commands that are running and where files are being saved
11. JavaScript Reon: Hardcoded credentials / Sensitive Keys / Passwords
12. Customizable Flags: Tool arguments can be changed by modifying flags.conf file

Check out the Mindmap

Installation

To install CHOMTE.SH, follow these steps:

1. Clone the repository: git clone https://github.com/mr-rizwan-syed/chomtesh
2. Change the directory: cd chomtesh
3. Switch to root user sudo su
4. Make the script executable: chmod +x *.sh
5. Run the installation script: ./install.sh
6. Run Chomte.sh: ./chomte.sh

Usage

To use CHOMTE.SH, run the script with the following flags:

Mandatory Flags

• -p or –project: Specify the project name here.
• -d or –domain: Specify the root domain here or a domain list.
• -i or –ip: Specify the IP/CIDR/IP list here.

Optional Flags

-n or –nmap : Nmap scan against open ports.
-brt or –dnsbrute : DNS Recon Bruteforce.
-hpl or –hostportlist : HTTP Probing on Host:Port List
-cd or –content : Content Discovery – Path is optional
-e or –enum : Active Enum based on technologies
-h or –help : Show help.

Example

Here are some example commands:

Internet Deep Recon

Shodan Recon Setup

cd chomtesh

echo 'SHODAN-API-KEY' > .token

Horizontal Recon – To gather Root / TLD using crt.sh

Here are some example commands:

./crt.sh teslaoutput tesla.com

./crt.sh teslaoutput "TESLA, INC."

Customization

CHOMTE.SH allows you to customize the tool flags by editing the flags.conf file.
Add API keys to subfinder ~/.config/subfinder/provider-config.yaml Subfinder API Keys.

Clone the repo from here: GitHub Link