AppScan

A CLI tool to automate DNS querying and subdomain enumeration for bug bounty hunting
View Demo · Report Bug · Request Feature

Table of Contents
  1. Usage
  2. Getting Started
  3. Roadmap
  4. Contributing
  5. License
  6. Contact

Usage

A CLI tool to automate DNS querying and subdomain enumeration for bug bounty hunting

Usage: appscan <COMMAND>

Commands:
  dns   Scan for DNS records
  http  Scan for HTTP responses
  help  Print this message or the help of the given subcommand(s)

The dns subcommand uses massdns to find all of the DNS records for the provided URLs; the http subcommand then enumerates other possible subdomains on those domains and queries each of them for a response.

DNS

Scan for DNS records

Usage: appscan dns [OPTIONS] --output-file <OUTPUT_FILE> [FILE_PATH]
Example: appscan dns -o ./dns.txt ./in_scope_domains.txt

Arguments:
  [FILE_PATH]  Path to the URL file

Options:
  -u, --url <URL>                  Specify a single URL, rather than a filepath to a list of URLs
      --no-spinner                 Disable loading spinner
  -o, --output-file <OUTPUT_FILE>  Specify the txt file to output the generated DNS records to
  -h, --help                       Print help
  -V, --version                    Print version

HTTP

Scan for HTTP responses

Usage: appscan http [OPTIONS] --output-file <OUTPUT_FILE> [FILE_PATH]
Example: appscan http -m common -o ./responses.json ./dns.txt

Arguments:
  [FILE_PATH]  Path to the URL file

Options:
  -u, --url <URL>                  Specify a single URL, rather than a filepath to a list of URLs
  -m, --method <METHOD>            Specify the HTTP method(s) to use, comma-separated (e.g. get,post), or "common" / "all" [default: get]
  -v, --verbose                    Include all responses, including 400 errors
      --no-spinner                 Disable loading spinner
  -o, --output-file <OUTPUT_FILE>  Specify the json file to output the generated http responses to
  -h, --help                       Print help
  -V, --version                    Print version

The http subcommand can use the results from the DNS scan, or a separate list of URLs.

By default, only GET requests are made, but you can specify other methods with the -m flag like:

appscan http -m get,post,patch ./dns.txt

HTTP method names are case-insensitive. Two aliases are also accepted: -m all uses every HTTP method, which is rarely as useful as -m common, which expands to GET, POST, PUT, PATCH, and DELETE.
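The following is an added example, not appscan's own code, showing how a -m value with the semantics described above can be parsed into a de-duplicated, ordered list of methods: comma-separated tokens, case-insensitive names, and the "common" and "all" aliases. It goes slightly beyond the current behaviour by also accepting extra methods alongside "common" (the roadmap's "-m common, options" case). The function and error names, and the exact set that "all" expands to, are assumptions.

```rust
// Added example (not part of appscan): parsing an -m/--method argument.
use std::fmt;

/// Assumed set of methods that "all" expands to.
const ALL_METHODS: [&str; 9] = [
    "GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE", "CONNECT",
];

/// What "common" expands to, as documented in the README.
const COMMON_METHODS: [&str; 5] = ["GET", "POST", "PUT", "PATCH", "DELETE"];

/// Reasons a -m value can be rejected (hypothetical error type).
#[derive(Debug, PartialEq)]
pub enum MethodParseError {
    /// A token that is neither a known method nor an alias.
    Unknown(String),
    /// The argument contained no methods at all (e.g. "" or " , ").
    Empty,
}

impl fmt::Display for MethodParseError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            MethodParseError::Unknown(m) => write!(f, "unknown HTTP method: {}", m),
            MethodParseError::Empty => write!(f, "no HTTP methods given"),
        }
    }
}

/// Append `m` unless it is already present, so "get,GET" or
/// "common,post" do not cause duplicate requests.
fn push_unique(out: &mut Vec<String>, m: &str) {
    if !out.iter().any(|x| x == m) {
        out.push(m.to_string());
    }
}

/// Parse a -m value such as "get,post,patch", "Common" or "common, options"
/// into upper-case method names, in the order the user gave them.
pub fn parse_methods(arg: &str) -> Result<Vec<String>, MethodParseError> {
    let mut out: Vec<String> = Vec::new();
    for raw in arg.split(',') {
        // Trim so "common, options" works; normalise case so "Get" == "GET".
        let token = raw.trim().to_ascii_uppercase();
        if token.is_empty() {
            continue;
        }
        match token.as_str() {
            "ALL" => {
                for m in ALL_METHODS.iter() {
                    push_unique(&mut out, m);
                }
            }
            "COMMON" => {
                for m in COMMON_METHODS.iter() {
                    push_unique(&mut out, m);
                }
            }
            m if ALL_METHODS.contains(&m) => push_unique(&mut out, m),
            other => return Err(MethodParseError::Unknown(other.to_string())),
        }
    }
    if out.is_empty() {
        return Err(MethodParseError::Empty);
    }
    Ok(out)
}

fn main() {
    // Constructed inputs illustrating each rule.
    for arg in ["get,post,patch", "Common", "common, options", "all", "brew"] {
        match parse_methods(arg) {
            Ok(methods) => println!("{:<18} -> {}", arg, methods.join(",")),
            Err(e) => println!("{:<18} -> error: {}", arg, e),
        }
    }
}
```

Rejecting unknown tokens instead of silently dropping them is deliberate: a typo in -m should fail the run up front rather than produce a scan that quietly tested fewer methods than intended.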

Getting Started

Installing the latest version

You can download a pre-built binary directly from the latest release: https://github.com/osm6495/appscan/releases

  1. Select the latest version at the top of the page and open the Assets section
  2. Download the file that applies to your system
  3. (Optional) Move the binary to your /usr/bin directory for Linux and Mac or C:\Program Files for Windows. This will allow you to use the appscan command without directly calling the binary or having the source code.

Installing from Source


  1. Install Rust: http://rust-lang.org/
  2. Clone the repo
       git clone https://github.com/osm6495/appscan
       cd appscan
  3. Build the binary
       cargo build --release
  4. Run the program
       ./target/release/appscan -h
  5. (Optional) Move the binary to your /usr/bin directory for Linux and Mac or C:\Program Files for Windows. This will allow you to use the appscan command without directly calling the binary or having the source code.
       sudo mv ./target/release/appscan /usr/bin/appscan

Roadmap

  • Allow other HTTP methods to be included along with "common" in the -m flag for the http subcommand, so that something like -m common,options works
  • Switch from massdns to puredns (which uses massdns): https://github.com/d3mondev/puredns. This would handle wildcard domains better and would simplify subdomain bruteforcing
  • Add an option for pretty output: either a subcommand that parses the output file and points out any interesting findings, or a flag that prints these to stdout as the scan runs

See the open issues for a full list of proposed features (and known issues).

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

License

Distributed under the MIT License. See LICENSE.txt for more information.

Contact

Owen McCarthy - contact@owen.biz
