Hi.
After merging, An error occurs in relation to the file or directory.
I think this problem occurs in a single domain.
Files are stored in the root directory(/ ).
root@oldesec:~/chomp-scan# ./chomp-scan.sh -L config
Beginning scan with config file options.
[i] Scanning example.com with dnscan.
[i] Command: /root/bounty/tools/dnscan/dnscan.py -d example.com -t 25 -o /dnscan_out.txt -w wordlists/subdomains-top1mil-20000.txt.
[*] Processing domain example.com
[*] Using system resolvers ['127.0.0.53']
[+] Getting nameservers
94.130.248.104 - ns2.schokokeks-dns.de
178.63.68.96 - ns1.schokokeks-dns.de
37.120.167.100 - ns3.schokokeks-dns.de
[-] Zone transfer failed
[+] IPv6 (AAAA) records found. Try running dnscan with the -6 option.
2a01:4f8:121:1ffe:1:1008:0:104b
[+] TXT records found
"v=spf1 a mx include:_spf.schokokeks-dns.de -all"
[+] MX records found, added to target list
100 zucker.schokokeks.org.
[*] Scanning example.com for A records
178.63.68.96 - example.com
[i] dnsscan took 2 seconds to run.
[!] dnscan found 1 IP/domain pairs.
[+] Found 1 unique IPs so far.
[+] Found 2 unique discovered domains so far.
[+] Found 0 unique resolvable domains so far.
./chomp-scan.sh: line 847: /tmp: Is a directory
mv: cannot overwrite non-directory '/all_discovered_domains.txt' with directory '/tmp'
[i] Scanning example.com with subfinder.
[i] Command: subfinder -d example.com -o /subfinder-domains.txt -t 25 -w wordlists/subdomains-top1mil-20000.txt.
[NOTE] Edit /root/.config/subfinder/config.json with your options !===============================================
-=Subfinder v1.1.3 github.com/subfinder/subfinder
===============================================
Running Source: Ask
Running Source: Archive.is
Running Source: Baidu
Running Source: Bing
Running Source: CertDB
Running Source: CertificateTransparency
Running Source: Certspotter
Running Source: Commoncrawl
Running Source: Crt.sh
Running Source: Dnsdb
Running Source: DNSDumpster
Running Source: DNSTable
Running Source: Dogpile
Running Source: Exalead
Running Source: Findsubdomains
Running Source: Googleter
Running Source: Hackertarget
Running Source: Ipv4Info
Running Source: PTRArchive
Running Source: Sitedossier
Running Source: Threatcrowd
Running Source: ThreatMiner
Running Source: WaybackArchive
Running Source: Yahoo
Running enumeration on example.com
waybackarchive: parse http://web.archive.org/cdx/search/cdx?url=*.example.com/*&output=json&fl=original&collapse=urlkey&page=: net/url: invalid control character in URL
dnsdb: Unexpected return status 503
ptrarchive: Get http://ptrarchive.com/tools/search3.htm?label=example.com&date=ALL: read tcp 206.189.223.157:36772->104.171.118.90:80: read: connection reset by peer
archiveis: Get http://archive.is/*.example.com: dial tcp 78.108.190.21:80: connect: connection timed out
Total 7 Unique subdomains found for example.com
.example.com
blog.example.com
bugs.example.com
crashes.example.com
files.example.com
flimp.example.com
www.example.com
[i] Subfinder took 132 seconds to run.
[!] Subfinder found 7 domains.
[+] Found 1 unique IPs so far.
[+] Found 9 unique discovered domains so far.
[+] Found 0 unique resolvable domains so far.
[i] Scanning example.com with sublist3r.
[i] Command: /root/bounty/tools/Sublist3r/sublist3r.py -d example.com -v -b -t 50 -o /sublist3r-output.txt.
____ _ _ _ _ _____
/ ___| _ _| |__ | (_)___| |_|___ / _ __
\___ \| | | | '_ \| | / __| __| |_ \| '__|
___) | |_| | |_) | | \__ \ |_ ___) | |
|____/ \__,_|_.__/|_|_|___/\__|____/|_|
# Coded By Ahmed Aboul-Ela - @aboul3la
[-] Enumerating subdomains now for example.com
[-] verbosity is enabled, will show the subdomains results in realtime
[-] Searching now in Baidu..
[-] Searching now in Yahoo..
[-] Searching now in Google..
[-] Searching now in Bing..
[-] Searching now in Ask..
[-] Searching now in Netcraft..
[-] Searching now in DNSdumpster..
[-] Searching now in Virustotal..
[-] Searching now in ThreatCrowd..
[-] Searching now in SSL Certificates..
[-] Searching now in PassiveDNS..
ThreatCrowd: blog.example.com
Virustotal: blog.example.com
Virustotal: files.example.com
Virustotal: flimp.example.com
Virustotal: bugs.example.com
Virustotal: crashes.example.com
Virustotal: www.example.com
Bing: blog.example.com
Bing: crashes.example.com
Bing: flimp.example.com
Bing: files.example.com
Google: flimp.example.com
Google: crashes.example.com
Google: blog.example.com
Google: files.example.com
Yahoo: blog.example.com
Yahoo: flimp.example.com
DNSdumpster: crashes.example.com
SSL Certificates: files.example.com
SSL Certificates: crashes.example.com
SSL Certificates: flimp.example.com
SSL Certificates: blog.example.com
SSL Certificates: www.example.com
SSL Certificates: bugs.example.com
Yahoo: crashes.example.com
Yahoo: files.example.com
DNSdumpster: www.example.com
DNSdumpster: blog.example.com
DNSdumpster: files.example.com
DNSdumpster: flimp.example.com
DNSdumpster: bugs.example.com
[-] Starting bruteforce module now using subbrute..
example.com
^C
[!] Cancelling command.
./chomp-scan.sh: line 875: 14650 Killed "$SUBLIST3R" -d "$1" -v -b -t 50 -o "$WORKING_DIR"/sublist3r-output.txt
[+] Found 1 unique IPs so far.
[+] Found 9 unique discovered domains so far.
[+] Found 0 unique resolvable domains so far.
[i] Scanning example.com with amass.
[i] Command: amass -d example.com -w wordlists/subdomains-top1mil-20000.txt -ip -rf resolvers.txt -active -o /amass-output.txt -min-for-recursive 3 -bl blacklist.txt
bugs.example.com 178.63.68.96,2a01:4f8:121:1ffe:1:1008:0:1321
blog.example.com 178.63.68.96,2a01:4f8:121:1ffe:1:1008:0:104c
www.example.com 178.63.68.96,2a01:4f8:121:1ffe:1:1008:0:104b
flimp.example.com 178.63.68.96,2a01:4f8:121:1ffe:1:1008:0:145f
crashes.example.com 178.63.68.96,2a01:4f8:121:1ffe:1:1008:0:104d
example.com 178.63.68.96,2a01:4f8:121:1ffe:1:1008:0:104b
files.example.com 178.63.68.96,2a01:4f8:121:1ffe:1:1008:0:105b
autoconfig.example.com 178.63.68.96,2a01:4f8:121:1ffe:1:1285:0:676
Average DNS queries performed: 107/sec, DNS names remaining: 8
^C
OWASP Amass v2.9.11 https://github.com/OWASP/Amass
--------------------------------------------------------------------------------
8 names discovered - scrape: 1, cert: 5, api: 1, dns: 1
--------------------------------------------------------------------------------
ASN: 24940 - HETZNER-AS, DE
178.63.0.0/16 8 Subdomain Name(s)
2a01:4f8::/29 8 Subdomain Name(s)
[!] Cancelling command.
[i] amass took 97 seconds to run.
[!] amass found 8 domains.
[+] Found 8 unique IPs so far.
[+] Found 11 unique discovered domains so far.
[+] Found 0 unique resolvable domains so far.
[i] Running goaltdns against all 11 unique discovered subdomains to generate domains for masscan to resolve.
[i] Command: goaltdns -l /all_discovered_domains.txt -w wordlists/altdns-words.txt -o /goaltdns-output.txt.
[i] Goaltdns took 0 seconds to run.
[i] Goaltdns generated 12343 subdomains.
[i] Scanning 11339 current unique example.com domains and IPs, goaltdns generated domains, and domain-appended wordlist with massdns (in quiet mode).
[i] Command: cat (all found domains and IPs) | /root/bounty/tools/massdns/bin/massdns -r resolvers.txt -q -t A -o S -w /massdns-result.txt.
[i] Massdns took 25 seconds to run.
[!] Check /massdns-CNAMEs.txt for a list of CNAMEs found.
[+] Found 8 unique IPs so far.
[+] Found 11 unique discovered domains so far.
[+] Found 6 unique resolvable domains so far.
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
sort: read failed: /: Is a directory
mv: '/temp4' and '/temp4' are the same file
[i] Running subjack against all 6 unique discovered subdomains to check for subdomain takeover.
[i] It will run twice, once against HTTPS and once against HTTP.
[i] Command: subjack -d example.com -w /all_resolved_domains.txt -v -t 20 -ssl -m -o /subjack-output.txt
[Not Vulnerable] files.example.com
[Not Vulnerable] example.com
[Not Vulnerable] crashes.example.com
[Not Vulnerable] blog.example.com
[Not Vulnerable] www.example.com
[Not Vulnerable] bugs.example.com
[Not Vulnerable] blog.example.com
[Not Vulnerable] bugs.example.com
[Not Vulnerable] crashes.example.com
[Not Vulnerable] files.example.com
[Not Vulnerable] example.com
[Not Vulnerable] www.example.com
[i] Subjack took 0 seconds to run.
[i] Full Subjack results are at /subjack-output.txt.
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
./chomp-scan.sh: line 791: /: Is a directory
sort: read failed: /: Is a directory
mv: '/temp4' and '/temp4' are the same file
wc: /: Is a directory
[!] No interesting domains have been found yet.
[+] Found 8 unique IPs so far.
[+] Found 11 unique discovered domains so far.
[+] Found 6 unique resolvable domains so far.
[i] Creating a Burp scope file with rescope.
[-] Grabbing targets from /all_resolved_domains.txt
[-] Parsing to JSON (Burp Suite)
[โ] Done. Wrote 1256 bytes to /burp-scope.json
[i] Total script run time: 1558171283 seconds.
root@oldesec:/# ls /
all_discovered_domains.txt etc media subjack-https-output.txt
all_discovered_ips.txt goaltdns-output.txt mnt sys
all_resolved_domains.txt home opt temp4
amass-output.txt initrd.img proc tmp
bin initrd.img.old root usr
boot lib run var
burp-scope.json lib64 sbin vmlinuz
dev lost+found snap vmlinuz.old
dnscan-domains.txt massdns-CNAMEs.txt srv
dnscan-ips.txt massdns-appended.txt subfinder-domains.txt
dnscan_out.txt massdns-result.txt subjack-http-output.txt