DEV Community: Bhawesh Chaudhary

🚀 Introducing Astra v1.1 – Local, Powerful, and Now Even More Flexible

Bhawesh Chaudhary — Sun, 18 May 2025 07:25:52 +0000

I'm excited to announce the release of Astra v1.1, the latest version of my open-source network scanning tool built for security researchers, sysadmins, and curious tinkerers. Astra combines speed, flexibility, and privacy — all without relying on third-party APIs.

If you’re tired of bloated, cloud-reliant scanners, Astra is for you.

🌐 What is Astra?

Astra is a Python-based CLI tool that lets you:

Scan domains and CIDR ranges
Identify open TCP ports
Resolve DNS locally
Run scans without relying on external APIs (although ipinfo.io integration is optionally supported)

Whether you're probing a bug bounty target, analyzing your own infrastructure, or conducting research in an isolated lab, Astra gives you full control with no data leakage.

🔍 What’s New in Astra v1.1?

Version 1.1 builds on the foundation of Astra with new scanning modes, improved usability, and better performance tuning. Here’s what’s new:

✅ New Features:

CIDR Scan Enhancements: Now supports selective scanning like --first-1-per-cidr, --first-2-per-cidr, and --first-10-per-cidr.
Output Flexibility: Save results in either JSON or CSV using --output-format.
Expanded Port Options: Quickly scan the first 300 or 1000 ports with --first-300 or --first-1000.
Improved Verbose Logging: Enhanced logs help you trace what Astra is doing under the hood.
Performance Tuning: Fine-tune with --timeout, --max-ips, and per-CIDR controls.

🛠️ Quality of Life Improvements:

Simplified config setup via ~/.astra/config.json.
Better help output (-h now clearly documents all flags).
Graceful handling of invalid domains and empty scan results.

🚦 Use Cases

1. Scan a Domain:

python3 astra.py apple.com --verbose

2. Scan a CIDR Range:

python3 astra.py --cidr 192.168.1.0/24 --first-300 --first-2-per-cidr

3. Limit Resources on Large Scans:

python3 astra.py facebook.com --first-1000 --max-ips 100 --timeout 2.0

4. Export to File:

python3 astra.py apple.com --output results.json --output-format json

🧰 Why Choose Astra?

🔒 Privacy First: Runs locally. No third-party API calls required.
⚙️ Highly Customizable: Scan any range of ports, control IP selection, and tune timeouts.
💡 Transparent Output: Know exactly what's happening with verbose logs and structured results.
🧩 Open Source: Modify, contribute, or build on top of Astra — your tool, your rules.

🔧 Installation is Simple

git clone https://github.com/bhaweshchaudhary/Astra.git
cd astra
python3 -m venv venv
source venv/bin/activate  # Or venv\Scripts\activate on Windows
pip install -r requirements.txt
python3 astra.py -h

🙋‍♂️ FAQs

Is Astra legal to use?
Yes, only with permission. Unauthorized scanning is illegal.

Does it support UDP or IPv6?
Not yet — but it’s on the roadmap.

Can I contribute?
Absolutely! Fork the repo, check out DEVELOPER.md, and submit a pull request.

🎯 Final Thoughts

Astra v1.1 represents a step forward in ethical, private, and powerful network scanning. Whether you're in offensive security, blue team defense, or just exploring your own network, Astra gives you a lightweight yet robust tool to get the job done — no cloud dependencies, no bloat.

Ready to scan like a pro?

🔗 Get Astra on GitHub

A Comprehensive Guide to Bug Hunting

Bhawesh Chaudhary — Sun, 18 May 2025 06:46:12 +0000

This guide provides a structured, step-by-step approach to bug hunting, focusing on reconnaissance, subdomain enumeration, live domain filtering, vulnerability scanning, and JavaScript analysis.

It incorporates essential tools like SecretFinder, Katana, GetJS, Nuclei, Mantra, Subjs, Grep, and Anew to enhance efficiency and coverage.

1. Initial Reconnaissance

Gather information about the target to identify IP blocks, ASNs, DNS records, and associated domains.

Tools and Techniques:

ARIN WHOIS: Lookup IP blocks and ownership details.
BGP.HE: Retrieve IP blocks, ASNs, and routing information.
ViewDNS.info: Check DNS history and reverse IP lookups.
MXToolbox: Analyze MX records and DNS configurations.
Whoxy: Perform WHOIS lookups for domain ownership.
Who.is: Retrieve domain registration details.
Whois.domaintools: Advanced WHOIS and historical data.
IPAddressGuide: Convert CIDR to IP ranges.
NSLookup: Identify nameservers.
BuiltWith: Discover technologies used on the target website.
Amass: Perform comprehensive information gathering (subdomains, IPs, etc.).
Shodan: Search for exposed devices and services.
Censys.io: Identify hosts and certificates.
Hunter.how: Find email addresses and domain-related data.
ZoomEye: Search for open ports and services.

Steps:

Identify the target domain and associated IP ranges.
Collect WHOIS data for ownership and registration details.
Map out nameservers and DNS records.
Use Amass to enumerate initial subdomains and IPs.
Leverage Shodan, Censys, and ZoomEye to find exposed services.

2. Subdomain Enumeration

Subdomains often expose vulnerabilities. The goal is to discover as many subdomains as possible, including sub-subdomains, and filter live ones.

Tools and Techniques:

Subfinder: Fast subdomain enumeration.
Amass: Advanced subdomain discovery.
Crt.sh: Extract subdomains from certificate transparency logs.
Sublist3r: Enumerate subdomains using multiple sources.
FFUF: Brute-force subdomains.
Chaos: Discover subdomains via ProjectDiscovery’s dataset.
OneForAll: Comprehensive subdomain enumeration.
ShuffleDNS: High-speed subdomain brute-forcing (VPS recommended).
Katana: Crawl websites to extract subdomains and endpoints.
VirusTotal: Find subdomains via passive DNS.
Netcraft: Search DNS records for subdomains.
Anew: Remove duplicate entries from subdomain lists.
Httpx: Filter live subdomains.
EyeWitness: Take screenshots of live subdomains for visual analysis.

Steps:

Run Subfinder, Amass, Sublist3r, and OneForAll to collect subdomains.
Query Crt.sh and Chaos for additional subdomains.
Use FFUF and ShuffleDNS for brute-forcing (on a VPS for speed).
Crawl the target with Katana to extract subdomains from dynamic content.
Combine results into a single file and use Anew to remove duplicates: cat subdomains.txt | anew > unique_subdomains.txt
Filter live subdomains with Httpx: cat unique_subdomains.txt | httpx -silent > live_subdomains.txt
Use EyeWitness to capture screenshots of live subdomains for manual review.

3. Subdomain Takeover Checks

Identify subdomains pointing to unclaimed services (e.g., AWS S3, Azure) that can be taken over.

Tools:

Subzy: Check for subdomain takeover vulnerabilities.
Subjack: Detect takeover opportunities (may be preinstalled in Kali).

Steps:

Run Subzy on the list of subdomains: subzy run --targets live_subdomains.txt
Use Subjack for additional checks: subjack -w live_subdomains.txt -a
Manually verify any flagged subdomains to confirm vulnerabilities.

4. Directory and File Bruteforcing

Search for sensitive files and directories that may expose vulnerabilities.

Tools:

FFUF: High-speed directory brute-forcing.
Dirsearch: Discover hidden directories and files.
Katana: Crawl for endpoints and files.

Steps:

Use FFUF to brute-force directories on live subdomains: ffuf -w wordlist.txt -u https://subdomain.target.com/FUZZ
Run Dirsearch for deeper enumeration: dirsearch -u https://subdomain.target.com -e *
Crawl with Katana to identify additional endpoints: katana -u https://subdomain.target.com -o endpoints.txt

5. JavaScript Analysis

Analyze JavaScript files for sensitive information like API keys, credentials, or hidden endpoints.

Tools:

GetJS: Extract JavaScript file URLs from a target.
Subjs: Identify JavaScript files across subdomains.
Katana: Crawl for JavaScript files and endpoints.
SecretFinder: Search JavaScript files for secrets (API keys, tokens, etc.).
Mantra: Analyze JavaScript for vulnerabilities and misconfigurations.
Grep: Filter specific patterns in JavaScript files.

Steps:

Use Subjs and GetJS to collect JavaScript file URLs: cat live_subdomains.txt | subjs > js_files.txt getjs --url https://subdomain.target.com >> js_files.txt
Crawl with Katana to find additional JavaScript files: katana -u https://subdomain.target.com -o js_endpoints.txt
Download JavaScript files for analysis: wget -i js_files.txt -P js_files/
Run SecretFinder to identify sensitive data: secretfinder -i js_files/ -o secrets.txt
Use Mantra to detect vulnerabilities in JavaScript code: mantra -f js_files/ -o mantra_report.txt
Search for specific patterns (e.g., API keys) with Grep: grep -r "api_key|token" js_files/

6. Vulnerability Scanning

Perform automated scans to identify common vulnerabilities.

Tools:

Nuclei: Fast vulnerability scanner with customizable templates.
Mantra: Detect misconfigurations and vulnerabilities in web assets.

Steps:

Run Nuclei with a comprehensive template set: nuclei -l live_subdomains.txt -t cves/ -t exposures/ -o nuclei_results.txt

Use Mantra to scan for misconfigurations: mantra -u https://subdomain.target.com -o mantra_scan.txt

7. GitHub Reconnaissance

Search for leaked sensitive information in public repositories.

Tools:

GitHub Search: Manually search for target-related repositories.
Grep: Filter repository content for sensitive data.

Steps:

Search GitHub for the target domain or subdomains (e.g., from:target.com).

Clone relevant repositories and use Grep to find secrets: grep -r "api_key|password|secret" repo_folder/

Analyze code for hardcoded credentials or misconfigurations.

8. Next Steps and Analysis

Review EyeWitness screenshots for login pages, outdated software, or misconfigurations.

Analyze Nuclei and Mantra reports for actionable vulnerabilities.
Perform manual testing on promising subdomains (e.g., XSS, SQLi, SSRF).

Document findings and prioritize vulnerabilities based on severity.

Additional Notes

Learning Resources: Complete TryHackMe’s pre-security learning path for foundational knowledge.

Tool Installation:

Install Anew: go install github.com/tomnomnom/anew@latest
Install Subzy: go install github.com/PentestPad/subzy@latest
Install Nuclei: go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
Install Katana: go install github.com/projectdiscovery/katana/cmd/katana@latest
Optimization: Use a VPS for resource-intensive tools like ShuffleDNS and FFUF.
File Management: Organize outputs into separate files (e.g., subdomains.txt, js_files.txt) for clarity.