sc0pe

A CLI to find in-scope subdomains for bug bounty programs!

Usage no npm install needed!

<script type="module">
  import sc0pe from 'https://cdn.skypack.dev/sc0pe';
</script>

README

sc0pe

A CLI to find in-scope subdomains for bug bounty programs!

sc0pe uses amass, subfinder, and Sublist3r to enumerate subdomains.

Install

npm i sc0pe

This will install Sublist3r as a submodule - you should install amass and subfinder yourself.

Usage

 @@@@@@    @@@@@@@   @@@@@@@@   @@@@@@@   @@@@@@@@
@@@@@@@   @@@@@@@@  @@@@@@@@@@  @@@@@@@@  @@@@@@@@
!@@       !@@       @@!   @@@@  @@!  @@@  @@!
!@!       !@!       !@!  @!@!@  !@!  @!@  !@!
!!@@!!    !@!       @!@ @! !@!  @!@@!@!   @!!!:!
 !!@!!!   !!!       !@!!!  !!!  !!@!!!    !!!!!:
     !:!  :!!       !!:!   !!!  !!:       !!:
    !:!   :!:       :!:    !:!  :!:       :!:
:::: ::    ::: :::  ::::::: ::   ::        :: ::::
:: : :     :: :: :   : : :  :    :        : :: ::


Usage: sc0pe [options] <file>

Options:
  -V, --version            output the version number
  -a, --adventurous        enumerate subdomains for non-wildcard domains
  -p, --parallelism <int>  max number of domains to scan in parallel (default: 1)
  -q, --quiet              don't show banner and info
  -h, --help               display help for command

sc0pe takes a Burp configuration file as input, deduces in-scope root domains, and performs passive enumeration of subdomains.

By default, sc0pe only explores wildcard domains but you can add the --adventurous flag to discover subdomains for non-wildcard domains.

The --parallelism option controls the maximum number of root domains scanned in parallel. sc0pe reduces the value if the number of root domains is smaller.