A CLI to find in-scope subdomains for bug bounty programs!
sc0pe uses amass, subfinder, and Sublist3r to enumerate subdomains.
npm i sc0pe
This will install Sublist3r as a submodule - you should install amass and subfinder yourself.
@@@@@@ @@@@@@@ @@@@@@@@ @@@@@@@ @@@@@@@@
@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@@@@@
!@@ !@@ @@! @@@@ @@! @@@ @@!
!@! !@! !@! @!@!@ !@! @!@ !@!
!!@@!! !@! @!@ @! !@! @!@@!@! @!!!:!
!!@!!! !!! !@!!! !!! !!@!!! !!!!!:
!:! :!! !!:! !!! !!: !!:
!:! :!: :!: !:! :!: :!:
:::: :: ::: ::: ::::::: :: :: :: ::::
:: : : :: :: : : : : : : : :: ::
Usage: sc0pe [options] <file>
Options:
-V, --version output the version number
-a, --adventurous enumerate subdomains for non-wildcard domains
-p, --parallelism <int> max number of domains to scan in parallel (default: 1)
-q, --quiet don't show banner and info
-h, --help display help for command
sc0pe takes a Burp configuration file as input, deduces in-scope root domains, and performs passive enumeration of subdomains.
By default, sc0pe only explores wildcard domains but you can add the --adventurous flag to discover subdomains for non-wildcard domains.
The --parallelism option controls the maximum number of root domains scanned in parallel. sc0pe reduces the value if the number of root domains is smaller.