Added rescope.
bellma101 committed Mar 12, 2019
1 parent 36869df commit 8622689
Showing 4 changed files with 45 additions and 2 deletions.
6 changes: 5 additions & 1 deletion README.md
Expand Up @@ -10,12 +10,14 @@ A scripted pipeline of tools to simplify the bug bounty/penetration test reconna
### Scope
Chomp Scan is a Bash script that chains together the fastest and most effective tools (in my opinion/experience) for doing the long and sometimes tedious process of recon. No more looking for word lists and trying to remember when you started a scan and where the output is. Chomp Scan can focus on a list of potentially interesting subdomains, letting you save time and focus on high-value targets. It can even notify you via Notica when it's done running!

**New** Chomp Scan now integrates [Notica](https://notica.us), which allows you to receive a notification when the script finishes. Simply visit Notica and get a unique URL parameter, e.g. notica.us/?xxxxxxxx. Pass the parameter to Chomp Scan via the `-n` flag, keep the Notica page open in a browser tab on your computer or phone, and you will receive a message when Chomp Scan has finished running. No more constantly checking/forgetting to check those long running scans.
Chomp Scan now integrates [Notica](https://notica.us), which allows you to receive a notification when the script finishes. Simply visit Notica and get a unique URL parameter, e.g. notica.us/?xxxxxxxx. Pass the parameter to Chomp Scan via the `-n` flag, keep the Notica page open in a browser tab on your computer or phone, and you will receive a message when Chomp Scan has finished running. No more constantly checking/forgetting to check those long running scans.

A list of interesting words is included, such as *dev, test, uat, staging,* etc., and domains containing those terms are flagged. This way you can focus on the interesting domains first if you wish. This list can be customized to suit your own needs, or replaced with a different file via the `-X` flag.

Chomp Scan runs in multiple modes. A new [Configuration File](https://github.com/SolomonSklash/chomp-scan/wiki/Configuration-File) is the recommended way to run scans, as it allows the most granular control of tools and settings. A standard CLI mode is included, which functions the same as any other CLI tool. A guided interactive mode is available, as well as a non-interactive mode, useful if you do not want to lookup parameters or worry about setting multiple arguments.

**New** Chomp Scan now includes [rescope](https://github.com/root4loot/rescope). Rescope will parse all resolved domains discovered by Chomp Scan and generate a JSON scope file that can be imported into Burp Suite. This option can be enabled by setting the `ENABLE_RESCOPE` variable in the configuration file or by passing the `-r` flag via the command line.

Please see the [Wiki](https://github.com/SolomonSklash/chomp-scan/wiki) for detailed documentation.

**Note: Chomp Scan is in active development, and new/different tools will be added as I come across them. Pull requests and comments welcome!**
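Review bot: the new rescope paragraph does not say where the scope file ends up; since run_rescope writes it to `burp-scope.json` inside the working directory, state that here so users know which file to import into Burp Suite.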
Expand Down Expand Up @@ -116,6 +118,8 @@ Usage of Chomp Scan:
(optional, default) Use only interesting discovered domains for scans, rather than all discovered domains. This cannot be used with -a.
-H
(optional) Use HTTP for connecting to sites instead of HTTPS.
-r
(optional) Enable creation of Burp scope JSON file with rescope.
-h
(optional) Display this help page.
```
37 changes: 36 additions & 1 deletion chomp-scan.sh
Expand Up @@ -62,6 +62,7 @@ ENABLE_NIKTO=0;
ENABLE_MASSCAN=0;
ENABLE_NMAP=0;
ENABLE_SCREENSHOTS=0;
ENABLE_RESCOPE=0;

# Other variables
ALL_IP=all_discovered_ips.txt;
Expand All @@ -85,6 +86,7 @@ function set_tool_paths() {
INCEPTION=$(command -v inception);
WAYBACKURLS=$(command -v waybackurls);
GOALTDNS=$(command -v goaltdns);
RESCOPE=$(command -v rescope);
SUBLIST3R=$TOOL_PATH/Sublist3r/sublist3r.py;
DNSCAN=$TOOL_PATH/dnscan/dnscan.py;
MASSDNS_BIN=$TOOL_PATH/massdns/bin/massdns;
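Review bot: `RESCOPE=$(command -v rescope);` only resolves when the Go bin directory is on PATH, and the installer fetches rescope with `go get`, which drops the binary under GOPATH/bin rather than under TOOL_PATH like the tools below it. Either document that PATH requirement or fall back to "$GOPATH"/bin/rescope when `command -v` returns nothing; otherwise the later check_paths check aborts the run.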
Expand Down Expand Up @@ -151,6 +153,7 @@ function usage() {
echo -e "$BLUE""\\t-a \\n\\t\\t$ORANGE (optional) Use all unique discovered domains for scans, rather than interesting domains. This cannot be used with -A.""$NC";
echo -e "$BLUE""\\t-A \\n\\t\\t$ORANGE (optional, default) Use only interesting discovered domains for scans, rather than all discovered domains. This cannot be used with -a.""$NC";
echo -e "$BLUE""\\t-H \\n\\t\\t$ORANGE (optional) Use HTTP for connecting to sites instead of HTTPS.""$NC";
echo -e "$BLUE""\\t-r \\n\\t\\t$ORANGE (optional) Enable creation of Burp scope JSON file with rescope.""$NC";
echo -e "$BLUE""\\t-h \\n\\t\\t$ORANGE (optional) Display this help page.""$NC";
}

Expand Down Expand Up @@ -261,6 +264,10 @@ function parse_config() {
fi
fi

if [[ $(grep '^ENABLE_RESCOPE' "$CONFIG_FILE" | cut -d '=' -f 2) == "YES" ]]; then
ENABLE_RESCOPE=1;
fi

# Parse [subdomain enumeration]

if [[ $(grep '^ENABLE_DNSCAN' "$CONFIG_FILE" | cut -d '=' -f 2) == "YES" ]]; then
Expand Down Expand Up @@ -414,7 +421,7 @@ function parse_config() {
}

# Handle CLI arguments
while getopts ":hu:d:L:C:sicb:IaADX:po:Hn:P:" opt; do
while getopts ":hu:d:L:C:sicb:IaADX:po:Hn:P:r" opt; do
case ${opt} in
h ) # -h help
usage;
Expand Down Expand Up @@ -584,6 +591,9 @@ while getopts ":hu:d:L:C:sicb:IaADX:po:Hn:P:" opt; do
n ) # -n Notica URL parameter
NOTICA="$OPTARG";
;;
r ) # -r run rescope
ENABLE_RESCOPE=1;
;;
\? ) # Invalid option
echo -e "$RED""[!] Invalid Option: -$OPTARG" 1>&2;
usage;
Expand Down Expand Up @@ -714,6 +724,10 @@ function check_paths() {
echo -e "$RED""[!] The path or the file specified by the path for amass does not exit.";
exit 1;
fi
if [[ "$RESCOPE" == "" ]] || [[ ! -f "$RESCOPE" ]]; then
echo -e "$RED""[!] The path or the file specified by the path for rescope does not exit.";
exit 1;
fi
}

function unique() {
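Review bot: the new rescope check in check_paths is unconditional, so every run now aborts when rescope is not installed, even with ENABLE_RESCOPE=0 and no -r; wrap it in `if [[ "$ENABLE_RESCOPE" -eq 1 ]]`. The message also copies the "does not exit" typo from the amass line above it; it should read "does not exist".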
Expand Down Expand Up @@ -2056,6 +2070,15 @@ function run_notica_sudo() {
curl --data "d:Chomp Scan Notification: Your sudo password is needed for masscan." "https://notica.us/?$NOTICA";
}

function run_rescope() {
echo -e "$BLUE""[i] Creating a Burp scope file with rescope.""$NC";

# Make sure resolved domains exists
if [[ $(wc -l "$WORKING_DIR"/"$ALL_RESOLVED" | cut -d ' ' -f 1) -gt 0 ]]; then
"$RESCOPE" burp -i "$WORKING_DIR"/"$ALL_RESOLVED" -o "$WORKING_DIR"/burp-scope.json -s;
fi
}

#### Error/path/argument checking before beginning script

# Check that -u domain was passed
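Review bot: the guard `$(wc -l "$WORKING_DIR"/"$ALL_RESOLVED" | cut -d ' ' -f 1) -gt 0` in run_rescope is fragile: when the file is missing wc writes an error to the terminal and the expansion is empty, and on systems where wc pads the count with leading spaces the first cut field is empty too. `if [[ -s "$WORKING_DIR"/"$ALL_RESOLVED" ]]` does what the comment says and covers both cases; an else branch with a message would also help, since the function announces that it is creating the scope file and then silently does nothing when there are no resolved domains.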
Expand Down Expand Up @@ -2360,6 +2383,11 @@ if [[ "$CONFIG_FILE" != "" ]]; then
get_interesting;
list_found;

# Run rescope
if [[ "$ENABLE_RESCOPE" -eq 1 ]]; then
run_rescope;
fi

# Calculate scan runtime
SCAN_END=$(date +%s);
SCAN_DIFF=$(( SCAN_END - SCAN_START ));
Expand Down Expand Up @@ -2413,6 +2441,7 @@ if [[ "$DEFAULT_MODE" == 1 ]]; then
run_dirsearch "$DOMAIN" "$SMALL" "$WORKING_DIR"/"$ALL_RESOLVED";
get_interesting;
list_found;
run_rescope;

# Calculate scan runtime
SCAN_END=$(date +%s);
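Review bot: `run_rescope;` is called unconditionally in default mode, whereas the config-file branch and the CLI branch only call it when ENABLE_RESCOPE is set, so default mode always writes the scope file regardless of -r; add the same `if [[ "$ENABLE_RESCOPE" -eq 1 ]]` guard here.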
Expand Down Expand Up @@ -2446,6 +2475,7 @@ if [[ "$INTERACTIVE" == 1 ]]; then
run_content_discovery;
get_interesting;
list_found;
run_rescope;

# Calculate scan runtime
SCAN_END=$(date +%s);
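Review bot: same issue as default mode: the unconditional `run_rescope;` after `list_found;` in interactive mode ignores ENABLE_RESCOPE; guard it the same way as the config-file branch.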
Expand Down Expand Up @@ -2606,6 +2636,11 @@ fi
get_interesting;
list_found;

# -r rescope
if [[ "$ENABLE_RESCOPE" == 1 ]]; then
run_rescope;
fi

# Calculate scan runtime
SCAN_END=$(date +%s);
SCAN_DIFF=$(( SCAN_END - SCAN_START ));
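Review bot: this guard uses `"$ENABLE_RESCOPE" == 1` while the config-file branch uses `-eq 1`; both work for a 0/1 value, but pick one form so the four call sites read the same.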
2 changes: 2 additions & 0 deletions config
Expand Up @@ -19,6 +19,8 @@ BLACKLIST=
INTERESTING=
# Set custom path to tools. This should be a fully qualified path to the directory that contains the downloaded tools from Github
TOOL_PATH=
# Enable parsing resolved domains into a Burp-formatted JSON file
ENABLE_RESCOPE=YES


[subdomain enumeration]
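Review bot: the sample config ships with `ENABLE_RESCOPE=YES`, so rescope is on for anyone who copies it, while the script's own default is `ENABLE_RESCOPE=0`; set it to NO here and let users opt in, as the README describes, otherwise users without rescope installed hit the check_paths exit out of the box.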
2 changes: 2 additions & 0 deletions installer.sh
Expand Up @@ -137,6 +137,8 @@ function install_go_tools() {
go get github.com/tomnomnom/waybackurls;
echo -e "$GREEN""Installing goaltdns from Github.""$NC";
go get github.com/subfinder/goaltdns;
echo -e "$GREEN""Installing rescope from Github.""$NC";
go get github.com/root4loot/rescope;
}

function install_go() {