Bbot – OSINT Automation For Hackers
Discription

[![](https://blogger.googleusercontent.com/img/a/AVvXsEigqlCD4yz9FHfEw-UZg_NZYyN-t1nu_SBNH8PfDlrmz-r8H8l0VtbDYixHG4ZXR1h7bzfPKWk3_TAXJna2WbMxEFZseU17l0LfZbOwtCbZ-dry4IbW47Idi7BTu9ifn-3HDkFcZmPY6F-LHCfGDihtv6MqJDPtSOdr7V7ukxHp-jsElDeKSF2V02OYBg=w640-h368)]()

# BEE·bot

### OSINT automation for hackers.

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMIjt9vCWJChipmdfNnXKNO23V7UwG_EgvWoKj1aoWhQ2_kv2Uxhoz2NUIONwMPT8Y7VGhhsvITW8CEzHV8LfFtqua6pbMWPwna4uVAJxy2J_cDd0P50zuQKDp__k9wR-alsz7x22wV-kSF2sVHQM5jMGJR9uaXMhf_LB-cae1OJa2dAUVkgDpdBzvdQ/w640-h310/bbot_7.gif)]()

### **BBOT** is a **recursive**, **modular** OSINT framework written in Python.

It is capable of executing the entire OSINT process in a single command, including subdomain enumeration, port scanning, web screenshots (with its `gowitness` module), [vulnerability scanning]( “vulnerability scanning” ) (with `nuclei`), and much more.

BBOT currently has over **50 modules** and counting.

## Installation (pip)

pip install bbot

bbot –help

Prerequisites:

* Linux or WSL
* Python 3.9 or newer

## Installation (docker)

# bleeding edge (dev)
docker run blacklanternsecurity/bbot –help

# stable
docker run blacklanternsecurity/bbot:stable –help

# note: alternatively there is a helper script that will map docker volumes to persist your BBOT scan data:
./bbot-docker.sh –help

If you need help with installation, please refer to the [wiki]( “wiki” ).

## Scanning with BBOT

Note: the `httpx` module is recommended in most scans because it is [used by BBOT to visit webpages]( “used by BBOT to visit webpages” ).

### Examples

# list modules
bbot -l

# subdomain enumeration
bbot –flags subdomain-enum –modules httpx –targets evilcorp.com

# passive modules only
bbot –flags passive –targets evilcorp.com

# web screenshots with gowitness
bbot -m naabu httpx gowitness –name my_scan –output-dir . -t subdomains.txt

# web scan
bbot -f web-basic -t www.evilcorp.com

# web spider (search for emails, etc.)
bbot -m httpx -c web_spider_distance=2 web_spider_depth=2 -t www.evilcorp.com

# everything at once because yes
bbot -f subdomain-enum web-basic -m naabu gowitness -c web_spider_distance=2 web_spider_depth=2 -t evilcorp.com

### Targets

In BBOT, targets are used to seed a scan. You can specify any number of targets, and if you require more granular control over scope, you can also use whitelists and blacklists.

# multiple targets
bbot -t evilcorp.com evilcorp.co.uk 1.2.3.0/24 targets.txt

# seed a scan with two domains, but only consider assets to be in scope if they are inside 1.2.3.0/24
bbot -t evilcorp.com evilcorp.co.uk –whitelist 1.2.3.0/24 –blacklist test.evilcorp.com 1.2.3.4

Visit the wiki for more [tips and tricks]( “tips and tricks” ), including details on how BBOT handles scope, and how to tweak it if you need to.

## Using BBOT as a Python library

from bbot.scanner import Scanner

# any number of targets can be specified
scan = Scanner(“evilcorp.com”, “1.2.3.0/24”, modules=[“naabu”])
for event in scan.start():
print(event)

# Output

BBOT can output to TXT, JSON, CSV, Neo4j, and more with `–output-module`. You can output to multiple formats simultaneously.

# tee to a file
bbot -f subdomain-enum -t evilcorp.com | tee evilcorp.txt

# output to JSON
bbot –output-module json -f subdomain-enum -t evilcorp.com | jq

# output to CSV, TXT, and JSON, in current directory
bbot -o . –output-module human csv json -f subdomain-enum -t evilcorp.com

For every scan, BBOT generates a unique and mildly-entertaining name like `fuzzy_gandalf`. Output for that scan, including the word cloud and any gowitness screenshots, etc., are saved to a folder by that name in `~/.bbot/scans`. The most recent 20 scans are kept, and older ones are removed. You can change the location of BBOT’s output with `–output`, and you can also pick a custom scan name with `–name`.

If you reuse a scan name, it will append to its original output files and leverage the previous word cloud.

# Neo4j

Neo4j is the funnest (and prettiest) way to view and interact with BBOT data.

[]( “OSINT automation for hackers. (12)” )[![](https://blogger.googleusercontent.com/img/a/AVvXsEi9XX12fGXLTfj2ChxrZmqXg39OKGHEuhv2YSjVLfQ5PEWoyRIKEmBqzwwbrWPJ77UcMnjd-2I2Ca9U6pD0f70cTi2F-b_W_bMScXCpRinPRkfsZo2hUBMqj6g6_JsyEg12Ddnp9-mPtcEgNpJzVJH9X7q3JBPQ87DUJ50iTuXfAtabeb-ELQLqRfOGPQ=w640-h384)]()

* You can get Neo4j up and running with a single docker command:

docker run -p 7687:7687 -p 7474:7474 –env NEO4J_AUTH=neo4j/bbotislife neo4j

* After that, run bbot with `–output-modules neo4j`

bbot -f subdomain-enum -t evilcorp.com –output-modules human neo4j

* Browse data at

# Usage

$ bbot –help
usage: bbot [-h] [–help-all] [-t TARGET [TARGET …]] [-w WHITELIST [WHITELIST …]] [-b BLACKLIST [BLACKLIST …]] [–strict-scope] [-n SCAN_NAME] [-m MODULE [MODULE …]] [-l] [-em MODULE [MODULE …]]
[-f FLAG [FLAG …]] [-rf FLAG [FLAG …]] [-ef FLAG [FLAG …]] [-om MODULE [MODULE …]] [-o DIR] [-c [CONFIG …]] [–allow-deadly] [-v] [-d] [-s] [–force] [-y] [–dry-run] [–current-config]
[–save-wordcloud FILE] [–load-wordcloud FILE] [–no-deps | –force-deps | –retry-deps | –ignore-failed-deps | –install-all-deps] [-a] [–version]

Bighuge BLS OSINT Tool

options:
-h, –help show this help message and exit
–help-all Display full help including module config options
-n SCAN_NAME, –name SCAN_NAME
Name of scan (default: random)
-m MODULE [MODULE …], –modules MODULE [MODULE …]
Modules to enable. Choices: affiliates,asn,azure_tenant,binaryedge,builtwith,bypass403,c99,censys,certspotter,cookie_brute,crobat,crt,dnscommonsrv,dnsdumpster,dnszonetransfer,emailformat,ffuf,ffuf_shortnames,fullhunt,generic_ssrf,getparam_brute,github,gowitness,hackertarget,header_brute,host_header,httpx,hunt,hunterio,iis_shortnames,ipneighbor,leakix,massdns,naabu,ntlm,nuclei,otx,passivetotal,pgp,rapiddns,riddler,securitytrails,shodan_dns,skymem,smuggler,sslcert,sublist3r,telerik,threatminer,urlscan,vhost,viewdns,virustotal,wappalyzer,wayback,zoomeye
-l, –list-modules List available modules.
-em MODULE [MODULE …], –exclude-modules MODULE [MODULE …]
Exclude these modules.
-f FLAG [FLAG …], –flags FLAG [FLAG …]
Enable modules by flag. Choices: active,aggressive,brute-force,deadly,email-enum,iis-shortnames,passive,portscan,report,safe,slow,subdomain-enum,web-advanced,web-basic,web-paramminer,web-screenshots
-rf FLAG [FLAG …], –require-flags FLAG [FLAG …]
Disable modules that don’t have these flags (e.g. –require-flags passive)
-ef FLAG [FLAG …], –exclude-flags FLAG [FLAG …]
Disable modules with these flags. (e.g. –exclude-flags brute-force)
-om MODULE [MODULE …], –output-modules MODULE [MODULE …]
Output module(s). Choices: csv,http,human,json,neo4j,websocket
-o DIR, –output-dir DIR
-c [CONFIG …], –config [CONFIG …]
custom config file, or configuration options in key=value format: ‘modules.shodan.api_key=1234’
–allow-deadly Enable the use of highly aggressive modules
-v, –verbose Be more verbose
-d, –debug Enable debugging
-s, –silent Be quiet
–force Run scan even if module setups fail
-y, –yes Skip scan confirmation prompt
–dry-run Abort before executing scan
–current-config Show current config in YAML format

Target:
-t TARGET [TARGET …], –targets TARGET [TARGET …]
Targets to seed the scan
-w WHITELIST [WHITELIST …], –whitelist WHITELIST [WHITELIST …]
What’s considered in-scope (by default it’s the same as –targets)
-b BLACKLIST [BLACKLIST …], –blacklist BLACKLIST [BLACKLIST …]
Don’t touch these things
–strict-scope Don’t consider subdomains of target/whitelist to be in-scope

Word cloud:
Save/load wordlist of common words gathered during a scan

–save-wordcloud FILE
Output wordcloud to custom file when the scan completes
–load-wordcloud FILE
Load wordcloud from a custom file

Module dependencies:
Control how modules install their dependencies

–no-deps Don’t install module dependencies
–force-deps Force install all module dependencies
–retry-deps Try again to install failed module dependencies
–ignore-failed-deps Run modules even if they have failed dependencies
–install-all-deps Install dependencies for all modules

Agent:
Report back to a central server

-a, –agent-mode Start in agent mode

Misc:
–version show BBOT version and exit

# BBOT Config

BBOT loads its config from these places in the following order:

* `~/.config/bbot/defaults.yml`
* `~/.config/bbot/bbot.yml` <– Use this one as your main config
* `~/.config/bbot/secrets.yml` <– Use this one for sensitive stuff like API keys
* command line (via `–config`)

These config files will be automatically created for you when you first run BBOT.

Command-line arguments take precedence over all others. You can give BBOT a custom config file with `–config myconf.yml`, or individual arguments like this: `–config http_proxy=https://127.0.0.1:8080 modules.shodan_dns.api_key=1234`. To display the full and current BBOT config, including any command-line arguments, use `bbot –current-config`.

For explanations of config options, see `defaults.yml` or the [wiki]( “wiki” )

# Modules

### Note: You can find more fun and interesting modules at the [Module Playground]( “Module Playground” ). For instructions on how to install these other modules, see the [wiki]( “wiki” ).

To view a full list of module config options, use `–help-all`.

+—————–+———-+———+——————————————+—————————————–+——————————————+
| Module | Type | Needs | Description | Flags | Produced Events |
| | | API | | | |
| | | Key | | | |
+=================+==========+=========+==========================================+=========================================+==========================================+
| bypass403 | scan | | Check 403 pages for common bypasses | active,aggressive,web-advanced | FINDING |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| cookie_brute | scan | | Check for common HTTP cookie parameters | active,aggressive,brute-force,slow,web- | FINDING |
| | | | | paramminer | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| dnszonetransfer | scan | | Attempt DNS zone transfers | active,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+———————————— ——+—————————————–+——————————————+
| ffuf | scan | | A fast web fuzzer written in Go | active,aggressive,brute- | URL |
| | | | | force,deadly,web-advanced | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| ffuf_shortnames | scan | | Use ffuf in combination IIS shortnames | active,aggressive,brute-force,iis- | URL |
| | | | | shortnames,web-advanced | |
+—————–+———-+—– —-+——————————————+—————————————–+——————————————+
| generic_ssrf | scan | | Check for generic SSRFs | active,aggressive,web-advanced | VULNERABILITY |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| getparam_brute | scan | | Check for common HTTP [GET parameters]( “GET parameters” ) | active,aggressive,brute-force,slow,web- | FINDING |
| | | | | paramminer | |
+—————–+———-+———+——————- ———————–+—————————————–+——————————————+
| gowitness | scan | | Take screenshots of webpages | active,safe,web-screenshots | SCREENSHOT |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| header_brute | scan | | Check for common HTTP header parameters | active,aggressive,brute-force,slow,web- | FINDING |
| | | | | paramminer | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| host_header | scan | | Try common HTTP Host header spoofing | active,aggressive,web-advanced | FINDING |
| | | | techniques | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| httpx | scan | | Visit webpages. Many other modules rely | active,safe,web-basic | HTTP_RESPONSE,URL |
| | | | on httpx | | |
+—————–+———-+———+——————————————+—————————————–+————————- —————–+
| hunt | scan | | Watch for commonly-exploitable HTTP | active,safe,web-advanced | FINDING |
| | | | parameters | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| iis_shortnames | scan | | Check for IIS shortname vulnerability | active,iis-shortnames,safe,web-basic | URL_HINT |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| naabu | scan | | Execute port scans with naabu | active,aggressive,portsca n | OPEN_TCP_PORT |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| ntlm | scan | | Watch for HTTP endpoints that support | active,safe,web-basic | DNS_NAME,FINDING |
| | | | NTLM [authentication]( “authentication” ) | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| nuclei | scan | | Fast and customisable vulnerability | active,aggressive,deadly,web-advanced | VULNERABI LITY |
| | | | scanner | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| smuggler | scan | | Check for HTTP smuggling | active,aggressive,brute-force,slow,web- | FINDING |
| | | | | advanced | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| sslcert | scan | | Visit open ports and retrieve SSL | active,ema il-enum,safe,subdomain-enum | DNS_NAME,EMAIL_ADDRESS |
| | | | certificates | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| telerik | scan | | Scan for critical Telerik | active,aggressive,slow,web-basic | FINDING,VULNERABILITY |
| | | | [vulnerabilities]( “vulnerabilities” ) | | |
+—————–+———-+———+——————————————+———————————– ——+——————————————+
| vhost | scan | | Fuzz for virtual hosts | active,aggressive,brute- | DNS_NAME,VHOST |
| | | | | force,deadly,slow,web-advanced | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| wappalyzer | scan | | Extract technologies from web responses | active,safe,web-basic | TECHNOLOGY |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| affiliates | scan | | Summarize affiliate domains at the e nd | passive,report,safe | |
| | | | of a scan | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| asn | scan | | Query bgpview.io for ASNs | passive,report,safe,subdomain-enum | ASN |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| azure_tenant | scan | | Query Azure for tenant sister domains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+—— —+——————————————+—————————————–+——————————————+
| binaryedge | scan | X | Query the BinaryEdge API | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| builtwith | scan | X | Query Builtwith.com for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| c99 | scan | X | Query the C99 API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| censys | scan | X | Query the Censys API | email-enum,passive,safe,subdomain-enum | DNS_NAME,EMAIL_ADDRESS,IP_ADDRESS,OPEN_P |
| | | | | | ORT,PROTOCOL |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| certspotter | scan | | Query Certspotter’s API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+– —————————————-+
| crobat | scan | | Query Project Crobat for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| crt | scan | | Query crt.sh (certificate transparency) | passive,safe,subdomain-enum | DNS_NAME |
| | | | for subdomains | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| dnscommonsrv | scan | | Check for common SRV records | pa ssive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| dnsdumpster | scan | | Query dnsdumpster for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| emailformat | scan | | Query email-format.com for email | email-enum,passive,safe | EMAIL_ADDRESS |
| | | | addresses | | |
+—————–+———-+———+—– ————————————-+—————————————–+——————————————+
| fullhunt | scan | X | Query the fullhunt.io API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| github | scan | X | Query Github’s API for related | passive,safe,subdomain-enum | URL_UNVERIFIED |
| | | | repositories | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| ha ckertarget | scan | | Query the hackertarget.com API for | passive,safe,subdomain-enum | DNS_NAME |
| | | | subdomains | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| hunterio | scan | X | Query hunter.io for emails | email-enum,passive,safe,subdomain-enum | DNS_NAME,EMAIL_ADDRESS,URL_UNVERIFIED |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| ipneighbor | scan | | Look beside IPs in their surrounding | aggressive,passive,subdomain-enum | IP_ADDRESS |
| | | | subnet | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| leakix | scan | | Query leakix.net for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| massdns | scan | | Brute-force subdomains with massdns | aggressive,brute- | DNS_NAME |
| | | | (highly effective) | force,passi ve,slow,subdomain-enum | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| otx | scan | | Query otx.alienvault.com for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| passivetotal | scan | X | Query the PassiveTotal API for | passive,safe,subdomain-enum | DNS_NAME |
| | | | subdomains | | |
+—————–+———-+———+————– —————————-+—————————————–+——————————————+
| pgp | scan | | Query common PGP servers for email | email-enum,passive,safe | EMAIL_ADDRESS |
| | | | addresses | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| rapiddns | scan | | Query rapiddns.io for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| riddler | scan | | Query riddler.io for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| securitytrails | scan | X | Query the SecurityTrails API for | passive,safe,subdomain-enum | DNS_NAME |
| | | | subdomains | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| shodan_dns | scan | X | Query Shodan for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| skymem | scan | | Query skymem.info for email addresses | email-enum,passive,safe | EMAIL_ADDRESS |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| sublist3r | scan | | Query sublist3r’s API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| threatminer | scan | | Query threatminer’s API for subdomains | passive,safe,subdoma in-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| urlscan | scan | | Query urlscan.io for subdomains | passive,safe,subdomain-enum | DNS_NAME,URL_UNVERIFIED |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| viewdns | scan | | Query viewdns.info’s reverse whois for | passive,safe,subdomain-enum | DNS_NAME |
| | | | related domains | | |
+—————–+———-+———+———————– ——————-+—————————————–+——————————————+
| virustotal | scan | X | Query VirusTotal’s API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| wayback | scan | | Query archive.org’s API for subdomains | passive,safe,subdomain-enum | DNS_NAME,URL_UNVERIFIED |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| zoomeye | scan | X | Query ZoomEye’s API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
+—————–+— ——-+———+——————————————+—————————————–+——————————————+
| csv | output | | Output to CSV | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| http | output | | Output to HTTP | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| human | output | | Output to text | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| json | output | | Output to JSON | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| neo4j | output | | Output to Neo4j | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| websocket | output | | Output to websockets | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| aggregate | internal | | Report on scan statistics | passive,safe | SUMMARY |
+—————–+———-+———+——————————————+—————————————–+——————————————+
| excavate | internal | | Passively extract juicy tidbits from | passive | URL_UNVERIFIED |
| | | | scan data | | |
+—————–+———-+———+——————————– ———-+—————————————–+——————————————+
| speculate | internal | | Derive certain event types from others | passive | DNS_NAME,IP_ADDRESS,OPEN_TCP_PORT |
| | | | by common sense | | |
+—————–+———-+———+——————————————+—————————————–+——————————————+

# Credit

BBOT is written by @TheTechromancer. Web hacking in BBOT is made possible by @liquidsec, who wrote most of the web-oriented modules and helpers.

Very special thanks to the following people who made BBOT possible:

* @kerrymilan for his Neo4j and Ansible expertise
* Steve Micallef (@smicallef) for creating Spiderfoot, by which BBOT is heavily inspired
* Aleksei Kornev (@alekseiko) for allowing us ownership of the bbot Pypi repository <3

**[Download Bbot]( “Download Bbot” )**Read More

Back to Main

Subscribe for the latest news: