Bbot – OSINT Automation For Hackers

Main / Bbot – OSINT Automation For Hackers

Discription

[![](https://blogger.googleusercontent.com/img/a/AVvXsEigqlCD4yz9FHfEw-UZg_NZYyN-t1nu_SBNH8PfDlrmz-r8H8l0VtbDYixHG4ZXR1h7bzfPKWk3_TAXJna2WbMxEFZseU17l0LfZbOwtCbZ-dry4IbW47Idi7BTu9ifn-3HDkFcZmPY6F-LHCfGDihtv6MqJDPtSOdr7V7ukxHp-jsElDeKSF2V02OYBg=w640-h368)]()

# BEEÂ·bot

### OSINT automation for hackers.

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMIjt9vCWJChipmdfNnXKNO23V7UwG_EgvWoKj1aoWhQ2_kv2Uxhoz2NUIONwMPT8Y7VGhhsvITW8CEzHV8LfFtqua6pbMWPwna4uVAJxy2J_cDd0P50zuQKDp__k9wR-alsz7x22wV-kSF2sVHQM5jMGJR9uaXMhf_LB-cae1OJa2dAUVkgDpdBzvdQ/w640-h310/bbot_7.gif)]()

### **BBOT** is a **recursive**, **modular** OSINT framework written in Python.

It is capable of executing the entire OSINT process in a single command, including subdomain enumeration, port scanning, web screenshots (with its `gowitness` module), [vulnerability scanning]( “vulnerability scanning” ) (with `nuclei`), and much more.

BBOT currently has over **50 modules** and counting.

## Installation (pip)

pip install bbot

bbot –help

Prerequisites:

* Linux or WSL
* Python 3.9 or newer

## Installation (docker)

# bleeding edge (dev)
docker run blacklanternsecurity/bbot –help

# stable
docker run blacklanternsecurity/bbot:stable –help

# note: alternatively there is a helper script that will map docker volumes to persist your BBOT scan data:
./bbot-docker.sh –help

If you need help with installation, please refer to the [wiki]( “wiki” ).

## Scanning with BBOT

Note: the `httpx` module is recommended in most scans because it is [used by BBOT to visit webpages]( “used by BBOT to visit webpages” ).

### Examples

# list modules
bbot -l

# subdomain enumeration
bbot –flags subdomain-enum –modules httpx –targets evilcorp.com

# passive modules only
bbot –flags passive –targets evilcorp.com

# web screenshots with gowitness
bbot -m naabu httpx gowitness –name my_scan –output-dir . -t subdomains.txt

# web scan
bbot -f web-basic -t www.evilcorp.com

# web spider (search for emails, etc.)
bbot -m httpx -c web_spider_distance=2 web_spider_depth=2 -t www.evilcorp.com

# everything at once because yes
bbot -f subdomain-enum web-basic -m naabu gowitness -c web_spider_distance=2 web_spider_depth=2 -t evilcorp.com

### Targets

In BBOT, targets are used to seed a scan. You can specify any number of targets, and if you require more granular control over scope, you can also use whitelists and blacklists.

# multiple targets
bbot -t evilcorp.com evilcorp.co.uk 1.2.3.0/24 targets.txt

# seed a scan with two domains, but only consider assets to be in scope if they are inside 1.2.3.0/24
bbot -t evilcorp.com evilcorp.co.uk –whitelist 1.2.3.0/24 –blacklist test.evilcorp.com 1.2.3.4

Visit the wiki for more [tips and tricks]( “tips and tricks” ), including details on how BBOT handles scope, and how to tweak it if you need to.

## Using BBOT as a Python library

from bbot.scanner import Scanner

# any number of targets can be specified
scan = Scanner(“evilcorp.com”, “1.2.3.0/24”, modules=[“naabu”])
for event in scan.start():
print(event)

# Output

BBOT can output to TXT, JSON, CSV, Neo4j, and more with `–output-module`. You can output to multiple formats simultaneously.

# tee to a file
bbot -f subdomain-enum -t evilcorp.com | tee evilcorp.txt

# output to JSON
bbot –output-module json -f subdomain-enum -t evilcorp.com | jq

# output to CSV, TXT, and JSON, in current directory
bbot -o . –output-module human csv json -f subdomain-enum -t evilcorp.com

For every scan, BBOT generates a unique and mildly-entertaining name like `fuzzy_gandalf`. Output for that scan, including the word cloud and any gowitness screenshots, etc., are saved to a folder by that name in `~/.bbot/scans`. The most recent 20 scans are kept, and older ones are removed. You can change the location of BBOT’s output with `–output`, and you can also pick a custom scan name with `–name`.

If you reuse a scan name, it will append to its original output files and leverage the previous word cloud.

# Neo4j

Neo4j is the funnest (and prettiest) way to view and interact with BBOT data.

[]( “OSINT automation for hackers. (12)” )[![](https://blogger.googleusercontent.com/img/a/AVvXsEi9XX12fGXLTfj2ChxrZmqXg39OKGHEuhv2YSjVLfQ5PEWoyRIKEmBqzwwbrWPJ77UcMnjd-2I2Ca9U6pD0f70cTi2F-b_W_bMScXCpRinPRkfsZo2hUBMqj6g6_JsyEg12Ddnp9-mPtcEgNpJzVJH9X7q3JBPQ87DUJ50iTuXfAtabeb-ELQLqRfOGPQ=w640-h384)]()

* You can get Neo4j up and running with a single docker command:

docker run -p 7687:7687 -p 7474:7474 –env NEO4J_AUTH=neo4j/bbotislife neo4j

* After that, run bbot with `–output-modules neo4j`

bbot -f subdomain-enum -t evilcorp.com –output-modules human neo4j

* Browse data at

# Usage

$ bbot –help
usage: bbot [-h] [–help-all] [-t TARGET [TARGET …]] [-w WHITELIST [WHITELIST …]] [-b BLACKLIST [BLACKLIST …]] [–strict-scope] [-n SCAN_NAME] [-m MODULE [MODULE …]] [-l] [-em MODULE [MODULE …]]
[-f FLAG [FLAG …]] [-rf FLAG [FLAG …]] [-ef FLAG [FLAG …]] [-om MODULE [MODULE …]] [-o DIR] [-c [CONFIG …]] [–allow-deadly] [-v] [-d] [-s] [–force] [-y] [–dry-run] [–current-config]
[–save-wordcloud FILE] [–load-wordcloud FILE] [–no-deps | –force-deps | –retry-deps | –ignore-failed-deps | –install-all-deps] [-a] [–version]

Bighuge BLS OSINT Tool

options:
-h, –help show this help message and exit
–help-all Display full help including module config options
-n SCAN_NAME, –name SCAN_NAME
Name of scan (default: random)
-m MODULE [MODULE …], –modules MODULE [MODULE …]
Modules to enable. Choices: affiliates,asn,azure_tenant,binaryedge,builtwith,bypass403,c99,censys,certspotter,cookie_brute,crobat,crt,dnscommonsrv,dnsdumpster,dnszonetransfer,emailformat,ffuf,ffuf_shortnames,fullhunt,generic_ssrf,getparam_brute,github,gowitness,hackertarget,header_brute,host_header,httpx,hunt,hunterio,iis_shortnames,ipneighbor,leakix,massdns,naabu,ntlm,nuclei,otx,passivetotal,pgp,rapiddns,riddler,securitytrails,shodan_dns,skymem,smuggler,sslcert,sublist3r,telerik,threatminer,urlscan,vhost,viewdns,virustotal,wappalyzer,wayback,zoomeye
-l, –list-modules List available modules.
-em MODULE [MODULE …], –exclude-modules MODULE [MODULE …]
Exclude these modules.
-f FLAG [FLAG …], –flags FLAG [FLAG …]
Enable modules by flag. Choices: active,aggressive,brute-force,deadly,email-enum,iis-shortnames,passive,portscan,report,safe,slow,subdomain-enum,web-advanced,web-basic,web-paramminer,web-screenshots
-rf FLAG [FLAG …], –require-flags FLAG [FLAG …]
Disable modules that don’t have these flags (e.g. –require-flags passive)
-ef FLAG [FLAG …], –exclude-flags FLAG [FLAG …]
Disable modules with these flags. (e.g. –exclude-flags brute-force)
-om MODULE [MODULE …], –output-modules MODULE [MODULE …]
Output module(s). Choices: csv,http,human,json,neo4j,websocket
-o DIR, –output-dir DIR
-c [CONFIG …], –config [CONFIG …]
custom config file, or configuration options in key=value format: ‘modules.shodan.api_key=1234’
–allow-deadly Enable the use of highly aggressive modules
-v, –verbose Be more verbose
-d, –debug Enable debugging
-s, –silent Be quiet
–force Run scan even if module setups fail
-y, –yes Skip scan confirmation prompt
–dry-run Abort before executing scan
–current-config Show current config in YAML format

Target:
-t TARGET [TARGET …], –targets TARGET [TARGET …]
Targets to seed the scan
-w WHITELIST [WHITELIST …], –whitelist WHITELIST [WHITELIST …]
What’s considered in-scope (by default it’s the same as –targets)
-b BLACKLIST [BLACKLIST …], –blacklist BLACKLIST [BLACKLIST …]
Don’t touch these things
–strict-scope Don’t consider subdomains of target/whitelist to be in-scope

Word cloud:
Save/load wordlist of common words gathered during a scan

–save-wordcloud FILE
Output wordcloud to custom file when the scan completes
–load-wordcloud FILE
Load wordcloud from a custom file

Module dependencies:
Control how modules install their dependencies

–no-deps Don’t install module dependencies
–force-deps Force install all module dependencies
–retry-deps Try again to install failed module dependencies
–ignore-failed-deps Run modules even if they have failed dependencies
–install-all-deps Install dependencies for all modules

Agent:
Report back to a central server

-a, –agent-mode Start in agent mode

Misc:
–version show BBOT version and exit

# BBOT Config

BBOT loads its config from these places in the following order:

* `~/.config/bbot/defaults.yml`
* `~/.config/bbot/bbot.yml` <– Use this one as your main config
* `~/.config/bbot/secrets.yml` <– Use this one for sensitive stuff like API keys
* command line (via `–config`)

These config files will be automatically created for you when you first run BBOT.

Command-line arguments take precedence over all others. You can give BBOT a custom config file with `–config myconf.yml`, or individual arguments like this: `–config http_proxy=https://127.0.0.1:8080 modules.shodan_dns.api_key=1234`. To display the full and current BBOT config, including any command-line arguments, use `bbot –current-config`.

For explanations of config options, see `defaults.yml` or the [wiki]( “wiki” )

# Modules

### Note: You can find more fun and interesting modules at the [Module Playground]( “Module Playground” ). For instructions on how to install these other modules, see the [wiki]( “wiki” ).

To view a full list of module config options, use `–help-all`.

# Credit

BBOT is written by @TheTechromancer. Web hacking in BBOT is made possible by @liquidsec, who wrote most of the web-oriented modules and helpers.

Very special thanks to the following people who made BBOT possible:

* @kerrymilan for his Neo4j and Ansible expertise
* Steve Micallef (@smicallef) for creating Spiderfoot, by which BBOT is heavily inspired
* Aleksei Kornev (@alekseiko) for allowing us ownership of the bbot Pypi repository <3

**[Download Bbot]( “Download Bbot” )**Read More

References

Back to Main

Subscribe for the latest news: