  • Stars: 4,389
  • Rank 9,764 (Top 0.2 %)
  • Language: Python
  • License: GNU General Publi...
  • Created over 2 years ago
  • Updated 2 months ago

Repository Details

A recursive internet scanner for hackers.

BEE·bot

OSINT automation for hackers.

pip install bbot

BBOT is a recursive, modular OSINT framework inspired by Spiderfoot.

BBOT can execute the entire OSINT process in a single command: subdomain enumeration, port scans, web screenshots (with gowitness), vulnerability scanning (with nuclei), and much more. BBOT has over 80 modules and counting.

Read our blog post to find out why BBOT is the most thorough subdomain enumeration tool available.

Installation (pip)

Note: installing in a virtualenv (e.g. via pipx) is recommended

# stable version
pip install bbot

# bleeding edge (dev branch)
pip install --pre bbot

bbot --help

Prerequisites:

  • Linux (Windows and macOS are not supported)
  • Python 3.9 or newer

Installation (Docker)

# bleeding edge (dev)
docker run -it blacklanternsecurity/bbot --help

# stable
docker run -it blacklanternsecurity/bbot:stable --help

# note: alternatively there is a helper script that will map docker volumes to persist your BBOT scan data:
./bbot-docker.sh --help

If you need help with installation, please refer to the wiki.

See also: Release History

Scanning with BBOT

Examples

# subdomains
bbot -t evilcorp.com -f subdomain-enum

# subdomains (passive only)
bbot -t evilcorp.com -f subdomain-enum -rf passive

# subdomains + port scan + web screenshots
bbot -t evilcorp.com -f subdomain-enum -m naabu gowitness -n my_scan -o .

# subdomains + basic web scan (wappalyzer, robots.txt, iis shortnames, etc.)
bbot -t evilcorp.com -f subdomain-enum web-basic

# subdomains + web spider (search for emails, etc.)
bbot -t evilcorp.com -f subdomain-enum -c web_spider_distance=2 web_spider_depth=2

# everything at once because yes
# subdomains + emails + cloud + port scan + non-intrusive web + web screenshots + nuclei
bbot -t evilcorp.com -f subdomain-enum email-enum cloud-enum web-basic -m naabu gowitness nuclei --allow-deadly

# list modules
bbot -l

Targets

Targets seed a scan with initial data. You can specify an unlimited number of targets, either directly on the command line or in files (or both!). Targets can be any of the following:

  • DNS_NAME (evilcorp.com)
  • IP_ADDRESS (1.2.3.4)
  • IP_RANGE (1.2.3.0/24)
  • URL (https://www.evilcorp.com)
  • EMAIL_ADDRESS ([email protected])

For example, the following scan is totally valid:

# multiple targets
bbot -t evilcorp.com evilcorp.co.uk http://www.evilcorp.cn 1.2.3.0/24 other_targets.txt

Whitelists / Blacklists

BBOT's whitelist determines what's considered to be in-scope. By default, the whitelist is simply your target. But if you want more granular scope control, you can override it with --whitelist (or add a --blacklist).

# seed a scan with two domains, but only consider assets to be in scope if they are inside 1.2.3.0/24
bbot -t evilcorp.com evilcorp.co.uk --whitelist 1.2.3.0/24 --blacklist test.evilcorp.com 1.2.3.4 blacklist.txt

Visit the wiki for more tips and tricks.
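
The scope rules described above (whitelist defaults to the targets, --whitelist overrides it, --blacklist removes entries, --strict-scope drops subdomains) can be modelled in a few lines to check an asset list before a scan. This is an added example, not BBOT's own code. It assumes that blacklist entries take precedence and also cover subdomains, and that a DNS name counts as in scope when one of its caller-supplied resolved IPs is whitelisted. The class and function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

_NETS = (ipaddress.IPv4Network, ipaddress.IPv6Network)


def parse_entry(entry):
    """Normalise a target/whitelist/blacklist entry.

    IPs and CIDR ranges become ip_network objects, URLs are reduced to their
    host, and everything else is treated as a lower-cased DNS name.
    """
    if "://" in entry:
        entry = urlsplit(entry).hostname or entry
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return entry.lower().rstrip(".")


def covers(entry, item, include_subdomains):
    """True if one scope entry covers one parsed host or address."""
    if isinstance(entry, _NETS):
        return (isinstance(item, _NETS)
                and item.version == entry.version
                and item.subnet_of(entry))
    if isinstance(item, _NETS):
        return False
    # Match on a label boundary so "notevilcorp.com" is not "evilcorp.com".
    return item == entry or (include_subdomains and item.endswith("." + entry))


class Scope:
    """Hypothetical model of the scope options; not BBOT's implementation."""

    def __init__(self, targets, whitelist=None, blacklist=None, strict_scope=False):
        # By default the whitelist is simply the target list.
        self.whitelist = [parse_entry(e) for e in (whitelist or targets)]
        self.blacklist = [parse_entry(e) for e in (blacklist or [])]
        self.strict_scope = strict_scope

    def in_scope(self, host, resolved_ips=()):
        # No DNS lookups happen here: resolved_ips is supplied by the caller.
        candidates = [parse_entry(host)] + [parse_entry(ip) for ip in resolved_ips]
        # Assumption: the blacklist always wins and includes subdomains.
        if any(covers(b, c, True) for b in self.blacklist for c in candidates):
            return False
        return any(covers(w, c, not self.strict_scope)
                   for w in self.whitelist for c in candidates)


def review(scope, discovered):
    """Map each discovered host to its in-scope verdict."""
    return {host: scope.in_scope(host, ips) for host, ips in discovered.items()}


# The whitelist/blacklist command from this section, expressed as a Scope.
PAGE_SCOPE = Scope(
    targets=["evilcorp.com", "evilcorp.co.uk"],
    whitelist=["1.2.3.0/24"],
    blacklist=["test.evilcorp.com", "1.2.3.4"],
)

# Constructed sample data: host -> resolved addresses.
DISCOVERED = {
    "www.evilcorp.com": ["1.2.3.77"],
    "test.evilcorp.com": ["1.2.3.78"],
    "mail.evilcorp.co.uk": ["203.0.113.9"],
    "1.2.3.4": [],
    "1.2.3.10": [],
}

if __name__ == "__main__":
    for host, verdict in review(PAGE_SCOPE, DISCOVERED).items():
        print(f"{host:22} {'in scope' if verdict else 'OUT of scope'}")
```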

Using BBOT as a Python library

from bbot.scanner import Scanner

# any number of targets can be specified
scan = Scanner("evilcorp.com", "evilcorp.co.uk", modules=["httpx", "sslcert"])
for event in scan.start():
    print(event.json())

Output

By default, BBOT saves its output in TXT, JSON, and CSV formats. To enable more output modules, you can use --output-module.

# tee to a file
bbot -f subdomain-enum -t evilcorp.com | tee evilcorp.txt

# output to JSON
bbot --output-module json -f subdomain-enum -t evilcorp.com | jq

# output asset inventory in current directory
bbot -o . --output-module asset_inventory -f subdomain-enum -t evilcorp.com

For every scan, BBOT generates a unique and mildly-entertaining name like demonic_jimmy. Output for that scan, including the word cloud and any gowitness screenshots, is saved to a folder by that name in ~/.bbot/scans. The most recent 20 scans are kept, and older ones are removed. You can change the location of BBOT's output with --output, and you can also pick a custom scan name with --name.

If you reuse a scan name, it will append to its original output files and leverage the previous word cloud.

Neo4j

Neo4j is the funnest (and prettiest) way to view and interact with BBOT data.

  • You can get Neo4j up and running with a single docker command:
      docker run -p 7687:7687 -p 7474:7474 -v "$(pwd)/data/:/data/" -e NEO4J_AUTH=neo4j/bbotislife neo4j
  • After that, run bbot with --output-modules neo4j:
      bbot -f subdomain-enum -t evilcorp.com --output-modules neo4j

Usage

$ bbot --help
usage: bbot [-h] [--help-all] [-t TARGET [TARGET ...]] [-w WHITELIST [WHITELIST ...]] [-b BLACKLIST [BLACKLIST ...]] [--strict-scope] [-n SCAN_NAME] [-m MODULE [MODULE ...]] [-l] [-em MODULE [MODULE ...]]
            [-f FLAG [FLAG ...]] [-rf FLAG [FLAG ...]] [-ef FLAG [FLAG ...]] [-om MODULE [MODULE ...]] [-o DIR] [-c [CONFIG ...]] [--allow-deadly] [-v] [-d] [-s] [--force] [-y] [--dry-run] [--current-config]
            [--save-wordcloud FILE] [--load-wordcloud FILE] [--no-deps | --force-deps | --retry-deps | --ignore-failed-deps | --install-all-deps] [-a] [--version]

Bighuge BLS OSINT Tool

options:
  -h, --help            show this help message and exit
  --help-all            Display full help including module config options
  -n SCAN_NAME, --name SCAN_NAME
                        Name of scan (default: random)
  -m MODULE [MODULE ...], --modules MODULE [MODULE ...]
                        Modules to enable. Choices: affiliates,anubisdb,asn,azure_tenant,badsecrets,bevigil,binaryedge,bucket_aws,bucket_azure,bucket_digitalocean,bucket_firebase,bucket_gcp,builtwith,bypass403,c99,censys,certspotter,crobat,crt,dnscommonsrv,dnsdumpster,dnszonetransfer,emailformat,ffuf,ffuf_shortnames,fingerprintx,fullhunt,generic_ssrf,github,gowitness,hackertarget,host_header,httpx,hunt,hunterio,iis_shortnames,ipneighbor,ipstack,leakix,masscan,massdns,naabu,ntlm,nuclei,otx,paramminer_cookies,paramminer_getparams,paramminer_headers,passivetotal,pgp,rapiddns,riddler,robots,secretsdb,securitytrails,shodan_dns,skymem,smuggler,social,sslcert,subdomain_hijack,sublist3r,telerik,threatminer,url_manipulation,urlscan,vhost,viewdns,virustotal,wafw00f,wappalyzer,wayback,zoomeye
  -l, --list-modules    List available modules.
  -em MODULE [MODULE ...], --exclude-modules MODULE [MODULE ...]
                        Exclude these modules.
  -f FLAG [FLAG ...], --flags FLAG [FLAG ...]
                        Enable modules by flag. Choices: active,affiliates,aggressive,cloud-enum,deadly,email-enum,iis-shortnames,passive,portscan,report,safe,service-enum,slow,social-enum,subdomain-enum,subdomain-hijack,web-basic,web-paramminer,web-screenshots,web-thorough
  -rf FLAG [FLAG ...], --require-flags FLAG [FLAG ...]
                        Disable modules that don't have these flags (e.g. -rf passive)
  -ef FLAG [FLAG ...], --exclude-flags FLAG [FLAG ...]
                        Disable modules with these flags. (e.g. -ef aggressive)
  -om MODULE [MODULE ...], --output-modules MODULE [MODULE ...]
                        Output module(s). Choices: asset_inventory,csv,http,human,json,neo4j,python,web_report,websocket
  -o DIR, --output-dir DIR
  -c [CONFIG ...], --config [CONFIG ...]
                        custom config file, or configuration options in key=value format: 'modules.shodan.api_key=1234'
  --allow-deadly        Enable the use of highly aggressive modules
  -v, --verbose         Be more verbose
  -d, --debug           Enable debugging
  -s, --silent          Be quiet
  --force               Run scan even if module setups fail
  -y, --yes             Skip scan confirmation prompt
  --dry-run             Abort before executing scan
  --current-config      Show current config in YAML format

Target:
  -t TARGET [TARGET ...], --targets TARGET [TARGET ...]
                        Targets to seed the scan
  -w WHITELIST [WHITELIST ...], --whitelist WHITELIST [WHITELIST ...]
                        What's considered in-scope (by default it's the same as --targets)
  -b BLACKLIST [BLACKLIST ...], --blacklist BLACKLIST [BLACKLIST ...]
                        Don't touch these things
  --strict-scope        Don't consider subdomains of target/whitelist to be in-scope

Word cloud:
  Save/load wordlist of common words gathered during a scan

  --save-wordcloud FILE
                        Output wordcloud to custom file when the scan completes
  --load-wordcloud FILE
                        Load wordcloud from a custom file

Module dependencies:
  Control how modules install their dependencies

  --no-deps             Don't install module dependencies
  --force-deps          Force install all module dependencies
  --retry-deps          Try again to install failed module dependencies
  --ignore-failed-deps  Run modules even if they have failed dependencies
  --install-all-deps    Install dependencies for all modules

Agent:
  Report back to a central server

  -a, --agent-mode      Start in agent mode

Misc:
  --version             show BBOT version and exit

BBOT Config

BBOT loads its config from these places in the following order:

  • ~/.config/bbot/bbot.yml <-- Use this one as your main config
  • ~/.config/bbot/secrets.yml <-- Use this one for sensitive stuff like API keys
  • command line (--config)

These config files will be automatically created for you when you first run BBOT.

Command-line arguments take precedence over all others. You can give BBOT a custom config file with --config myconf.yml, or individual arguments like this: --config http_proxy=http://127.0.0.1:8080 modules.shodan_dns.api_key=1234. To display the full and current BBOT config, including any command-line arguments, use bbot --current-config.

Note that placing the following in bbot.yml:

modules:
  shodan:
    api_key: deadbeef

Is the same as:

bbot --config modules.shodan.api_key=deadbeef

For explanations of config options, see defaults.yml or the wiki.
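
The load order and the dotted key=value form described in this section can be reproduced to preview which value wins and to spot API keys that sit in bbot.yml instead of secrets.yml. This is an added example, not BBOT's own loader. It assumes layers are deep-merged and that command-line values stay strings, and it works on already-parsed dictionaries so it needs no YAML library. The function names and sample values are hypothetical.

```python
import copy


def parse_cli_option(option):
    """Turn 'modules.shodan.api_key=deadbeef' into the equivalent nested dict."""
    key, sep, value = option.partition("=")  # split on the first '=' only
    if not sep or not key:
        raise ValueError(f"expected key=value, got {option!r}")
    parts = key.split(".")
    root = node = {}
    for part in parts[:-1]:
        node[part] = {}
        node = node[part]
    node[parts[-1]] = value
    return root


def deep_merge(base, override):
    """Return base updated with override; nested dicts are merged, not replaced."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def effective_config(bbot_yml, secrets_yml, cli_options):
    """Apply the layers in the documented order; the command line wins."""
    config = deep_merge(bbot_yml, secrets_yml)
    for option in cli_options:
        config = deep_merge(config, parse_cli_option(option))
    return config


def find_misplaced_secrets(config, secret_names=("api_key",), _path=()):
    """List dotted paths of secret-looking keys found in a config layer.

    Run it on the bbot.yml layer: anything reported belongs in secrets.yml.
    """
    hits = []
    for key, value in config.items():
        path = _path + (key,)
        if isinstance(value, dict):
            hits.extend(find_misplaced_secrets(value, secret_names, path))
        elif key in secret_names and value:
            hits.append(".".join(path))
    return hits


# Constructed sample layers (parsed YAML represented as plain dicts).
BBOT_YML = {
    "http_proxy": "http://10.0.0.1:3128",
    "modules": {"shodan": {"api_key": "deadbeef"}},
}
SECRETS_YML = {"modules": {"shodan_dns": {"api_key": "from_secrets_file"}}}
CLI = ["http_proxy=http://127.0.0.1:8080", "modules.shodan_dns.api_key=1234"]

if __name__ == "__main__":
    print(effective_config(BBOT_YML, SECRETS_YML, CLI))
    print("move to secrets.yml:", find_misplaced_secrets(BBOT_YML))
```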

Modules

Note: You can find more fun and interesting modules at the Module Playground. For instructions on how to install these other modules, see the wiki.

To see modules' options (how to change wordlists, thread count, etc.), use --help-all.

+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| Module               | Type     | Needs   | Description                              | Flags                                    | Produced Events                          |
|                      |          | API     |                                          |                                          |                                          |
|                      |          | Key     |                                          |                                          |                                          |
+======================+==========+=========+==========================================+==========================================+==========================================+
| badsecrets           | scan     |         | Library for detecting known or weak      | active,safe,web-basic,web-thorough       | FINDING,VULNERABILITY                    |
|                      |          |         | secrets across many web frameworks       |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| bucket_aws           | scan     |         | Check for S3 buckets related to target   | active,cloud-enum,safe,web-basic,web-    | FINDING,STORAGE_BUCKET                   |
|                      |          |         |                                          | thorough                                 |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| bucket_azure         | scan     |         | Check for Azure storage blobs related to | active,cloud-enum,safe,web-basic,web-    | FINDING,STORAGE_BUCKET                   |
|                      |          |         | target                                   | thorough                                 |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| bucket_digitalocean  | scan     |         | Check for DigitalOcean spaces related to | active,cloud-enum,safe,slow,web-thorough | FINDING,STORAGE_BUCKET                   |
|                      |          |         | target                                   |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| bucket_firebase      | scan     |         | Check for open Firebase databases        | active,cloud-enum,safe,web-basic,web-    | FINDING,STORAGE_BUCKET                   |
|                      |          |         | related to target                        | thorough                                 |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| bucket_gcp           | scan     |         | Check for Google object storage related  | active,cloud-enum,safe,web-basic,web-    | FINDING,STORAGE_BUCKET                   |
|                      |          |         | to target                                | thorough                                 |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| bypass403            | scan     |         | Check 403 pages for common bypasses      | active,aggressive,web-thorough           | FINDING                                  |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| dnszonetransfer      | scan     |         | Attempt DNS zone transfers               | active,safe,subdomain-enum               | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| ffuf                 | scan     |         | A fast web fuzzer written in Go          | active,aggressive,deadly                 | URL_UNVERIFIED                           |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| ffuf_shortnames      | scan     |         | Use ffuf in combination IIS shortnames   | active,aggressive,iis-shortnames,web-    | URL_UNVERIFIED                           |
|                      |          |         |                                          | thorough                                 |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| fingerprintx         | scan     |         | Fingerprint exposed services like RDP,   | active,safe,service-enum,slow            | PROTOCOL                                 |
|                      |          |         | SSH, MySQL, etc.                         |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| generic_ssrf         | scan     |         | Check for generic SSRFs                  | active,aggressive,web-thorough           | VULNERABILITY                            |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| gowitness            | scan     |         | Take screenshots of webpages             | active,safe,web-screenshots              | TECHNOLOGY,URL,URL_UNVERIFIED,WEBSCREENS |
|                      |          |         |                                          |                                          | HOT                                      |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| host_header          | scan     |         | Try common HTTP Host header spoofing     | active,aggressive,web-thorough           | FINDING                                  |
|                      |          |         | techniques                               |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| httpx                | scan     |         | Visit webpages. Many other modules rely  | active,cloud-enum,safe,social-           | HTTP_RESPONSE,URL                        |
|                      |          |         | on httpx                                 | enum,subdomain-enum,web-basic,web-       |                                          |
|                      |          |         |                                          | thorough                                 |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| hunt                 | scan     |         | Watch for commonly-exploitable HTTP      | active,safe,web-basic,web-thorough       | FINDING                                  |
|                      |          |         | parameters                               |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| iis_shortnames       | scan     |         | Check for IIS shortname vulnerability    | active,iis-shortnames,safe,web-          | URL_HINT                                 |
|                      |          |         |                                          | basic,web-thorough                       |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| masscan              | scan     |         | Port scan IP subnets with masscan        | active,aggressive,portscan               | OPEN_TCP_PORT                            |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| naabu                | scan     |         | Execute port scans with naabu            | active,aggressive,portscan,web-thorough  | OPEN_TCP_PORT                            |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| ntlm                 | scan     |         | Watch for HTTP endpoints that support    | active,safe,web-basic,web-thorough       | DNS_NAME,FINDING                         |
|                      |          |         | NTLM authentication                      |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| nuclei               | scan     |         | Fast and customisable vulnerability      | active,aggressive,deadly                 | FINDING,VULNERABILITY                    |
|                      |          |         | scanner                                  |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| paramminer_cookies   | scan     |         | Smart brute-force to check for common    | active,aggressive,slow,web-paramminer    | FINDING                                  |
|                      |          |         | HTTP cookie parameters                   |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| paramminer_getparams | scan     |         | Use smart brute-force to check for       | active,aggressive,slow,web-paramminer    | FINDING                                  |
|                      |          |         | common HTTP GET parameters               |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| paramminer_headers   | scan     |         | Use smart brute-force to check for       | active,aggressive,slow,web-paramminer    | FINDING                                  |
|                      |          |         | common HTTP header parameters            |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| robots               | scan     |         | Look for and parse robots.txt            | active,safe,web-basic,web-thorough       | URL_UNVERIFIED                           |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| secretsdb            | scan     |         | Detect common secrets with secrets-      | active,safe,web-basic,web-thorough       | FINDING                                  |
|                      |          |         | patterns-db                              |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| smuggler             | scan     |         | Check for HTTP smuggling                 | active,aggressive,slow,web-thorough      | FINDING                                  |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| social               | scan     |         | Look for social media links in webpages  | active,safe,social-enum                  | SOCIAL                                   |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| sslcert              | scan     |         | Visit open ports and retrieve SSL        | active,affiliates,email-                 | DNS_NAME,EMAIL_ADDRESS                   |
|                      |          |         | certificates                             | enum,safe,subdomain-enum,web-basic,web-  |                                          |
|                      |          |         |                                          | thorough                                 |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| subdomain_hijack     | scan     |         | Detect hijackable subdomains             | active,cloud-enum,safe,subdomain-        | FINDING                                  |
|                      |          |         |                                          | enum,subdomain-hijack,web-basic,web-     |                                          |
|                      |          |         |                                          | thorough                                 |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| telerik              | scan     |         | Scan for critical Telerik                | active,aggressive,slow,web-thorough      | FINDING,VULNERABILITY                    |
|                      |          |         | vulnerabilities                          |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| url_manipulation     | scan     |         | Attempt to identify URL parsing/routing  | active,aggressive,web-thorough           | FINDING                                  |
|                      |          |         | based vulnerabilities                    |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| vhost                | scan     |         | Fuzz for virtual hosts                   | active,aggressive,deadly,slow            | DNS_NAME,VHOST                           |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| wafw00f              | scan     |         | Web Application Firewall Fingerprinting  | active,aggressive                        | WAF                                      |
|                      |          |         | Tool                                     |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| wappalyzer           | scan     |         | Extract technologies from web responses  | active,safe,web-basic,web-thorough       | TECHNOLOGY                               |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| affiliates           | scan     |         | Summarize affiliate domains at the end   | passive,report,safe                      |                                          |
|                      |          |         | of a scan                                |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| anubisdb             | scan     |         | Query jldc.me's database for subdomains  | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| asn                  | scan     |         | Query ripe and bgpview.io for ASNs       | passive,report,safe,subdomain-enum       | ASN                                      |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| azure_tenant         | scan     |         | Query Azure for tenant sister domains    | affiliates,passive,safe,subdomain-enum   | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| bevigil              | scan     | X       | Retrieve OSINT data from mobile          | passive,safe,subdomain-enum              | DNS_NAME,URL_UNVERIFIED                  |
|                      |          |         | applications using BeVigil               |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| binaryedge           | scan     | X       | Query the BinaryEdge API                 | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| builtwith            | scan     | X       | Query Builtwith.com for subdomains       | affiliates,passive,safe,subdomain-enum   | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| c99                  | scan     | X       | Query the C99 API for subdomains         | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| censys               | scan     | X       | Query the Censys API                     | email-enum,passive,safe,subdomain-enum   | DNS_NAME,EMAIL_ADDRESS,IP_ADDRESS,OPEN_P |
|                      |          |         |                                          |                                          | ORT,PROTOCOL                             |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| certspotter          | scan     |         | Query Certspotter's API for subdomains   | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| crobat               | scan     |         | Query Project Crobat for subdomains      | passive,safe                             | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| crt                  | scan     |         | Query crt.sh (certificate transparency)  | passive,safe,subdomain-enum              | DNS_NAME                                 |
|                      |          |         | for subdomains                           |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| dnscommonsrv         | scan     |         | Check for common SRV records             | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| dnsdumpster          | scan     |         | Query dnsdumpster for subdomains         | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| emailformat          | scan     |         | Query email-format.com for email         | email-enum,passive,safe                  | EMAIL_ADDRESS                            |
|                      |          |         | addresses                                |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| fullhunt             | scan     | X       | Query the fullhunt.io API for subdomains | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| github               | scan     | X       | Query Github's API for related           | passive,safe,subdomain-enum              | URL_UNVERIFIED                           |
|                      |          |         | repositories                             |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| hackertarget         | scan     |         | Query the hackertarget.com API for       | passive,safe,subdomain-enum              | DNS_NAME                                 |
|                      |          |         | subdomains                               |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| hunterio             | scan     | X       | Query hunter.io for emails               | email-enum,passive,safe,subdomain-enum   | DNS_NAME,EMAIL_ADDRESS,URL_UNVERIFIED    |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| ipneighbor           | scan     |         | Look beside IPs in their surrounding     | aggressive,passive,subdomain-enum        | IP_ADDRESS                               |
|                      |          |         | subnet                                   |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| ipstack              | scan     | X       | Query IPStack's API for GeoIP            | passive,safe                             | GEOLOCATION                              |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| leakix               | scan     |         | Query leakix.net for subdomains          | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| massdns              | scan     |         | Brute-force subdomains with massdns      | aggressive,passive,slow,subdomain-enum   | DNS_NAME                                 |
|                      |          |         | (highly effective)                       |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| otx                  | scan     |         | Query otx.alienvault.com for subdomains  | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| passivetotal         | scan     | X       | Query the PassiveTotal API for           | passive,safe,subdomain-enum              | DNS_NAME                                 |
|                      |          |         | subdomains                               |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| pgp                  | scan     |         | Query common PGP servers for email       | email-enum,passive,safe                  | EMAIL_ADDRESS                            |
|                      |          |         | addresses                                |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| rapiddns             | scan     |         | Query rapiddns.io for subdomains         | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| riddler              | scan     |         | Query riddler.io for subdomains          | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| securitytrails       | scan     | X       | Query the SecurityTrails API for         | passive,safe,subdomain-enum              | DNS_NAME                                 |
|                      |          |         | subdomains                               |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| shodan_dns           | scan     | X       | Query Shodan for subdomains              | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| skymem               | scan     |         | Query skymem.info for email addresses    | email-enum,passive,safe                  | EMAIL_ADDRESS                            |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| sublist3r            | scan     |         | Query sublist3r's API for subdomains     | passive,safe                             | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| threatminer          | scan     |         | Query threatminer's API for subdomains   | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| urlscan              | scan     |         | Query urlscan.io for subdomains          | passive,safe,subdomain-enum              | DNS_NAME,URL_UNVERIFIED                  |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| viewdns              | scan     |         | Query viewdns.info's reverse whois for   | affiliates,passive,safe                  | DNS_NAME                                 |
|                      |          |         | related domains                          |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| virustotal           | scan     | X       | Query VirusTotal's API for subdomains    | passive,safe,subdomain-enum              | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| wayback              | scan     |         | Query archive.org's API for subdomains   | passive,safe,subdomain-enum              | DNS_NAME,URL_UNVERIFIED                  |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| zoomeye              | scan     | X       | Query ZoomEye's API for subdomains       | affiliates,passive,safe,subdomain-enum   | DNS_NAME                                 |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| asset_inventory      | output   |         | Output to an asset inventory style       |                                          |                                          |
|                      |          |         | flattened CSV file                       |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| csv                  | output   |         | Output to CSV                            |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| http                 | output   |         | Send every event to a custom URL via a   |                                          |                                          |
|                      |          |         | web request                              |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| human                | output   |         | Output to text                           |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| json                 | output   |         | Output to JSON                           |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| neo4j                | output   |         | Output to Neo4j                          |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| python               | output   |         | Output via Python API                    |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| web_report           | output   |         | Create a markdown report with web assets |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| websocket            | output   |         | Output to websockets                     |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| aggregate            | internal |         | Summarize statistics at the end of a     | passive,safe                             |                                          |
|                      |          |         | scan                                     |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| excavate             | internal |         | Passively extract juicy tidbits from     | passive                                  | URL_UNVERIFIED                           |
|                      |          |         | scan data                                |                                          |                                          |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+
| speculate            | internal |         | Derive certain event types from others   | passive                                  | DNS_NAME,FINDING,IP_ADDRESS,OPEN_TCP_POR |
|                      |          |         | by common sense                          |                                          | T                                        |
+----------------------+----------+---------+------------------------------------------+------------------------------------------+------------------------------------------+

Credit

BBOT is written by @TheTechromancer. Web hacking in BBOT is made possible by @liquidsec, who wrote most of the web modules and helpers.

Very special thanks to the following people who made BBOT possible:

  • @kerrymilan for his Neo4j and Ansible expertise
  • Steve Micallef (@smicallef) for creating Spiderfoot
  • Aleksei Kornev (@alekseiko) for allowing us ownership of the bbot PyPI repository <3
