BBot | A Recursive Internet Scanner For Hackers

bbot_banner

BEE·bot

A Recursive Internet Scanner for Hackers.

Python Version License DEF CON Demo Labs 2023 PyPi Downloads Black Tests Codecov Discord

BBOT (Bighuge BLS OSINT Tool) is a recursive internet scanner inspired by Spiderfoot, but designed to be faster, more reliable, and friendlier to pentesters, bug bounty hunters, and developers.

Special features include:

  • Support for Multiple Targets
  • Web Screenshots
  • Suite of Offensive Web Modules
  • AI-powered Subdomain Mutations
  • Native Output to Neo4j (and more)
  • Python API + Developer Documentation

first-bbot-scan.mp4

A BBOT scan in real-time - visualization with VivaGraphJS

Quick Start Guide

Below are some short help sections to get you up and running.

**Installation ( Pip )**Installation ( Docker )

``

Example Usage

``

``

``

``

bbot-discord

Documentation - Table of Contents****Contribution

Comparison to Other Tools

BBOT consistently finds 20-50% more subdomains than other tools. The bigger the domain, the bigger the difference. To learn how this is possible, see How It Works.

subdomain-stats-ebay

BBOT Modules By Flag

For a full list of modules, including the data types consumed and emitted by each one, see List of Modules.

Flag # Modules Description Modules
safe 82 Non-intrusive, safe to run affiliates, aggregate, ajaxpro, anubisdb, asn, azure_realm, azure_tenant, baddns, baddns_zone, badsecrets, bevigil, binaryedge, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, builtwith, c99, censys, certspotter, chaos, code_repository, columbus, credshed, crobat, crt, dehashed, digitorus, dnscommonsrv, dnsdumpster, docker_pull, dockerhub, emailformat, filedownload, fingerprintx, fullhunt, git, git_clone, github_codesearch, github_org, github_workflows, gitlab, gowitness, hackertarget, httpx, hunt, hunterio, iis_shortnames, internetdb, ip2location, ipstack, leakix, myssl, newsletters, ntlm, oauth, otx, passivetotal, pgp, postman, rapiddns, riddler, robots, secretsdb, securitytrails, shodan_dns, sitedossier, skymem, social, sslcert, subdomaincenter, sublist3r, threatminer, trufflehog, urlscan, viewdns, virustotal, wappalyzer, wayback, zoomeye
passive 62 Never connects to target systems affiliates, aggregate, anubisdb, asn, azure_realm, azure_tenant, bevigil, binaryedge, bucket_file_enum, builtwith, c99, censys, certspotter, chaos, code_repository, columbus, credshed, crobat, crt, dehashed, digitorus, dnscommonsrv, dnsdumpster, docker_pull, dockerhub, emailformat, excavate, fullhunt, git_clone, github_codesearch, github_org, github_workflows, hackertarget, hunterio, internetdb, ip2location, ipneighbor, ipstack, leakix, massdns, myssl, otx, passivetotal, pgp, postman, rapiddns, riddler, securitytrails, shodan_dns, sitedossier, skymem, social, speculate, subdomaincenter, sublist3r, threatminer, trufflehog, urlscan, viewdns, virustotal, wayback, zoomeye
subdomain-enum 45 Enumerates subdomains anubisdb, asn, azure_realm, azure_tenant, baddns_zone, bevigil, binaryedge, builtwith, c99, censys, certspotter, chaos, columbus, crt, digitorus, dnscommonsrv, dnsdumpster, fullhunt, github_codesearch, github_org, hackertarget, httpx, hunterio, internetdb, ipneighbor, leakix, massdns, myssl, oauth, otx, passivetotal, postman, rapiddns, riddler, securitytrails, shodan_dns, sitedossier, sslcert, subdomaincenter, subdomains, threatminer, urlscan, virustotal, wayback, zoomeye
active 42 Makes active connections to target systems ajaxpro, baddns, baddns_zone, badsecrets, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, bypass403, dastardly, dotnetnuke, ffuf, ffuf_shortnames, filedownload, fingerprintx, generic_ssrf, git, gitlab, gowitness, host_header, httpx, hunt, iis_shortnames, masscan, newsletters, nmap, ntlm, nuclei, oauth, paramminer_cookies, paramminer_getparams, paramminer_headers, robots, secretsdb, smuggler, sslcert, telerik, url_manipulation, vhost, wafw00f, wappalyzer
web-thorough 29 More advanced web scanning functionality ajaxpro, azure_realm, badsecrets, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, bypass403, dastardly, dotnetnuke, ffuf_shortnames, filedownload, generic_ssrf, git, host_header, httpx, hunt, iis_shortnames, nmap, ntlm, oauth, robots, secretsdb, smuggler, sslcert, telerik, url_manipulation, wappalyzer
aggressive 20 Generates a large amount of network traffic bypass403, dastardly, dotnetnuke, ffuf, ffuf_shortnames, generic_ssrf, host_header, ipneighbor, masscan, massdns, nmap, nuclei, paramminer_cookies, paramminer_getparams, paramminer_headers, smuggler, telerik, url_manipulation, vhost, wafw00f
web-basic 17 Basic, non-intrusive web scan functionality azure_realm, baddns, badsecrets, bucket_amazon, bucket_azure, bucket_firebase, bucket_google, filedownload, git, httpx, iis_shortnames, ntlm, oauth, robots, secretsdb, sslcert, wappalyzer
cloud-enum 12 Enumerates cloud resources azure_realm, azure_tenant, baddns, baddns_zone, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, httpx, oauth
slow 10 May take a long time to complete bucket_digitalocean, dastardly, docker_pull, fingerprintx, git_clone, paramminer_cookies, paramminer_getparams, paramminer_headers, smuggler, vhost
affiliates 8 Discovers affiliated hostnames/domains affiliates, azure_realm, azure_tenant, builtwith, oauth, sslcert, viewdns, zoomeye
email-enum 7 Enumerates email addresses dehashed, emailformat, emails, hunterio, pgp, skymem, sslcert
deadly 4 Highly aggressive dastardly, ffuf, nuclei, vhost
portscan 3 Discovers open ports internetdb, masscan, nmap
web-paramminer 3 Discovers HTTP parameters through brute-force paramminer_cookies, paramminer_getparams, paramminer_headers
baddns 2 Runs all modules from the DNS auditing tool BadDNS baddns, baddns_zone
iis-shortnames 2 Scans for IIS Shortname vulnerability ffuf_shortnames, iis_shortnames
report 2 Generates a report at the end of the scan affiliates, asn
social-enum 2 Enumerates social media httpx, social
repo-enum 1 Enumerates code repositories code_repository
service-enum 1 Identifies protocols running on open ports fingerprintx
subdomain-hijack 1 Detects hijackable subdomains baddns
web-screenshots 1 Takes screenshots of web pages gowitness

BBOT Output Modules

BBOT can save its data to TXT, CSV, JSON, and tons of other destinations including Neo4j, Splunk, and Discord. For instructions on how to use these, see Output Modules.

Module Type Needs API Key Description Flags Consumed Events Produced Events
asset_inventory output No Merge hosts, open ports, technologies, findings, etc. into a single asset inventory CSV DNS_NAME, FINDING, HTTP_RESPONSE, IP_ADDRESS, OPEN_TCP_PORT, TECHNOLOGY, URL, VULNERABILITY, WAF IP_ADDRESS, OPEN_TCP_PORT
csv output No Output to CSV *
discord output No Message a Discord channel when certain events are encountered *
emails output No Output any email addresses found belonging to the target domain email-enum EMAIL_ADDRESS
http output No Send every event to a custom URL via a web request *
human output No Output to text *
json output No Output to Newline-Delimited JSON (NDJSON) *
neo4j output No Output to Neo4j *
python output No Output via Python API *
slack output No Message a Slack channel when certain events are encountered *
splunk output No Send every event to a splunk instance through HTTP Event Collector *
subdomains output No Output only resolved, in-scope subdomains subdomain-enum DNS_NAME, DNS_NAME_UNRESOLVED
teams output No Message a Teams channel when certain events are encountered *
web_report output No Create a markdown report with web assets FINDING, TECHNOLOGY, URL, VHOST, VULNERABILITY
websocket output No Output to websockets *

GitHub:

3 Likes