blacklanternsecurity/bbot

BEE·bot is a multipurpose scanner inspired by Spiderfoot, built to automate your Recon, Bug Bounties, and ASM!

https://github.com/blacklanternsecurity/bbot/assets/20261699/e539e89b-92ea-46fa-b893-9cde94eebf81

A BBOT scan in real-time - visualization with VivaGraphJS

Installation

# stable version
pipx install bbot

# bleeding edge (dev branch)
pipx install --pip-args '\--pre' bbot

For more installation methods, including Docker, see Getting Started

Example Commands

1) Subdomain Finder

Passive API sources plus a recursive DNS brute-force with target-specific subdomain mutations.

# find subdomains of evilcorp.com
bbot -t evilcorp.com -p subdomain-enum

# passive sources only
bbot -t evilcorp.com -p subdomain-enum -rf passive

subdomain-enum.yml

```yaml description: Enumerate subdomains via APIs, brute-force flags: # enable every module with the subdomain-enum flag - subdomain-enum output_modules: # output unique subdomains to TXT file - subdomains config: dns: threads: 25 brute_threads: 1000 # put your API keys here # modules: # github: # api_key: "" # chaos: # api_key: "" # securitytrails: # api_key: "" ```

BBOT consistently finds 20-50% more subdomains than other tools. The bigger the domain, the bigger the difference. To learn how this is possible, see How It Works.

subdomain-stats-ebay

2) Web Spider

# crawl evilcorp.com, extracting emails and other goodies
bbot -t evilcorp.com -p spider

spider.yml

```yaml description: Recursive web spider modules: - httpx config: web: # how many links to follow in a row spider_distance: 2 # don't follow links whose directory depth is higher than 4 spider_depth: 4 # maximum number of links to follow per page spider_links_per_page: 25 ```

3) Email Gatherer

# quick email enum with free APIs + scraping
bbot -t evilcorp.com -p email-enum

# pair with subdomain enum + web spider for maximum yield
bbot -t evilcorp.com -p email-enum subdomain-enum spider

email-enum.yml

```yaml description: Enumerate email addresses from APIs, web crawling, etc. flags: - email-enum output_modules: - emails ```

4) Web Scanner

# run a light web scan against www.evilcorp.com
bbot -t www.evilcorp.com -p web-basic

# run a heavy web scan against www.evilcorp.com
bbot -t www.evilcorp.com -p web-thorough

web-basic.yml

```yaml description: Quick web scan include: - iis-shortnames flags: - web-basic ```

web-thorough.yml

```yaml description: Aggressive web scan include: # include the web-basic preset - web-basic flags: - web-thorough ```

5) Everything Everywhere All at Once

# everything everywhere all at once
bbot -t evilcorp.com -p kitchen-sink

# roughly equivalent to:
bbot -t evilcorp.com -p subdomain-enum cloud-enum code-enum email-enum spider web-basic paramminer dirbust-light web-screenshots

kitchen-sink.yml

```yaml description: Everything everywhere all at once include: - subdomain-enum - cloud-enum - code-enum - email-enum - spider - web-basic - paramminer - dirbust-light - web-screenshots - baddns-thorough config: modules: baddns: enable_references: True ```

How it Works

Click the graph below to explore the inner workings of BBOT.

BBOT as a Python Library

Synchronous

from bbot.scanner import Scanner

if __name__ == "__main__":
    scan = Scanner("evilcorp.com", presets=["subdomain-enum"])
    for event in scan.start():
        print(event)

Asynchronous

from bbot.scanner import Scanner

async def main():
    scan = Scanner("evilcorp.com", presets=["subdomain-enum"])
    async for event in scan.async_start():
        print(event.json())

if __name__ == "__main__":
    import asyncio
    asyncio.run(main())

SEE: This Nefarious Discord Bot

A [BBOT Discord Bot](https://www.blacklanternsecurity.com/bbot/Stable/dev/#discord-bot-example) that responds to the `/scan` command. Scan the internet from the comfort of your discord server! ![bbot-discord](https://github.com/blacklanternsecurity/bbot/assets/20261699/22b268a2-0dfd-4c2a-b7c5-548c0f2cc6f9)

Feature Overview

Support for Multiple Targets
Web Screenshots
Suite of Offensive Web Modules
NLP-powered Subdomain Mutations
Native Output to Neo4j (and more)
Automatic dependency install with Ansible
Search entire attack surface with custom YARA rules
Python API + Developer Documentation

Targets

BBOT accepts an unlimited number of targets via -t. You can specify targets either directly on the command line or in files (or both!):

bbot -t evilcorp.com evilcorp.org 1.2.3.0/24 -p subdomain-enum

Targets can be any of the following:

DNS_NAME (evilcorp.com)
IP_ADDRESS (1.2.3.4)
IP_RANGE (1.2.3.0/24)
OPEN_TCP_PORT (192.168.0.1:80)
URL (https://www.evilcorp.com)

For more information, see Targets. To learn how BBOT handles scope, see Scope.

API Keys

Similar to Amass or Subfinder, BBOT supports API keys for various third-party services such as SecurityTrails, etc.

The standard way to do this is to enter your API keys in ~/.config/bbot/bbot.yml. Note that multiple API keys are allowed:

modules:
  shodan_dns:
    api_key: 4f41243847da693a4f356c0486114bc6
  c99:
    # multiple API keys
    api_key:
      - 21a270d5f59c9b05813a72bb41707266
      - ea8f243d9885cf8ce9876a580224fd3c
      - 5bc6ed268ab6488270e496d3183a1a27
  virustotal:
    api_key: dd5f0eee2e4a99b71a939bded450b246
  securitytrails:
    api_key: d9a05c3fd9a514497713c54b4455d0b0

If you like, you can also specify them on the command line:

bbot -c modules.virustotal.api_key=dd5f0eee2e4a99b71a939bded450b246

For details, see Configuration.

Complete Lists of Modules, Flags, etc.

Complete list of Modules.
Complete list of Flags.
Complete list of Presets.
- Complete list of Global Config Options.
- Complete list of Module Config Options.

Documentation

User Manual
- Basics
- Scanning
  - Scanning Overview
  - Presets
    - Overview
    - List of Presets
  - Events
  - Output
  - Tips and Tricks
  - Advanced Usage
  - Configuration
- Modules
- Misc
Developer Manual
- Development Overview
- Setting Up a Dev Environment
- BBOT Internal Architecture
- How to Write a BBOT Module
- Unit Tests
- Discord Bot Example
- Code Reference
  - Scanner
  - Presets
  - Event
  - Target
  - BaseModule
  - BBOTCore
  - Engine
  - Helpers
    - Overview
    - Command
    - DNS
    - Interactsh
    - Miscellaneous
    - Web
    - Word Cloud

Contribution

Some of the best BBOT modules were written by the community. BBOT is being constantly improved; every day it grows more powerful!

We welcome contributions. Not just code, but ideas too! If you have an idea for a new feature, please let us know in Discussions. If you want to get your hands dirty, see Contribution. There you can find setup instructions and a simple tutorial on how to write a BBOT module. We also have extensive Developer Documentation.

Thanks to these amazing people for contributing to BBOT! :heart:

Special thanks to:

@TheTechromancer for creating BBOT
@liquidsec for his extensive work on BBOT's web hacking features, including badsecrets and baddns
Steve Micallef (@smicallef) for creating Spiderfoot
@kerrymilan for his Neo4j and Ansible expertise
@domwhewell-sage for his family of badass code-looting modules
@aconite33 and @amiremami for their ruthless testing
Aleksei Kornev (@alekseiko) for granting us ownership of the bbot Pypi repository <3