Knowledge Base

bbot

4 min read

bbot

The recursive internet scanner for hackers.

  ______  _____   ____ _______
 |  ___ \|  __ \ / __ \__   __|
 | |___) | |__) | |  | | | |
 |  ___ <|  __ <| |  | | | |
 | |___) | |__) | |__| | | |
 |______/|_____/ \____/  |_|
 BIGHUGE BLS OSINT TOOL v2.5.0

Usage

Usage: bbot [options]

As a container:

docker run --rm -it \
  -v "$HOME/.bbot/scans:/root/.bbot/scans" \
  -v "$PWD/my_preset.yml:/my_preset.yml" \
  blacklanternsecurity/bbot -p /my_preset.yml

Options

Target

OptionDescription
-t, --targets TARGET [TARGET ...]Targets to seed the scan
-w, --whitelist WHITELIST [WHITELIST ...]What’s considered in-scope (default same as --targets)
-b, --blacklist BLACKLIST [BLACKLIST ...]Don’t touch these things
--strict-scopeDon’t consider subdomains of target/whitelist to be in-scope

Presets

OptionDescription
-p, --preset [PRESET ...]Enable BBOT preset(s)
-c, --config [CONFIG ...]Custom config options in key=value format (e.g., modules.shodan.api_key=1234)
-lp, --list-presetsList available presets

Modules

OptionDescription
-m, --modules MODULE [MODULE ...]Modules to enable. Choices include: affiliates, ajaxpro, anubisdb, apkpure, asn, azure_realm, azure_tenant, baddns, baddns_direct, baddns_zone, badsecrets, bevigil, binaryedge, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, bufferoverrun, builtwith, bypass403, c99, censys, certspotter, chaos, code_repository, credshed, crt, crt_db, dehashed, digitorus, dnsbimi, dnsbrute, dnsbrute_mutations, dnscaa, dnscommonsrv, dnsdumpster, dnstlsrpt, docker_pull, dockerhub, dotnetnuke, emailformat, extractous, ffuf, ffuf_shortnames, filedownload, fingerprintx, fullhunt, generic_ssrf, git, git_clone, gitdumper, github_codesearch, github_org, github_usersearch, github_workflows, gitlab, google_playstore, gowitness, hackertarget, host_header, httpx, hunt, hunterio, iis_shortnames, ip2location, ipneighbor, ipstack, jadx, leakix, lightfuzz, medusa, myssl, newsletters, ntlm, nuclei, oauth, otx, paramminer_cookies, paramminer_getparams, paramminer_headers, passivetotal, pgp, portfilter, portscan, postman, postman_download, rapiddns, reflected_parameters, robots, securitytrails, securitytxt, shodan_dns, shodan_idb, sitedossier, skymem, smuggler, social, sslcert, subdomaincenter, subdomainradar, telerik, trickest, trufflehog, url_manipulation, urlscan, vhost, viewdns, virustotal, wafw00f, wappalyzer, wayback, wpscan, zoomeye
-l, --list-modulesList available modules
-lmo, --list-module-optionsShow all module config options
-em, --exclude-modules MODULE [MODULE ...]Exclude these modules
-f, --flags FLAG [FLAG ...]Enable modules by flag. Choices include: active, affiliates, aggressive, baddns, cloud-enum, code-enum, deadly, email-enum, iis-shortnames, passive, portscan, safe, service-enum, slow, social-enum, subdomain-enum, subdomain-hijack, web-basic, web-paramminer, web-screenshots, web-thorough
-lf, --list-flagsList available flags
-rf, --require-flags FLAG [FLAG ...]Only enable modules with these flags (e.g. -rf passive)
-ef, --exclude-flags FLAG [FLAG ...]Disable modules with these flags (e.g. -ef aggressive)
--allow-deadlyEnable the use of highly aggressive modules

Scan

OptionDescription
-n, --name SCAN_NAMEName of scan (default: random)
-v, --verboseBe more verbose
-d, --debugEnable debugging
-s, --silentBe quiet
--forceRun scan even in the case of condition violations or failed module setups
-y, --yesSkip scan confirmation prompt
--fast-modeScan only the provided targets as fast as possible, with no extra discovery
--dry-runAbort before executing scan
--current-presetShow the current preset in YAML format
--current-preset-fullShow the current preset in its full form, including defaults
-mh, --module-help MODULEShow help for a specific module

Output

OptionDescription
-o, --output-dir DIRDirectory to output scan results
-om, --output-modules MODULE [MODULE ...]Output module(s). Choices: asset_inventory, csv, discord, emails, http, json, mysql, neo4j, nmap_xml, postgres, python, slack, splunk, sqlite, stdout, subdomains, teams, txt, web_parameters, web_report, websocket
-lo, --list-output-modulesList available output modules
--json, -jOutput scan data in JSON format
--brief, -brOutput only the data itself
--event-types EVENT_TYPES [EVENT_TYPES ...]Choose which event types to display
--exclude-cdn, -ecFilter out unwanted open ports on CDNs/WAFs (80,443 only)

Module dependencies

OptionDescription
--no-depsDon’t install module dependencies
--force-depsForce install all module dependencies
--retry-depsTry again to install failed module dependencies
--ignore-failed-depsRun modules even if they have failed dependencies
--install-all-depsInstall dependencies for all modules

Misc

OptionDescription
--versionShow BBOT version and exit
--proxy HTTP_PROXYUse this proxy for all HTTP requests
-H, --custom-headers CUSTOM_HEADERSList of custom headers as key-value pairs (header=value)
-C, --custom-cookies CUSTOM_COOKIESList of custom cookies as key-value pairs (cookie=value)
--custom-yara-rules, -cy CUSTOM_YARA_RULESAdd custom YARA rules to excavate
--user-agent, -ua USER_AGENTSet the user-agent for all HTTP requests

Examples

Subdomains: bbot -t evilcorp.com -p subdomain-enum

Subdomains (passive only): bbot -t evilcorp.com -p subdomain-enum -rf passive

Subdomains + port scan + web screenshots: bbot -t evilcorp.com -p subdomain-enum -m portscan gowitness -n my_scan -o .

Subdomains + basic web scan: bbot -t evilcorp.com -p subdomain-enum web-basic

Web spider: bbot -t www.evilcorp.com -p spider -c web.spider_distance=2 web.spider_depth=2

Everything everywhere all at once: bbot -t evilcorp.com -p kitchen-sink

List modules: bbot -l

List output modules: bbot -lo

List presets: bbot -lp

List flags: bbot -lf

Show help for a specific module: bbot -mh <module_name>

Graph View

Backlinks