BBOT: OSINT Automation for Hackers

BBOT is a modular, recursive OSINT framework that can execute the entire OSINT workflow in a single command.

BBOT is inspired by Spiderfoot but takes it to the next level with features like multi-target scans, lightning-fast asyncio performance, and NLP-powered subdomain mutations. It offers a wide range of functionality, including subdomain enumeration, port scanning, web screenshots, vulnerability scanning, and much more.

BBOT typically outperforms other subdomain enumeration tools by 20-25%. To learn how this is possible, see How It Works.

bbot#OSINT automation for hackers.https://t.co/8KtjOhs0aA#cybersecurity #infosec pic.twitter.com/JN9lAjNHNX

— HackGit (@hack_git) July 17, 2023

Installation (pip)

For more installation methods including Docker, see Installation.

# Prerequisites:
# - Linux (Windows and macOS are *not* supported)
# - Python 3.9 or newer

# stable version
pipx install bbot

# bleeding edge (dev branch)
pipx install --pip-args '\--pre' bbot

bbot --help

Example Commands

Scan output, logs, etc. are saved to ~/.bbot. For more detailed examples and explanations, see Scanning.

Subdomains:

# Perform a full subdomain enumeration on evilcorp.com
bbot -t evilcorp.com -f subdomain-enum

Subdomains (passive only):

# Perform a passive-only subdomain enumeration on evilcorp.com
bbot -t evilcorp.com -f subdomain-enum -rf passive

Subdomains + port scan + web screenshots:

# Port-scan every subdomain, screenshot every webpage, output to current directory
bbot -t evilcorp.com -f subdomain-enum -m nmap gowitness -n my_scan -o .

Subdomains + basic web scan:

# A basic web scan includes wappalyzer, robots.txt, and other non-intrusive web modules
bbot -t evilcorp.com -f subdomain-enum web-basic

Web spider:

# Crawl www.evilcorp.com up to a max depth of 2, automatically extracting emails, secrets, etc.
bbot -t www.evilcorp.com -m httpx robots badsecrets secretsdb -c web_spider_distance=2 web_spider_depth=2

Everything everywhere all at once:

# Subdomains, emails, cloud buckets, port scan, basic web, web screenshots, nuclei
bbot -t evilcorp.com -f subdomain-enum email-enum cloud-enum web-basic -m nmap gowitness nuclei --allow-deadly

Targets

BBOT accepts an unlimited number of targets. You can specify targets either directly on the command line or in files (or both!). Targets can be any of the following:

• DNS_NAME (evilcorp.com)
• IP_ADDRESS (1.2.3.4)
• IP_RANGE (1.2.3.0/24)
• OPEN_TCP_PORT (192.168.0.1:80)
• URL (https://www.evilcorp.com)

For more information, see Targets. To learn how BBOT handles scope, see Scope.

BBOT as a Python library

Synchronous

from bbot.scanner import Scanner

# any number of targets can be specified
scan = Scanner("example.com", "scanme.nmap.org", modules=["nmap", "sslcert"])
for event in scan.start():
    print(event.json())

Asynchronous

from bbot.scanner import Scanner

async def main():
    scan = Scanner("example.com", "scanme.nmap.org", modules=["nmap", "sslcert"])
    async for event in scan.async_start():
        print(event.json())

import asyncio
asyncio.run(main())

Download bbot