BBOT: OSINT Automation for Hackers

BBOT is a modular, recursive OSINT framework that can execute the entire OSINT workflow in a single command.

BBOT is inspired by Spiderfoot but takes it to the next level with features like multi-target scans, lightning-fast asyncio performance, and NLP-powered subdomain mutations. It offers a wide range of functionality, including subdomain enumeration, port scanning, web screenshots, vulnerability scanning, and much more.

BBOT typically outperforms other subdomain enumeration tools by 20-25%. To learn how this is possible, see How It Works.

Installation (pip)

For more installation methods including Docker, see Installation.

# Prerequisites:
# - Linux (Windows and macOS are *not* supported)
# - Python 3.9 or newer

# stable version
pipx install bbot

# bleeding edge (dev branch)
pipx install --pip-args '--pre' bbot

bbot --help

Example Commands

Scan output, logs, etc. are saved to ~/.bbot. For more detailed examples and explanations, see Scanning.


Subdomains:

# Perform a full subdomain enumeration on
bbot -t -f subdomain-enum

Subdomains (passive only):

# Perform a passive-only subdomain enumeration on
bbot -t -f subdomain-enum -rf passive

Subdomains + port scan + web screenshots:

# Port-scan every subdomain, screenshot every webpage, output to current directory
bbot -t -f subdomain-enum -m nmap gowitness -n my_scan -o .

Subdomains + basic web scan:

# A basic web scan includes wappalyzer, robots.txt, and other non-intrusive web modules
bbot -t -f subdomain-enum web-basic

Web spider:

# Crawl up to a max depth of 2, automatically extracting emails, secrets, etc.
bbot -t -m httpx robots badsecrets secretsdb -c web_spider_distance=2 web_spider_depth=2

Everything everywhere all at once:

# Subdomains, emails, cloud buckets, port scan, basic web, web screenshots, nuclei
bbot -t -f subdomain-enum email-enum cloud-enum web-basic -m nmap gowitness nuclei --allow-deadly


BBOT accepts an unlimited number of targets. You can specify targets either directly on the command line or in files (or both!). Targets can be any of the following:

  • DNS_NAME (
  • IP_RANGE (
  • URL (

For more information, see Targets. To learn how BBOT handles scope, see Scope.
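When targets come from both the command line and files, it helps to confirm how each string will be interpreted before a scan starts. The following is an added example, not BBOT's own code: it sorts target strings into the three types listed above, where `classify_target`, `load_targets` and the sample targets are hypothetical names and constructed values.

```python
import ipaddress
import os
import re
from urllib.parse import urlsplit

# One DNS label: 1-63 letters, digits, "-" or "_", no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9_-]{1,63}(?<!-)")

def classify_target(value):
    """Return 'URL', 'IP_RANGE' or 'DNS_NAME' for one target string, else raise ValueError."""
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.hostname:
        return "URL"
    try:
        # strict=False accepts host bits (192.0.2.7/24); a bare address is
        # treated as a one-host range, a simplification made by this example.
        ipaddress.ip_network(value, strict=False)
        return "IP_RANGE"
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # A numeric last label (10.0.0.300) is a mistyped IP address, not a hostname.
    if len(value) <= 253 and not labels[-1].isdigit() and all(LABEL.fullmatch(l) for l in labels):
        return "DNS_NAME"
    raise ValueError(f"unrecognised target: {value!r}")

def load_targets(args):
    """Expand arguments (literal targets and/or paths to target files) into
    de-duplicated (type, target) pairs, preserving first-seen order."""
    seen, out = set(), []
    for arg in args:
        if os.path.isfile(arg):
            with open(arg, encoding="utf-8") as fh:
                candidates = fh.read().splitlines()
        else:
            candidates = [arg]
        for raw in candidates:
            value = raw.strip()
            if value and value not in seen:  # skip blank lines and repeats
                seen.add(value)
                out.append((classify_target(value), value))
    return out

if __name__ == "__main__":
    # Constructed sample targets using reserved documentation names and ranges.
    for kind, target in load_targets(["example.com", "192.0.2.0/24", "https://www.example.com/login"]):
        print(f"{kind:9} {target}")
```

A string that fits none of the three types raises `ValueError`, so a typo in a target file stops the run instead of silently changing what is scanned.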

BBOT as a Python library


from bbot.scanner import Scanner

# any number of targets can be specified
scan = Scanner("", "", modules=["nmap", "sslcert"])
for event in scan.start():
    # handle each event as the scan yields it
    print(event)


import asyncio

from bbot.scanner import Scanner

async def main():
    scan = Scanner("", "", modules=["nmap", "sslcert"])
    async for event in scan.async_start():
        # handle each event as the scan yields it
        print(event)

asyncio.run(main())
