bbot: OSINT automation for hackers
BEE·bot
OSINT automation for hackers.
BBOT is a recursive, modular OSINT framework written in Python.
It is capable of executing the entire OSINT process in a single command, including subdomain enumeration, port scanning, web screenshots (with its gowitness module), vulnerability scanning (with nuclei), and much more.
Features
- Support for Multiple Targets
- Web Screenshots
- Suite of Offensive Web Modules
- NLP-powered Subdomain Mutations
- Native Output to Neo4j (and more)
- Automatic dependency install with Ansible
- Search entire attack surface with custom YARA rules
- Python API + Developer Documentation
BBOT currently has over 50 modules and counting.
Modules
| Module | Needs API Key | Description | Flags | Produced Events |
|---|---|---|---|---|
| aspnet_viewstate | Parse web pages for viewstates and check them against blacklist3r | active, safe, web |
VULNERABILITY | |
| bypass403 | Check 403 pages for common bypasses | active,aggressive,web | FINDING | |
| cookie_brute | Check for common HTTP cookie parameters | active, aggressive, brute-force, slow, web |
FINDING | |
| dnszonetransfer | Attempt DNS zone transfers | active, safe, subdomain-enum |
DNS_NAME | |
| ffuf | A fast web fuzzer written in Go | active, aggressive, brute-force, deadly, web |
URL | |
| ffuf_shortnames | Use ffuf in combination IIS shortnames | active, aggressive, brute-force, web |
URL | |
| generic_ssrf | Check for generic SSRFs | active,aggressive,web | VULNERABILITY | |
| getparam_brute | Check for common HTTP GET parameters | active, aggressive, brute-force, slow, web |
FINDING | |
| gowitness | Take screenshots of webpages | active, safe, web |
SCREENSHOT | |
| header_brute | Check for common HTTP header parameters | active, aggressive, brute-force, slow, web |
FINDING | |
| host_header | Try common HTTP Host header spoofing techniques | active, aggressive, web |
FINDING | |
| httpx | Visit webpages. Many other modules rely on httpx | active,safe,web | HTTP_RESPONSE, URL |
|
| hunt | Watch for commonly-exploitable HTTP parameters | active,safe,web | FINDING | |
| iis_shortnames | Check for IIS shortname vulnerability | active,safe | URL_HINT | |
| naabu | Execute port scans with naabu | active, aggressive, portscan |
OPEN_TCP_PORT | |
| ntlm | Watch for HTTP endpoints that support NTLM authentication | active, safe, web |
DNS_NAME, FINDING |
|
| nuclei | Fast and customisable vulnerability scanner | active, aggressive, deadly,web |
VULNERABILITY | |
| smuggler | Check for HTTP smuggling | active, aggressive, brute-force, slow, web |
FINDING | |
| sslcert | Visit open ports and retrieve SSL certificates | active, email-enum, safe, subdomain-enum |
DNS_NAME, EMAIL_ADDRESS |
|
| telerik | Scan for critical Telerik vulnerabilities | active,aggressive,web | FINDING, VULNERABILITY |
|
| vhost | Fuzz for virtual hosts | active,aggressive,brute-force,deadly,slow,web | DNS_NAME, VHOST |
|
| wappalyzer | Extract technologies from web responses | active,safe,web | TECHNOLOGY | |
| affiliates | Summarize affiliate domains at the end of a scan | passive,report,safe | ||
| asn | Query bgpview.io for ASNs | passive,report,safe,subdomain-enum | ASN | |
| azure_tenant | Query Azure for tenant sister domains | passive,safe,subdomain-enum | DNS_NAME | |
| binaryedge | X | Query the BinaryEdge API | passive,safe,subdomain-enum | DNS_NAME, EMAIL_ADDRESS, IP_ADDRESS, OPEN_PORT, PROTOCOL |
| c99 | X | Query the C99 API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| censys | X | Query the Censys API | email-enum,passive,safe,subdomain-enum | DNS_NAME, EMAIL_ADDRESS, IP_ADDRESS, OPEN_PORT, PROTOCOL |
| certspotter | Query Certspotter’s API for subdomains | passive,safe,subdomain-enum | DNS_NAME | |
| crobat | Query Project Crobat for subdomains | passive,safe,subdomain-enum | DNS_NAME | |
| crt | Query crt.sh (certificate transparency) for subdomains | passive,safe,subdomain-enum | DNS_NAME | |
| dnscommonsrv | Check for common SRV records | passive,safe,subdomain-enum | DNS_NAME | |
| dnsdumpster | Query dnsdumpster for subdomains | passive,safe,subdomain-enum | DNS_NAME | |
| emailformat | Query email-format.com for email addresses | email-enum,passive,safe | EMAIL_ADDRESS | |
| github | X | Query Github’s API for related repositories | passive,safe,subdomain-enum | URL_UNVERIFIED |
| hackertarget | Query the hackertarget.com API for subdomains | passive,safe,subdomain-enum | DNS_NAME | |
| hunterio | X | Query hunter.io for emails | email-enum,passive,safe,subdomain-enum | DNS_NAME, EMAIL_ADDRESS, URL_UNVERIFIED |
| ipneighbor | Look beside IPs in their surrounding subnet | aggressive,passive,subdomain-enum | IP_ADDRESS | |
| leakix | Query leakix.net for subdomains | passive,safe,subdomain-enum | DNS_NAME | |
| massdns | Brute-force subdomains with massdns (highly effective) | aggressive,brute-force,passive,slow,subdomain-enum | DNS_NAME | |
| passivetotal | X | Query the PassiveTotal API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| pgp | Query common PGP servers for email addresses | email-enum,passive,safe | EMAIL_ADDRESS | |
| securitytrails | X | Query the SecurityTrails API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| shodan_dns | X | Query Shodan for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| skymem | Query skymem.info for email addresses | email-enum,passive,safe | EMAIL_ADDRESS | |
| sublist3r | Query sublist3r’s API for subdomains | passive,safe,subdomain-enum | DNS_NAME | |
| threatminer | Query threatminer’s API for subdomains | passive,safe,subdomain-enum | DNS_NAME | |
| urlscan | Query urlscan.io for subdomains | passive,safe,subdomain-enum | DNS_NAME, URL_UNVERIFIED |
|
| viewdns | Query viewdns.info’s reverse whois for related domains | passive,safe,subdomain-enum | DNS_NAME | |
| wayback | Query archive.org’s API for subdomains | passive,safe,subdomain-enum | DNS_NAME, URL_UNVERIFIED |
|
| zoomeye | X | Query ZoomEye’s API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
Install & Usage
Copyright (C) 2022 blacklanternsecurity
