bbot: OSINT automation for hackers

BEE·bot

OSINT automation for hackers.

BBOT is a recursive, modular OSINT framework written in Python.

It is capable of executing the entire OSINT process in a single command, including subdomain enumeration, port scanning, web screenshots (with its gowitness module), vulnerability scanning (with nuclei), and much more.

Features

  • Support for Multiple Targets
  • Web Screenshots
  • Suite of Offensive Web Modules
  • NLP-powered Subdomain Mutations
  • Native Output to Neo4j (and more)
  • Automatic dependency install with Ansible
  • Search entire attack surface with custom YARA rules
  • Python API + Developer Documentation

BBOT currently has over 50 modules and counting.

Modules

| Module | Needs API Key | Description | Flags | Produced Events |
|---|---|---|---|---|
| aspnet_viewstate | | Parse web pages for viewstates and check them against blacklist3r | active, safe, web | VULNERABILITY |
| bypass403 | | Check 403 pages for common bypasses | active, aggressive, web | FINDING |
| cookie_brute | | Check for common HTTP cookie parameters | active, aggressive, brute-force, slow, web | FINDING |
| dnszonetransfer | | Attempt DNS zone transfers | active, safe, subdomain-enum | DNS_NAME |
| ffuf | | A fast web fuzzer written in Go | active, aggressive, brute-force, deadly, web | URL |
| ffuf_shortnames | | Use ffuf in combination with IIS shortnames | active, aggressive, brute-force, web | URL |
| generic_ssrf | | Check for generic SSRFs | active, aggressive, web | VULNERABILITY |
| getparam_brute | | Check for common HTTP GET parameters | active, aggressive, brute-force, slow, web | FINDING |
| gowitness | | Take screenshots of webpages | active, safe, web | SCREENSHOT |
| header_brute | | Check for common HTTP header parameters | active, aggressive, brute-force, slow, web | FINDING |
| host_header | | Try common HTTP Host header spoofing techniques | active, aggressive, web | FINDING |
| httpx | | Visit webpages. Many other modules rely on httpx | active, safe, web | HTTP_RESPONSE, URL |
| hunt | | Watch for commonly-exploitable HTTP parameters | active, safe, web | FINDING |
| iis_shortnames | | Check for IIS shortname vulnerability | active, safe | URL_HINT |
| naabu | | Execute port scans with naabu | active, aggressive, portscan | OPEN_TCP_PORT |
| ntlm | | Watch for HTTP endpoints that support NTLM authentication | active, safe, web | DNS_NAME, FINDING |
| nuclei | | Fast and customisable vulnerability scanner | active, aggressive, deadly, web | VULNERABILITY |
| smuggler | | Check for HTTP smuggling | active, aggressive, brute-force, slow, web | FINDING |
| sslcert | | Visit open ports and retrieve SSL certificates | active, email-enum, safe, subdomain-enum | DNS_NAME, EMAIL_ADDRESS |
| telerik | | Scan for critical Telerik vulnerabilities | active, aggressive, web | FINDING, VULNERABILITY |
| vhost | | Fuzz for virtual hosts | active, aggressive, brute-force, deadly, slow, web | DNS_NAME, VHOST |
| wappalyzer | | Extract technologies from web responses | active, safe, web | TECHNOLOGY |
| affiliates | | Summarize affiliate domains at the end of a scan | passive, report, safe | |
| asn | | Query bgpview.io for ASNs | passive, report, safe, subdomain-enum | ASN |
| azure_tenant | | Query Azure for tenant sister domains | passive, safe, subdomain-enum | DNS_NAME |
| binaryedge | X | Query the BinaryEdge API | passive, safe, subdomain-enum | DNS_NAME, EMAIL_ADDRESS, IP_ADDRESS, OPEN_PORT, PROTOCOL |
| c99 | X | Query the C99 API for subdomains | passive, safe, subdomain-enum | DNS_NAME |
| censys | X | Query the Censys API | email-enum, passive, safe, subdomain-enum | DNS_NAME, EMAIL_ADDRESS, IP_ADDRESS, OPEN_PORT, PROTOCOL |
| certspotter | | Query Certspotter’s API for subdomains | passive, safe, subdomain-enum | DNS_NAME |
| crobat | | Query Project Crobat for subdomains | passive, safe, subdomain-enum | DNS_NAME |
| crt | | Query crt.sh (certificate transparency) for subdomains | passive, safe, subdomain-enum | DNS_NAME |
| dnscommonsrv | | Check for common SRV records | passive, safe, subdomain-enum | DNS_NAME |
| dnsdumpster | | Query dnsdumpster for subdomains | passive, safe, subdomain-enum | DNS_NAME |
| emailformat | | Query email-format.com for email addresses | email-enum, passive, safe | EMAIL_ADDRESS |
| github | X | Query Github’s API for related repositories | passive, safe, subdomain-enum | URL_UNVERIFIED |
| hackertarget | | Query the hackertarget.com API for subdomains | passive, safe, subdomain-enum | DNS_NAME |
| hunterio | X | Query hunter.io for emails | email-enum, passive, safe, subdomain-enum | DNS_NAME, EMAIL_ADDRESS, URL_UNVERIFIED |
| ipneighbor | | Look beside IPs in their surrounding subnet | aggressive, passive, subdomain-enum | IP_ADDRESS |
| leakix | | Query leakix.net for subdomains | passive, safe, subdomain-enum | DNS_NAME |
| massdns | | Brute-force subdomains with massdns (highly effective) | aggressive, brute-force, passive, slow, subdomain-enum | DNS_NAME |
| passivetotal | X | Query the PassiveTotal API for subdomains | passive, safe, subdomain-enum | DNS_NAME |
| pgp | | Query common PGP servers for email addresses | email-enum, passive, safe | EMAIL_ADDRESS |
| securitytrails | X | Query the SecurityTrails API for subdomains | passive, safe, subdomain-enum | DNS_NAME |
| shodan_dns | X | Query Shodan for subdomains | passive, safe, subdomain-enum | DNS_NAME |
| skymem | | Query skymem.info for email addresses | email-enum, passive, safe | EMAIL_ADDRESS |
| sublist3r | | Query sublist3r’s API for subdomains | passive, safe, subdomain-enum | DNS_NAME |
| threatminer | | Query threatminer’s API for subdomains | passive, safe, subdomain-enum | DNS_NAME |
| urlscan | | Query urlscan.io for subdomains | passive, safe, subdomain-enum | DNS_NAME, URL_UNVERIFIED |
| viewdns | | Query viewdns.info’s reverse whois for related domains | passive, safe, subdomain-enum | DNS_NAME |
| wayback | | Query archive.org’s API for subdomains | passive, safe, subdomain-enum | DNS_NAME, URL_UNVERIFIED |
| zoomeye | X | Query ZoomEye’s API for subdomains | passive, safe, subdomain-enum | DNS_NAME |

Install & Usage

Copyright (C) 2022 blacklanternsecurity