loading
loading
Recon
OSINT automation for hackers.
overview
bbot runs recon as a graph of modules that feed each other. A subdomain a passive module finds becomes input to a DNS module, whose hosts feed a port module, whose services feed a web module, so a single seed target expands into a connected picture of subdomains, IPs, open ports, and exposures.
Flags and presets control how aggressive a scan gets. Enable modules by flag, require or exclude flags such as passive or aggressive, and use whitelist, blacklist, and strict-scope to keep recursion inside the assets you are allowed to touch. Output modules send results to JSON, CSV, and many other sinks.
Use it as a one-shot attack-surface sweep, or scope it tightly and slot it beside focused tools. On Trickest it is a Recon node that takes seed targets and writes a folder of scan data.
use cases
Seed bbot with a domain and let its modules chain from subdomains to hosts to ports to web exposures for a connected surface map.
Require the passive flag for a quiet pass, or allow aggressive and deadly modules for a deeper authorized sweep, all from the flag set.
Use whitelist, blacklist, and strict-scope so module-to-module expansion stays within the assets you are cleared to test.
Turn on JSON output and the relevant output modules so findings land as structured data the rest of a workflow can query and route.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| targets | FILE | --targets | Targets to seed the scan. |
| preset | STRING | --preset | Enable one or more BBOT presets. |
| flags | STRING | --flags | Enable modules by flag. |
| modules | STRING | --modules | Modules to enable. |
| whitelist | STRING | --whitelist | What is considered in scope (defaults to --targets). |
| blacklist | STRING | --blacklist | Targets to never touch. |
| output-modules | STRING | --output-modules | Output modules, e.g. json, csv, subdomains, http, neo4j. |
| json | BOOLEAN | --json | Output scan data in JSON format. |
Showing key inputs. bbot exposes 39 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| json | BOOLEAN | --json | Output scan data in JSON format |
| name | STRING | --name | Name of scan (default: random) |
| brief | BOOLEAN | --brief | Output only the data itself |
| debug | BOOLEAN | --debug | Enable debugging |
| flags | STRING | --flags | Enable modules by flag. |
| force | BOOLEAN | --force | Run scan even if module setups fail |
| proxy | STRING | --proxy | Use this proxy for all HTTP requests |
| config | STRING | --config | configuration options in key=value format: 'modules.shodan.api_key=1234' |
| preset | STRING | --preset | Enable BBOT preset(s) |
| silent | BOOLEAN | --silent | Be quiet |
| dry-run | BOOLEAN | --dry-run | Abort before executing scan |
| modules | STRING | --modules | Modules to enable. |
| no-deps | BOOLEAN | --no-deps | Don't install module dependencies |
| targets | FILE | --targets | Targets to seed the scan |
| verbose | BOOLEAN | --verbose | Be more verbose |
| blacklist | STRING | --blacklist | Don't touch these things |
| whitelist | STRING | --whitelist | What's considered in-scope (by default it's the same as --targets) |
| force-deps | BOOLEAN | --force-deps | Force install all module dependencies |
| list-flags | BOOLEAN | --list-flags | List available flags. |
| retry-deps | BOOLEAN | --retry-deps | Try again to install failed module dependencies |
| user-agent | STRING | --user-agent | Set the user-agent for all HTTP requests |
| event-types | STRING | --event-types | Choose which event types to display |
| exclude-cdn | BOOLEAN | --exclude-cdn | Filter out unwanted open ports on CDNs/WAFs (80,443 only) |
| allow-deadly | BOOLEAN | --allow-deadly | Enable the use of highly aggressive modules |
| list-modules | BOOLEAN | --list-modules | List available modules. |
| list-presets | BOOLEAN | --list-presets | List available presets. |
| strict-scope | BOOLEAN | --strict-scope | Don't consider subdomains of target/whitelist to be in-scope |
| exclude-flags | STRING | --exclude-flags | Disable modules with these flags. (e.g. -ef aggressive) |
| require-flags | STRING | --require-flags | Only enable modules with these flags (e.g. -rf passive) |
| current-preset | BOOLEAN | --current-preset | Show the current preset in YAML format |
| custom-cookies | STRING | --custom-cookies | List of custom cookies as key value pairs (cookie=value). |
| custom-headers | STRING | --custom-headers | List of custom headers as key value pairs (header=value). |
| output-modules | STRING | --output-modules | Output module(s). Choices: asset_inventory,csv,discord,emails,http,json,mysql,neo4j,nmap_xml,postgres,python,slack,splunk,sqlite,stdout,subdomains,teams,txt,web_parameters,web_report,websocket |
| exclude-modules | STRING | --exclude-modules | Exclude these modules. |
| install-all-deps | BOOLEAN | --install-all-deps | Install dependencies for all modules |
| custom-yara-rules | FILE | --custom-yara-rules | Add custom yara rules to excavate |
| ignore-failed-deps | BOOLEAN | --ignore-failed-deps | Run modules even if they have failed dependencies |
| current-preset-full | BOOLEAN | --current-preset-full | Show the current preset in its full form, including defaults |
| list-module-options | BOOLEAN | --list-module-options | Show all module config options |
example
# passive preset against a seed domain, JSON eventsbbot --targets example.com --preset subdomain-enum --require-flags passive --json --name example-scan[INFO] Scan example-scan started against example.com[DNS_NAME] example.com (TARGET)[DNS_NAME] www.example.com[DNS_NAME] api.example.com[DNS_NAME] mail.example.com[DNS_NAME] staging.example.com[OPEN_TCP_PORT] api.example.com:443[URL] https://api.example.com/[TECHNOLOGY] nginx on api.example.com[INFO] Scan finished: 48 eventsguidance
Use bbot when you want one engine to chain many recon modules from a seed target into a connected surface map. It is broad by design, so scope it with whitelist and flags. For a single focused step like passive subdomains, a tool like subfinder is leaner.
Deep OSINT focused on subdomain and infrastructure mapping. bbot chains a wider variety of module types.
Another modular OSINT automation framework. Overlapping goal, different module ecosystem and UI.
Passive subdomain discovery only. Leaner when you need one step, not a full module chain.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A seed target feeds bbot, which chains its OSINT modules to expand the surface and writes the connected scan data as a queryable output folder.
Facts on this page come from the live Trickest tool library.