base on The recursive internet scanner for hackers. 🧡 [](https://github.com/blacklanternsecurity/bbot) [](https://www.python.org) [](https://github.com/blacklanternsecurity/bbot/blob/dev/LICENSE) [](https://www.reconvillage.org/talks) [](https://pepy.tech/project/bbot) [](https://github.com/astral-sh/ruff) [](https://github.com/blacklanternsecurity/bbot/actions?query=workflow%3A"tests") [](https://codecov.io/gh/blacklanternsecurity/bbot) [](https://discord.com/invite/PZqkgxu5SA) ### **BEE·bot** is a multipurpose scanner inspired by [Spiderfoot](https://github.com/smicallef/spiderfoot), built to automate your **Recon**, **Bug Bounties**, and **ASM**! https://github.com/blacklanternsecurity/bbot/assets/20261699/e539e89b-92ea-46fa-b893-9cde94eebf81 _A BBOT scan in real-time - visualization with [VivaGraphJS](https://github.com/blacklanternsecurity/bbot-vivagraphjs)_ ## Installation ```bash # stable version pipx install bbot # bleeding edge (dev branch) pipx install --pip-args '\--pre' bbot ``` _For more installation methods, including [Docker](https://hub.docker.com/r/blacklanternsecurity/bbot), see [Getting Started](https://www.blacklanternsecurity.com/bbot/Stable/)_ ## Example Commands ### 1) Subdomain Finder Passive API sources plus a recursive DNS brute-force with target-specific subdomain mutations. ```bash # find subdomains of evilcorp.com bbot -t evilcorp.com -p subdomain-enum # passive sources only bbot -t evilcorp.com -p subdomain-enum -rf passive ``` <!-- BBOT SUBDOMAIN-ENUM PRESET EXPANDABLE --> <details> <summary><b><code>subdomain-enum.yml</code></b></summary> ```yaml description: Enumerate subdomains via APIs, brute-force flags: # enable every module with the subdomain-enum flag - subdomain-enum output_modules: # output unique subdomains to TXT file - subdomains config: dns: threads: 25 brute_threads: 1000 # put your API keys here # modules: # github: # api_key: "" # chaos: # api_key: "" # securitytrails: # api_key: "" ``` </details> <!-- END BBOT SUBDOMAIN-ENUM PRESET EXPANDABLE --> BBOT consistently finds 20-50% more subdomains than other tools. The bigger the domain, the bigger the difference. To learn how this is possible, see [How It Works](https://www.blacklanternsecurity.com/bbot/Dev/how_it_works/).  ### 2) Web Spider ```bash # crawl evilcorp.com, extracting emails and other goodies bbot -t evilcorp.com -p spider ``` <!-- BBOT SPIDER PRESET EXPANDABLE --> <details> <summary><b><code>spider.yml</code></b></summary> ```yaml description: Recursive web spider modules: - httpx blacklist: # Prevent spider from invalidating sessions by logging out - "RE:/.*(sign|log)[_-]?out" config: web: # how many links to follow in a row spider_distance: 2 # don't follow links whose directory depth is higher than 4 spider_depth: 4 # maximum number of links to follow per page spider_links_per_page: 25 ``` </details> <!-- END BBOT SPIDER PRESET EXPANDABLE --> ### 3) Email Gatherer ```bash # quick email enum with free APIs + scraping bbot -t evilcorp.com -p email-enum # pair with subdomain enum + web spider for maximum yield bbot -t evilcorp.com -p email-enum subdomain-enum spider ``` <!-- BBOT EMAIL-ENUM PRESET EXPANDABLE --> <details> <summary><b><code>email-enum.yml</code></b></summary> ```yaml description: Enumerate email addresses from APIs, web crawling, etc. flags: - email-enum output_modules: - emails ``` </details> <!-- END BBOT EMAIL-ENUM PRESET EXPANDABLE --> ### 4) Web Scanner ```bash # run a light web scan against www.evilcorp.com bbot -t www.evilcorp.com -p web-basic # run a heavy web scan against www.evilcorp.com bbot -t www.evilcorp.com -p web-thorough ``` <!-- BBOT WEB-BASIC PRESET EXPANDABLE --> <details> <summary><b><code>web-basic.yml</code></b></summary> ```yaml description: Quick web scan include: - iis-shortnames flags: - web-basic ``` </details> <!-- END BBOT WEB-BASIC PRESET EXPANDABLE --> <!-- BBOT WEB-THOROUGH PRESET EXPANDABLE --> <details> <summary><b><code>web-thorough.yml</code></b></summary> ```yaml description: Aggressive web scan include: # include the web-basic preset - web-basic flags: - web-thorough ``` </details> <!-- END BBOT WEB-THOROUGH PRESET EXPANDABLE --> ### 5) Everything Everywhere All at Once ```bash # everything everywhere all at once bbot -t evilcorp.com -p kitchen-sink --allow-deadly # roughly equivalent to: bbot -t evilcorp.com -p subdomain-enum cloud-enum code-enum email-enum spider web-basic paramminer dirbust-light web-screenshots --allow-deadly ``` <!-- BBOT KITCHEN-SINK PRESET EXPANDABLE --> <details> <summary><b><code>kitchen-sink.yml</code></b></summary> ```yaml description: Everything everywhere all at once include: - subdomain-enum - cloud-enum - code-enum - email-enum - spider - web-basic - paramminer - dirbust-light - web-screenshots - baddns-intense config: modules: baddns: enable_references: True ``` </details> <!-- END BBOT KITCHEN-SINK PRESET EXPANDABLE --> ## How it Works Click the graph below to explore the [inner workings](https://www.blacklanternsecurity.com/bbot/Stable/how_it_works/) of BBOT. [](https://www.blacklanternsecurity.com/bbot/Stable/how_it_works/) ## Output Modules - [Neo4j](docs/scanning/output.md#neo4j) - [Teams](docs/scanning/output.md#teams) - [Discord](docs/scanning/output.md#discord) - [Slack](docs/scanning/output.md#slack) - [Postgres](docs/scanning/output.md#postgres) - [MySQL](docs/scanning/output.md#mysql) - [SQLite](docs/scanning/output.md#sqlite) - [Splunk](docs/scanning/output.md#splunk) - [Elasticsearch](docs/scanning/output.md#elasticsearch) - [CSV](docs/scanning/output.md#csv) - [JSON](docs/scanning/output.md#json) - [HTTP](docs/scanning/output.md#http) - [Websocket](docs/scanning/output.md#websocket) ...and [more](docs/scanning/output.md)! ## BBOT as a Python Library #### Synchronous ```python from bbot.scanner import Scanner if __name__ == "__main__": scan = Scanner("evilcorp.com", presets=["subdomain-enum"]) for event in scan.start(): print(event) ``` #### Asynchronous ```python from bbot.scanner import Scanner async def main(): scan = Scanner("evilcorp.com", presets=["subdomain-enum"]) async for event in scan.async_start(): print(event.json()) if __name__ == "__main__": import asyncio asyncio.run(main()) ``` <details> <summary><b>SEE: This Nefarious Discord Bot</b></summary> A [BBOT Discord Bot](https://www.blacklanternsecurity.com/bbot/Stable/dev/#discord-bot-example) that responds to the `/scan` command. Scan the internet from the comfort of your discord server!  </details> ## Feature Overview - Support for Multiple Targets - Web Screenshots - Suite of Offensive Web Modules - NLP-powered Subdomain Mutations - Native Output to Neo4j (and more) - Automatic dependency install with Ansible - Search entire attack surface with custom YARA rules - Python API + Developer Documentation ## Targets BBOT accepts an unlimited number of targets via `-t`. You can specify targets either directly on the command line or in files (or both!): ```bash bbot -t evilcorp.com evilcorp.org 1.2.3.0/24 -p subdomain-enum ``` Targets can be any of the following: - DNS Name (`evilcorp.com`) - IP Address (`1.2.3.4`) - IP Range (`1.2.3.0/24`) - Open TCP Port (`192.168.0.1:80`) - URL (`https://www.evilcorp.com`) - Email Address (`[email protected]`) - Organization (`ORG:evilcorp`) - Username (`USER:bobsmith`) - Filesystem (`FILESYSTEM:/tmp/asdf`) - Mobile App (`MOBILE_APP:https://play.google.com/store/apps/details?id=com.evilcorp.app`) For more information, see [Targets](https://www.blacklanternsecurity.com/bbot/Stable/scanning/#targets-t). To learn how BBOT handles scope, see [Scope](https://www.blacklanternsecurity.com/bbot/Stable/scanning/#scope). ## API Keys Similar to Amass or Subfinder, BBOT supports API keys for various third-party services such as SecurityTrails, etc. The standard way to do this is to enter your API keys in **`~/.config/bbot/bbot.yml`**. Note that multiple API keys are allowed: ```yaml modules: shodan_dns: api_key: 4f41243847da693a4f356c0486114bc6 c99: # multiple API keys api_key: - 21a270d5f59c9b05813a72bb41707266 - ea8f243d9885cf8ce9876a580224fd3c - 5bc6ed268ab6488270e496d3183a1a27 virustotal: api_key: dd5f0eee2e4a99b71a939bded450b246 securitytrails: api_key: d9a05c3fd9a514497713c54b4455d0b0 ``` If you like, you can also specify them on the command line: ```bash bbot -c modules.virustotal.api_key=dd5f0eee2e4a99b71a939bded450b246 ``` For details, see [Configuration](https://www.blacklanternsecurity.com/bbot/Stable/scanning/configuration/). ## Complete Lists of Modules, Flags, etc. - Complete list of [Modules](https://www.blacklanternsecurity.com/bbot/Stable/modules/list_of_modules/). - Complete list of [Flags](https://www.blacklanternsecurity.com/bbot/Stable/scanning/#list-of-flags). - Complete list of [Presets](https://www.blacklanternsecurity.com/bbot/Stable/scanning/presets_list/). - Complete list of [Global Config Options](https://www.blacklanternsecurity.com/bbot/Stable/scanning/configuration/#global-config-options). - Complete list of [Module Config Options](https://www.blacklanternsecurity.com/bbot/Stable/scanning/configuration/#module-config-options). ## Documentation <!-- BBOT DOCS TOC --> - **User Manual** - **Basics** - [Getting Started](https://www.blacklanternsecurity.com/bbot/Stable/) - [How it Works](https://www.blacklanternsecurity.com/bbot/Stable/how_it_works) - [Comparison to Other Tools](https://www.blacklanternsecurity.com/bbot/Stable/comparison) - **Scanning** - [Scanning Overview](https://www.blacklanternsecurity.com/bbot/Stable/scanning/) - **Presets** - [Overview](https://www.blacklanternsecurity.com/bbot/Stable/scanning/presets) - [List of Presets](https://www.blacklanternsecurity.com/bbot/Stable/scanning/presets_list) - [Events](https://www.blacklanternsecurity.com/bbot/Stable/scanning/events) - [Output](https://www.blacklanternsecurity.com/bbot/Stable/scanning/output) - [Tips and Tricks](https://www.blacklanternsecurity.com/bbot/Stable/scanning/tips_and_tricks) - [Advanced Usage](https://www.blacklanternsecurity.com/bbot/Stable/scanning/advanced) - [Configuration](https://www.blacklanternsecurity.com/bbot/Stable/scanning/configuration) - **Modules** - [List of Modules](https://www.blacklanternsecurity.com/bbot/Stable/modules/list_of_modules) - [Nuclei](https://www.blacklanternsecurity.com/bbot/Stable/modules/nuclei) - [Custom YARA Rules](https://www.blacklanternsecurity.com/bbot/Stable/modules/custom_yara_rules) - [Lightfuzz](https://www.blacklanternsecurity.com/bbot/Stable/modules/lightfuzz) - **Misc** - [Contribution](https://www.blacklanternsecurity.com/bbot/Stable/contribution) - [Release History](https://www.blacklanternsecurity.com/bbot/Stable/release_history) - [Troubleshooting](https://www.blacklanternsecurity.com/bbot/Stable/troubleshooting) - **Developer Manual** - [Development Overview](https://www.blacklanternsecurity.com/bbot/Stable/dev/) - [Setting Up a Dev Environment](https://www.blacklanternsecurity.com/bbot/Stable/dev/dev_environment) - [BBOT Internal Architecture](https://www.blacklanternsecurity.com/bbot/Stable/dev/architecture) - [How to Write a BBOT Module](https://www.blacklanternsecurity.com/bbot/Stable/dev/module_howto) - [Unit Tests](https://www.blacklanternsecurity.com/bbot/Stable/dev/tests) - [Discord Bot Example](https://www.blacklanternsecurity.com/bbot/Stable/dev/discord_bot) - **Code Reference** - [Scanner](https://www.blacklanternsecurity.com/bbot/Stable/dev/scanner) - [Presets](https://www.blacklanternsecurity.com/bbot/Stable/dev/presets) - [Event](https://www.blacklanternsecurity.com/bbot/Stable/dev/event) - [Target](https://www.blacklanternsecurity.com/bbot/Stable/dev/target) - [BaseModule](https://www.blacklanternsecurity.com/bbot/Stable/dev/basemodule) - [BBOTCore](https://www.blacklanternsecurity.com/bbot/Stable/dev/core) - [Engine](https://www.blacklanternsecurity.com/bbot/Stable/dev/engine) - **Helpers** - [Overview](https://www.blacklanternsecurity.com/bbot/Stable/dev/helpers/) - [Command](https://www.blacklanternsecurity.com/bbot/Stable/dev/helpers/command) - [DNS](https://www.blacklanternsecurity.com/bbot/Stable/dev/helpers/dns) - [Interactsh](https://www.blacklanternsecurity.com/bbot/Stable/dev/helpers/interactsh) - [Miscellaneous](https://www.blacklanternsecurity.com/bbot/Stable/dev/helpers/misc) - [Web](https://www.blacklanternsecurity.com/bbot/Stable/dev/helpers/web) - [Word Cloud](https://www.blacklanternsecurity.com/bbot/Stable/dev/helpers/wordcloud) <!-- END BBOT DOCS TOC --> ## Contribution Some of the best BBOT modules were written by the community. BBOT is being constantly improved; every day it grows more powerful! We welcome contributions. Not just code, but ideas too! If you have an idea for a new feature, please let us know in [Discussions](https://github.com/blacklanternsecurity/bbot/discussions). If you want to get your hands dirty, see [Contribution](https://www.blacklanternsecurity.com/bbot/Stable/contribution/). There you can find setup instructions and a simple tutorial on how to write a BBOT module. We also have extensive [Developer Documentation](https://www.blacklanternsecurity.com/bbot/Stable/dev/). Thanks to these amazing people for contributing to BBOT! :heart: <p align="center"> <a href="https://github.com/blacklanternsecurity/bbot/graphs/contributors"> <img src="https://contrib.rocks/image?repo=blacklanternsecurity/bbot&max=500"> </a> </p> Special thanks to: - @TheTechromancer for creating BBOT - @liquidsec for his extensive work on BBOT's web hacking features, including [badsecrets](https://github.com/blacklanternsecurity/badsecrets) and [baddns](https://github.com/blacklanternsecurity/baddns) - Steve Micallef (@smicallef) for creating Spiderfoot - @kerrymilan for his Neo4j and Ansible expertise - @domwhewell-sage for his family of badass code-looting modules - @aconite33 and @amiremami for their ruthless testing - Aleksei Kornev (@alekseiko) for granting us ownership of the bbot Pypi repository <3 ", Assign "at most 3 tags" to the expected json: {"id":"7836","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"