Tag: passive-recon

  • BBOT: The Swiss Army Knife for Recon, Bug Bounties, and ASM

    Meet BBOT: Your New Favorite Recon Tool

    BBOT (short for Bee·bot) is a powerful, multipurpose Python-based scanner designed to automate recon, bug bounty hunting, and attack surface management (ASM). Inspired by tools like Spiderfoot but modernized for today’s needs, BBOT delivers speed, modularity, and scalability for cybersecurity professionals and hobbyists alike.

    With native support for multiple targets, extensive output options, and seamless integration with popular APIs, BBOT is more than a tool; it’s a full-fledged recon framework that adapts to your workflow.

    Why BBOT?

    Reconnaissance is the foundation of offensive security. BBOT streamlines this critical phase with:

    • Subdomain enumeration that consistently outperforms other tools
    • Web spidering and email harvesting
    • Light and aggressive web scanning presets
    • YAML-driven customization with modular architecture
    • Support for over a dozen output formats including Neo4j, CSV, JSON, and Splunk

    Installation Made Simple

    To get started with BBOT, simply run:

    pipx install bbot

    For the latest development version:

    pipx install --pip-args '--pre' bbot

    Docker images and advanced installation options are available via the official Getting Started guide.

    Core Features & Usage Examples

    Subdomain Enumeration

    Discover subdomains using passive APIs and brute-force techniques:

    bbot -t evilcorp.com -p subdomain-enum

    BBOT finds 20-50% more subdomains than other tools, especially on larger domains.

    Web Spidering

    Extract emails and files by crawling target websites:

    bbot -t evilcorp.com -p spider

    Email Harvesting

    Scrape email addresses from web content and APIs:

    bbot -t evilcorp.com -p email-enum

    Web Scanning

    Run lightweight or aggressive web scans:

    bbot -t www.evilcorp.com -p web-basic
    bbot -t www.evilcorp.com -p web-thorough

    Everything at Once

    For comprehensive recon in one go:

    bbot -t evilcorp.com -p kitchen-sink --allow-deadly

    Targets and Scope

    BBOT accepts a wide range of target types, including:

    • Domains (e.g. evilcorp.com)
    • IP ranges (e.g. 1.2.3.0/24)
    • URLs, emails, organizations, usernames
    • Even mobile app package names and file paths

    Define scope via command-line or config files to keep scans focused and efficient.

    Output Options

    BBOT can export scan data to:

    • Neo4j, Elasticsearch, and Splunk for advanced querying
    • Slack, Discord, and Microsoft Teams for real-time alerts
    • SQL databases and CSV/JSON files for storage and analysis

    Security and Dependencies

    BBOT supports API key configuration for services like Shodan, VirusTotal, and SecurityTrails. Keys can be added to your ~/.config/bbot/bbot.yml file or passed directly via the command line.

    All dependencies are auto-installed, and Ansible scripts are provided for streamlined environment setup.

    Python API for Developers

    Use BBOT as a library for custom applications. Both synchronous and asynchronous scanning are supported:

    from bbot.scanner import Scanner
    scan = Scanner("evilcorp.com", presets=["subdomain-enum"])
    for event in scan.start():  # synchronous generator; scan.async_start() is the async equivalent
        print(event)
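    The JSON output format listed under Output Options and the events yielded by the Python API share one shape, so a single consumer serves both. As an added example (not BBOT's own code), the script below parses BBOT-style JSON lines, keeps only DNS_NAME events at scope distance 0 (the in-scope hosts), and shows which module reported each host. The sample events are constructed for illustration; the only fields assumed are type, data, module and scope_distance.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of BBOT's JSON output (one event per line).
# These are not real scan results; only the fields type, data, module and
# scope_distance are used, and scope_distance 0 means "inside the defined scope".
SAMPLE_JSONL = """
{"type": "SCAN", "data": "example_scan", "module": "TARGET", "scope_distance": 0}
{"type": "DNS_NAME", "data": "evilcorp.com", "module": "TARGET", "scope_distance": 0}
{"type": "DNS_NAME", "data": "www.evilcorp.com", "module": "crt", "scope_distance": 0}
{"type": "DNS_NAME", "data": "mail.evilcorp.com", "module": "crt", "scope_distance": 0}
{"type": "DNS_NAME", "data": "mail.evilcorp.com", "module": "dnsbrute", "scope_distance": 0}
{"type": "DNS_NAME", "data": "cdn.example-cdn.net", "module": "crt", "scope_distance": 1}
{"type": "EMAIL_ADDRESS", "data": "admin@evilcorp.com", "module": "emailformat", "scope_distance": 0}
not valid json, e.g. a truncated line from an interrupted scan
"""


def load_events(jsonl):
    """Parse JSON lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def in_scope_hosts(events):
    """Unique DNS_NAME values at scope distance 0, sorted for stable output."""
    return sorted({e["data"] for e in events
                   if e.get("type") == "DNS_NAME" and e.get("scope_distance") == 0})


def hosts_by_module(events):
    """Map each module to the in-scope hosts it reported, to see where coverage comes from."""
    found = defaultdict(set)
    for e in events:
        if e.get("type") == "DNS_NAME" and e.get("scope_distance") == 0:
            found[e.get("module", "?")].add(e["data"])
    return {m: sorted(h) for m, h in found.items()}


if __name__ == "__main__":
    evs = load_events(SAMPLE_JSONL)
    print("in scope:", in_scope_hosts(evs))
    for module, hosts in hosts_by_module(evs).items():
        print(f"{module}: {hosts}")
```

    The same functions work on a real output.json from a scan, or on the `.json()` of events returned by `scan.start()`.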

    Community & Contributions

    BBOT thrives on community contributions, from module ideas to code enhancements. Check out the developer docs to get involved.

    Final Thoughts

    BBOT isn’t just another recon tool. It’s a flexible, extensible framework built for modern offensive security workflows. Whether you’re working on bug bounties or managing enterprise attack surfaces, BBOT gives you the power to automate and innovate your reconnaissance efforts.

    Ready to scan smarter? Explore BBOT now.

  • Subfinder: Fast, Passive Subdomain Enumeration for Bug Bounty and Pentesting

    Discover Subdomains the Smart Way with Subfinder

    Whether you’re into bug bounty hunting, penetration testing, or just love exploring internet surface area, Subfinder by ProjectDiscovery is a must-have tool in your cybersecurity toolkit. This open-source tool specializes in passive subdomain enumeration, making it ideal for stealthy and efficient reconnaissance.

    Purpose and Use Cases

    Subfinder is designed to find valid subdomains of target domains using passive online sources. This means it doesn’t send direct queries to the target infrastructure, making it stealthy and low-risk for detection. It’s perfect for:

    • Bug bounty hunters identifying attack surfaces
    • Penetration testers performing reconnaissance
    • Security analysts mapping domain assets
    • Red teamers staying under the radar

    Installation and Setup

    Installing Subfinder is straightforward. Make sure you have Go 1.21 or later installed, then run:

    go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

    After installation, you can run Subfinder directly. However, to maximize its power, some passive data sources require API keys. Learn more about setting up provider configurations here: Post-Install Configuration.

    Core Features

    • Blazing fast performance with optimized modules
    • Curated passive sources like crt.sh and GitHub for rich subdomain data
    • Multiple output formats: JSON, text files, standard output
    • Wildcard and DNS resolution support for filtering noise
    • STDIN/STDOUT compatibility for smooth automation and scripting
    • Recursive subdomain support for deeper discovery

    Example Commands

    Run Subfinder on a single domain:

    subfinder -d example.com

    Scan a list of domains:

    subfinder -dL domains.txt

    Use all sources (slow but comprehensive):

    subfinder -d example.com -all

    Exclude noisy or unreliable sources:

    subfinder -d example.com -es alienvault,zoomeyeapi

    Output results to a file:

    subfinder -d example.com -o results.txt

    Security Considerations

    Since Subfinder performs only passive reconnaissance, it sends no traffic to the target itself and so is unlikely to trip the target’s own monitoring. However, be cautious when integrating it with active tools or APIs that may log access or trigger alerts.

    Technical Terms Explained

    • Passive Enumeration: Gathering data from third-party sources without direct interaction with the target system.
    • Wildcard Domains: DNS records that match multiple subdomains; filtering these reduces false positives.
    • Resolvers: DNS servers used to resolve domain names into IP addresses, used in validation steps.
    • STDIN/STDOUT: Standard input/output – useful for chaining Subfinder with other tools in shell pipelines.
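    To make the wildcard and resolver terms above concrete, here is an added example (not Subfinder's code) of the validation step a resolver-based filter performs: probe a few random labels under the domain, and if they all resolve, treat any candidate that resolves only to that wildcard answer as noise. The DNS table and the resolve function are constructed stand-ins so the script runs offline; a real run would swap in an actual resolver.

```python
import secrets

# Constructed DNS table standing in for real resolvers (no network access).
# evilcorp.com has a wildcard: any unknown label under it answers 203.0.113.7.
FAKE_DNS = {
    "evilcorp.com": ["203.0.113.1"],
    "www.evilcorp.com": ["203.0.113.2"],
    "mail.evilcorp.com": ["203.0.113.3"],
}
WILDCARD_IPS = {"evilcorp.com": ["203.0.113.7"]}


def fake_resolve(name):
    """Stand-in resolver: A records for the name, or [] for NXDOMAIN."""
    if name in FAKE_DNS:
        return list(FAKE_DNS[name])
    parent = name.split(".", 1)[1] if "." in name else ""
    return list(WILDCARD_IPS.get(parent, []))


def wildcard_answers(domain, resolve, probes=3):
    """Detect a wildcard by resolving random labels that should not exist.
    Returns the set of IPs the wildcard answers with, or an empty set."""
    answers = set()
    for _ in range(probes):
        nonce = secrets.token_hex(8)
        ips = resolve(f"{nonce}.{domain}")
        if not ips:
            return set()  # one NXDOMAIN means there is no consistent wildcard
        answers.update(ips)
    return answers


def filter_wildcards(domain, candidates, resolve):
    """Split candidates into kept and dropped. Dropped = no answer at all, or
    only the wildcard answer. Caveat: a real host that deliberately shares the
    wildcard IP is dropped too; that is the known trade-off of IP-based filtering."""
    wc = wildcard_answers(domain, resolve)
    kept, dropped = [], []
    for host in candidates:
        ips = resolve(host)
        if not ips or (wc and set(ips) <= wc):
            dropped.append(host)
        else:
            kept.append(host)
    return kept, dropped


if __name__ == "__main__":
    cands = ["www.evilcorp.com", "mail.evilcorp.com", "old.evilcorp.com", "x1.evilcorp.com"]
    print(filter_wildcards("evilcorp.com", cands, fake_resolve))
```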

    Library Use for Developers

    Subfinder can also be integrated into Go applications as a library. Minimal examples of SDK usage are available in the Subfinder GitHub examples directory.

    Join the Community

    Connect with like-minded hackers and researchers on the ProjectDiscovery Discord to share tips, get help, and stay updated.

    Conclusion

    Subfinder is a lightweight, high-speed subdomain enumerator that fits seamlessly into any recon workflow. Built for passive recon, it respects API limits, stays stealthy, and delivers results that matter. If you’re serious about asset discovery and mapping attack surfaces, Subfinder should be one of your go-to tools.

    Learn more and download it here: Subfinder on GitHub