Essential BBOT Commands for Recon

2025-01-15

BBOT (BEE·bot) is a powerful recursive internet scanner designed for reconnaissance, bug bounties, and attack surface management. Think of it as your all-in-one tool for information gathering and security assessment.

I prefer running BBOT through Docker for consistent behavior across environments:

# BBOT: Automated reconnaissance framework
bbot() {
  docker run --rm -it \
    -v "$HOME/.bbot:/root/.bbot" \
    -v "$HOME/.config/bbot:/root/.config/bbot" \
    blacklanternsecurity/bbot:stable "$@"
}

Add this function to your shell configuration file, and you’re ready to go.

Essential Commands

Here are some BBOT commands I regularly use in my security assessments:

Full Subdomain Enumeration

# Comprehensive subdomain discovery
bbot -t example.com -p subdomain-enum

Perfect for initial reconnaissance of a target domain. This command leverages multiple sources to build a complete picture of the target’s subdomain landscape.

Passive Subdomain Reconnaissance

# Non-intrusive subdomain discovery
bbot -t example.com -p subdomain-enum -rf passive

Ideal for situations requiring stealth or when active scanning isn’t appropriate. This method relies solely on external data sources without directly interacting with the target.

Enhanced Domain Visualization

# Combine subdomain enumeration with port scanning and web screenshots
bbot -t example.com -p subdomain-enum -m portscan gowitness

This command creates a comprehensive visual map of your target’s attack surface, combining port scanning with screenshots of the web interfaces it finds.

Basic Web Assessment

# Non-intrusive web technology enumeration
bbot -t example.com -p subdomain-enum web-basic

Gathers essential information about web technologies while maintaining a light touch. Includes technology fingerprinting and robots.txt analysis.

Targeted Web Crawling

# Controlled depth web crawling with automated analysis
bbot -t www.example.com \
    -p spider \
    -c web.spider_distance=2 web.spider_depth=2

Efficiently maps web application structure while automatically identifying sensitive information like emails and potential secrets.

Comprehensive Scan

# Full-spectrum reconnaissance
bbot -t example.com -p kitchen-sink

When you need the full picture, this command combines subdomain enumeration, email discovery, cloud bucket identification, port scanning, web analysis, and vulnerability scanning with nuclei.
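
The active presets above touch every target passed with -t, so a scope check in front of the bbot wrapper keeps a typo from scanning a host outside the engagement. The following is an added example, not part of the original post or of BBOT itself: the scope file path (one authorized domain per line) and the helper names are assumptions, and matching is by name only, so an IP or CIDR target has to be listed verbatim.

```shell
# Added example (not from BBOT): refuse to scan targets missing from a scope file.
# BBOT_SCOPE_FILE, in_scope, unauthorized_targets and safe_bbot are assumed names.
BBOT_SCOPE_FILE="${BBOT_SCOPE_FILE:-$HOME/.config/bbot/authorized_scope.txt}"

# in_scope HOST: true if HOST equals, or is a subdomain of, a listed entry.
in_scope() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=${host%.}                          # drop a trailing root dot
  [ -r "$BBOT_SCOPE_FILE" ] || return 1   # no scope file: nothing is allowed
  while IFS= read -r entry || [ -n "$entry" ]; do
    entry=${entry%%#*}                    # strip comments
    entry=$(printf '%s' "$entry" | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    [ -n "$entry" ] || continue
    case "$host" in
      "$entry"|*."$entry") return 0 ;;    # exact match or true subdomain
    esac
  done < "$BBOT_SCOPE_FILE"
  return 1
}

# unauthorized_targets ARGS...: print each -t/--targets value that is out of scope.
unauthorized_targets() {
  collecting=0
  for arg in "$@"; do
    case "$arg" in
      -t|--targets) collecting=1 ;;
      -*)           collecting=0 ;;       # any other flag ends the target list
      *)
        if [ "$collecting" -eq 1 ] && ! in_scope "$arg"; then
          printf '%s\n' "$arg"
        fi ;;
    esac
  done
  return 0
}

# safe_bbot ARGS...: run the bbot wrapper only when every target is in scope.
safe_bbot() {
  bad=$(unauthorized_targets "$@")
  if [ -n "$bad" ]; then
    printf 'Refusing to scan; not listed in %s:\n%s\n' "$BBOT_SCOPE_FILE" "$bad" >&2
    return 1
  fi
  bbot "$@"
}
```

Call safe_bbot with the same arguments you would give bbot; a missing or unreadable scope file blocks every scan rather than allowing all of them.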

This post is just scratching the surface. For more detailed information, check out the official BBOT repository and documentation.