
BBOT - OSINT automation for hackers


BEE·bot

OSINT automation for hackers.


BBOT is a recursive, modular OSINT framework written in Python.

It can run the entire OSINT process in a single command, including subdomain enumeration, port scanning, web screenshots (with its gowitness module), vulnerability scanning (with nuclei), and much more.

BBOT currently has over 50 modules and is still growing.




Installation (pip)

pip install bbot

bbot --help

Prerequisites:

  • Linux or WSL
  • Python 3.9 or newer

Installation (docker)

# bleeding edge (dev)
docker run blacklanternsecurity/bbot --help

# stable
docker run blacklanternsecurity/bbot:stable --help

# note: alternatively there is a helper script that will map docker volumes to persist your BBOT scan data:
./bbot-docker.sh --help

If you need help with installation, see the wiki.

Scanning with BBOT

Note: the httpx module is recommended in most scans because BBOT uses it to visit web pages.

Examples

# list modules
bbot -l

# subdomain enumeration
bbot --flags subdomain-enum --modules httpx --targets evilcorp.com

# passive modules only
bbot --flags passive --targets evilcorp.com

# web screenshots with gowitness
bbot -m naabu httpx gowitness --name my_scan --output-dir . -t subdomains.txt

# web scan
bbot -f web-basic -t www.evilcorp.com

# web spider (search for emails, etc.)
bbot -m httpx -c web_spider_distance=2 web_spider_depth=2 -t www.evilcorp.com

# everything at once because yes
bbot -f subdomain-enum web-basic -m naabu gowitness -c web_spider_distance=2 web_spider_depth=2 -t evilcorp.com

Targets

In BBOT, targets are used to seed a scan. You can specify any number of targets, and if you need more granular control over scope, you can also use whitelists and blacklists.

# multiple targets
bbot -t evilcorp.com evilcorp.co.uk 1.2.3.0/24 targets.txt

# seed a scan with two domains, but only consider assets to be in scope if they are inside 1.2.3.0/24
bbot -t evilcorp.com evilcorp.co.uk --whitelist 1.2.3.0/24 --blacklist test.evilcorp.com 1.2.3.4

Visit the wiki for more tips and tricks, including details on how BBOT handles scope and how to adjust it if necessary.
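The whitelist and blacklist rules above are easy to get wrong in practice: an explicit whitelist replaces the targets as the in-scope set (so the seed domains on the second command line above are no longer in scope themselves), a blacklist wins over everything, and subdomains of an in-scope name are in scope unless --strict-scope is given. The following is an added example, written for this page and not BBOT's own scoping code, that models those documented rules so you can check a candidate asset against a planned command line before running it. The Scope class and its method names are this example's; treating a blacklist entry as also covering its subdomains and the addresses inside a blacklisted network is an assumption of the example.

```python
import ipaddress

# Added example modelling the scope rules documented for -t/--targets,
# -w/--whitelist, -b/--blacklist and --strict-scope. It illustrates those
# rules and is not BBOT's own scope implementation.


def _parse(entry):
    """Classify an entry as an IP network (a bare IP becomes a /32 or /128) or a hostname."""
    try:
        return "net", ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return "host", entry.strip().rstrip(".").lower()


def _matches(asset, entries, strict):
    """True if asset equals, lies inside, or (unless strict) is a subdomain of any entry."""
    kind, value = _parse(asset)
    for ekind, evalue in entries:
        if kind != ekind:
            continue  # hostnames never match networks and vice versa
        if kind == "net":
            if value.version == evalue.version and value.subnet_of(evalue):
                return True
        else:
            if value == evalue:
                return True
            # --strict-scope: subdomains of a listed name are NOT in scope
            if not strict and value.endswith("." + evalue):
                return True
    return False


class Scope:
    def __init__(self, targets, whitelist=None, blacklist=None, strict_scope=False):
        self.targets = [_parse(t) for t in targets]
        # Per the --whitelist help text the whitelist defaults to the targets;
        # an explicit whitelist replaces them as the in-scope set.
        self.whitelist = [_parse(w) for w in (whitelist or targets)]
        self.blacklist = [_parse(b) for b in (blacklist or [])]
        self.strict = strict_scope

    def is_blacklisted(self, asset):
        # Assumption of this example: a blacklist entry also covers its subdomains
        # and the addresses inside a blacklisted network, regardless of --strict-scope.
        return _matches(asset, self.blacklist, strict=False)

    def in_scope(self, asset):
        """Blacklist wins over whitelist; otherwise the whitelist (plus subdomain rule) decides."""
        if self.is_blacklisted(asset):
            return False
        return _matches(asset, self.whitelist, self.strict)


if __name__ == "__main__":
    # The second command line from the Targets section above.
    scope = Scope(
        ["evilcorp.com", "evilcorp.co.uk"],
        whitelist=["1.2.3.0/24"],
        blacklist=["test.evilcorp.com", "1.2.3.4"],
    )
    for asset in ["1.2.3.5", "1.2.3.4", "evilcorp.com", "www.evilcorp.com"]:
        print(f"{asset:20} in scope: {scope.in_scope(asset)}")
```

With that whitelist in place even the seed domain evilcorp.com reports in scope: False, which is exactly what the comment on that command line says; drop the whitelist and its subdomains come back into scope until you add --strict-scope.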

Using BBOT as a Python library

from bbot.scanner import Scanner

# any number of targets can be specified
scan = Scanner("evilcorp.com", "1.2.3.0/24", modules=["naabu"])
for event in scan.start():
    print(event)

Output

BBOT can output to TXT, JSON, CSV, Neo4j and more with --output-module. You can output to several formats at once.

# tee to a file
bbot -f subdomain-enum -t evilcorp.com | tee evilcorp.txt

# output to JSON
bbot --output-module json -f subdomain-enum -t evilcorp.com | jq

# output to CSV, TXT, and JSON, in current directory
bbot -o . --output-module human csv json -f subdomain-enum -t evilcorp.com

For each scan, BBOT generates a unique and slightly humorous name, such as fuzzy_gandalf. The output for that scan, including the word cloud and any gowitness screenshots, etc., is saved in a folder with that name under ~/.bbot/scans. The 20 most recent scans are kept and older ones are removed. You can change the location of BBOT's output with --output-dir, and you can also choose a custom scan name with --name.

If you reuse a scan name, BBOT appends to the original output files and takes advantage of the previous word cloud.
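With --output-module json each event is a JSON object, one per line, which is the form you want when BBOT feeds other tooling. The following added example (written for this page, not part of BBOT) parses such a stream, tolerates non-JSON lines such as log output mixed into stdout, and summarises it by event type, in-scope hosts, affiliate hosts, open ports and findings. The sample lines are constructed; the field names used (type, data, module, scope_distance, tags) follow BBOT's event model as this editor knows it, so check them against your own output before relying on the script.

```python
import json
import sys
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of JSON-lines output (one event per line). The field
# names are assumed to match BBOT's event model; verify against real output.
SAMPLE_JSONL = """\
{"type": "SCAN", "data": "fuzzy_gandalf (constructed)", "module": "TARGET", "scope_distance": 0, "tags": []}
{"type": "DNS_NAME", "data": "evilcorp.com", "module": "TARGET", "scope_distance": 0, "tags": ["target", "in-scope"]}
{"type": "DNS_NAME", "data": "www.evilcorp.com", "module": "crt", "scope_distance": 0, "tags": ["in-scope", "resolved"]}
{"type": "DNS_NAME", "data": "www.evilcorp.com", "module": "otx", "scope_distance": 0, "tags": ["in-scope", "resolved"]}
{"type": "DNS_NAME", "data": "cdn.example.net", "module": "sslcert", "scope_distance": 1, "tags": ["affiliate", "resolved"]}
{"type": "OPEN_TCP_PORT", "data": "www.evilcorp.com:443", "module": "naabu", "scope_distance": 0, "tags": ["in-scope"]}
{"type": "URL", "data": "https://www.evilcorp.com/", "module": "httpx", "scope_distance": 0, "tags": ["in-scope", "status-200"]}
{"type": "FINDING", "data": {"host": "www.evilcorp.com", "description": "NTLM authentication endpoint"}, "module": "ntlm", "scope_distance": 0, "tags": ["in-scope"]}
[INFO] this is a log line that is not JSON and must be skipped
"""


def parse_events(text):
    """Parse JSON-lines output, silently skipping lines that are not JSON objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "type" in obj:
            events.append(obj)
    return events


def host_of(event):
    """Extract the host from the event's data, whichever shape it takes."""
    data = event.get("data")
    if isinstance(data, dict):
        return data.get("host")
    if not isinstance(data, str):
        return None
    if "://" in data:  # URL
        return urlsplit(data).hostname
    if event.get("type") == "OPEN_TCP_PORT":  # host:port
        return data.rsplit(":", 1)[0]
    return data


def summarize(events):
    """Roll a stream of events up into what an analyst wants to see first."""
    counts = Counter(e["type"] for e in events)
    # scope_distance 0 = in scope; larger = affiliate, further from the targets
    in_scope_hosts = sorted({e["data"] for e in events
                             if e["type"] == "DNS_NAME" and e.get("scope_distance") == 0})
    affiliates = sorted({e["data"] for e in events
                         if e["type"] == "DNS_NAME" and e.get("scope_distance", 0) > 0})
    open_ports = sorted(e["data"] for e in events if e["type"] == "OPEN_TCP_PORT")
    findings = [
        (host_of(e), e["data"].get("description") if isinstance(e["data"], dict) else str(e["data"]))
        for e in events if e["type"] in ("FINDING", "VULNERABILITY")
    ]
    return {
        "counts": dict(counts),
        "in_scope_hosts": in_scope_hosts,
        "affiliates": affiliates,
        "open_ports": open_ports,
        "findings": findings,
    }


if __name__ == "__main__":
    # Pipe real output in (bbot --output-module json ... | python this_script.py),
    # or run without stdin to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSONL
    print(json.dumps(summarize(parse_events(text)), indent=2))
```

Deduplicating DNS_NAME events matters: the same host is commonly reported by several modules (crt and otx in the sample), and a naive line count overstates the attack surface.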

Neo4j

Neo4j is the most fun (and prettiest) way to visualize and interact with BBOT data.

  • You can get Neo4j up and running with a single docker command:
docker run -p 7687:7687 -p 7474:7474 --env NEO4J_AUTH=neo4j/bbotislife neo4j
  • After that, run bbot with --output-modules neo4j:
bbot -f subdomain-enum -t evilcorp.com --output-modules human neo4j

Usage

$ bbot --help
usage: bbot [-h] [--help-all] [-t TARGET [TARGET ...]] [-w WHITELIST [WHITELIST ...]] [-b BLACKLIST [BLACKLIST ...]] [--strict-scope] [-n SCAN_NAME] [-m MODULE [MODULE ...]] [-l] [-em MODULE [MODULE ...]]
[-f FLAG [FLAG ...]] [-rf FLAG [FLAG ...]] [-ef FLAG [FLAG ...]] [-om MODULE [MODULE ...]] [-o DIR] [-c [CONFIG ...]] [--allow-deadly] [-v] [-d] [-s] [--force] [-y] [--dry-run] [--current-config]
[--save-wordcloud FILE] [--load-wordcloud FILE] [--no-deps | --force-deps | --retry-deps | --ignore-failed-deps | --install-all-deps] [-a] [--version]

Bighuge BLS OSINT Tool

options:
-h, --help show this help message and exit
--help-all Display full help including module config options
-n SCAN_NAME, --name SCAN_NAME
Name of scan (default: random)
-m MODULE [MODULE ...], --modules MODULE [MODULE ...]
Modules to enable. Choices: affiliates,asn,azure_tenant,binaryedge,builtwith,bypass403,c99,censys,certspotter,cookie_brute,crobat,crt,dnscommonsrv,dnsdumpster,dnszonetransfer,emailformat,ffuf,ffuf_shortnames,fullhunt,generic_ssrf,getparam_brute,github,gowitness,hackertarget,header_brute,host_header,httpx,hunt,hunterio,iis_shortnames,ipneighbor,leakix,massdns,naabu,ntlm,nuclei,otx,passivetotal,pgp,rapiddns,riddler,securitytrails,shodan_dns,skymem,smuggler,sslcert,sublist3r,telerik,threatminer,urlscan,vhost,viewdns,virustotal,wappalyzer,wayback,zoomeye
-l, --list-modules List available modules.
-em MODULE [MODULE ...], --exclude-modules MODULE [MODULE ...]
Exclude these modules.
-f FLAG [FLAG ...], --flags FLAG [FLAG ...]
Enable modules by flag. Choices: active,aggressive,brute-force,deadly,email-enum,iis-shortnames,passive,portscan,report,safe,slow,subdomain-enum,web-advanced,web-basic,web-paramminer,web-screenshots
-rf FLAG [FLAG ...], --require-flags FLAG [FLAG ...]
Disable modules that don't have these flags (e.g. --require-flags passive)
-ef FLAG [FLAG ...], --exclude-flags FLAG [FLAG ...]
Disable modules with these flags. (e.g. --exclude-flags brute-force)
-om MODULE [MODULE ...], --output-modules MODULE [MODULE ...]
Output module(s). Choices: csv,http,human,json,neo4j,websocket
-o DIR, --output-dir DIR
-c [CONFIG ...], --config [CONFIG ...]
custom config file, or configuration options in key=value format: 'modules.shodan.api_key=1234'
--allow-deadly Enable the use of highly aggressive modules
-v, --verbose Be more verbose
-d, --debug Enable debugging
-s, --silent Be quiet
--force Run scan even if module setups fail
-y, --yes Skip scan confirmation prompt
--dry-run Abort before executing scan
--current-config Show current config in YAML format

Target:
-t TARGET [TARGET ...], --targets TARGET [TARGET ...]
Targets to seed the scan
-w WHITELIST [WHITELIST ...], --whitelist WHITELIST [WHITELIST ...]
What's considered in-scope (by default it's the same as --targets)
-b BLACKLIST [BLACKLIST ...], --blacklist BLACKLIST [BLACKLIST ...]
Don't touch these things
--strict-scope Don't consider subdomains of target/whitelist to be in-scope

Word cloud:
Save/load wordlist of common words gathered during a scan

--save-wordcloud FILE
Output wordcloud to custom file when the scan completes
--load-wordcloud FILE
Load wordcloud from a custom file

Module dependencies:
Control how modules install their dependencies

--no-deps Don't install module dependencies
--force-deps Force install all module dependencies
--retry-deps Try again to install failed module dependencies
--ignore-failed-deps Run modules even if they have failed dependencies
--install-all-deps Install dependencies for all modules

Agent:
Report back to a central server

-a, --agent-mode Start in agent mode

Misc:
--version show BBOT version and exit
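The -m, -f, -em, -rf and -ef options above compose, and it is worth knowing exactly how before pointing a scan at a client: a flag enables a family of modules, --require-flags then prunes modules lacking the required flags, --exclude-flags prunes modules carrying an excluded flag, and --allow-deadly gates the highly aggressive ones. The following added example (not BBOT's own module loader) applies those rules to a subset of the module table from this page so you can dry-run a selection offline. Two points are this example's interpretation rather than stated on the page: that --require-flags means a module must carry all of the listed flags, and that --allow-deadly refers to modules carrying the deadly flag.

```python
# Added example: resolve which modules a BBOT command line would enable,
# using the flag rules from the --help text. Not BBOT's own module loader.

# A subset of the module table on this page: module -> its flags.
MODULE_FLAGS = {
    "httpx": {"active", "safe", "web-basic"},
    "wappalyzer": {"active", "safe", "web-basic"},
    "ntlm": {"active", "safe", "web-basic"},
    "telerik": {"active", "aggressive", "slow", "web-basic"},
    "gowitness": {"active", "safe", "web-screenshots"},
    "naabu": {"active", "aggressive", "portscan"},
    "nuclei": {"active", "aggressive", "deadly", "web-advanced"},
    "ffuf": {"active", "aggressive", "brute-force", "deadly", "web-advanced"},
    "vhost": {"active", "aggressive", "brute-force", "deadly", "slow", "web-advanced"},
    "dnszonetransfer": {"active", "safe", "subdomain-enum"},
    "sslcert": {"active", "email-enum", "safe", "subdomain-enum"},
    "crt": {"passive", "safe", "subdomain-enum"},
    "otx": {"passive", "safe", "subdomain-enum"},
    "shodan_dns": {"passive", "safe", "subdomain-enum"},
    "massdns": {"aggressive", "brute-force", "passive", "slow", "subdomain-enum"},
    "ipneighbor": {"aggressive", "passive", "subdomain-enum"},
}


def select_modules(flags=(), modules=(), exclude_modules=(), require_flags=(),
                   exclude_flags=(), allow_deadly=False, catalog=MODULE_FLAGS):
    """Return (enabled, disabled): a sorted list and a dict of module -> reason it was dropped."""
    unknown = (set(modules) | set(exclude_modules)) - set(catalog)
    if unknown:
        raise ValueError(f"unknown module(s): {sorted(unknown)}")

    # -f enables every module carrying any of the flags; -m adds modules by name
    candidates = {name for name, mf in catalog.items() if mf & set(flags)}
    candidates |= set(modules)

    enabled, disabled = [], {}
    for name in sorted(candidates):
        mf = catalog[name]
        if name in exclude_modules:
            disabled[name] = "excluded by -em"
        elif not set(require_flags) <= mf:  # assumption: ALL required flags are needed
            disabled[name] = f"lacks required flag(s) {sorted(set(require_flags) - mf)}"
        elif mf & set(exclude_flags):
            disabled[name] = f"has excluded flag(s) {sorted(mf & set(exclude_flags))}"
        elif "deadly" in mf and not allow_deadly:  # assumption: this is what --allow-deadly gates
            disabled[name] = "deadly; needs --allow-deadly"
        else:
            enabled.append(name)
    return enabled, disabled


if __name__ == "__main__":
    # bbot -f subdomain-enum -m httpx -ef brute-force
    on, off = select_modules(flags=["subdomain-enum"], modules=["httpx"],
                             exclude_flags=["brute-force"])
    print("enabled:", on)
    for name, why in off.items():
        print(f"disabled: {name}: {why}")
```

A useful habit for engagements with a strict rules-of-engagement document is -rf passive (nothing touches the target) or -ef brute-force aggressive (nothing noisy); the function above shows which modules each of those actually removes from a -f subdomain-enum scan.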

BBOT Configuration

BBOT loads its configuration from these locations, in the following order:

  • ~/.config/bbot/defaults.yml
  • ~/.config/bbot/bbot.yml <-- use this as your main config
  • ~/.config/bbot/secrets.yml <-- use this for sensitive things such as API keys
  • command line (via --config)

These config files are created for you automatically the first time you run BBOT.

Command-line arguments take precedence over everything else. You can give BBOT a custom config file with --config myconf.yml, or individual arguments like this: --config http_proxy=http://127.0.0.1:8080 modules.shodan_dns.api_key=1234. To display BBOT's full current config, including any command-line arguments, use bbot --current-config.

For explanations of the configuration options, see defaults.yml or the wiki.
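The precedence list above matters most for API keys: a key in secrets.yml silently wins over one in bbot.yml, and a --config key=value on the command line wins over both, so a stale key in the wrong layer is a common reason a passive module returns nothing. The following added example (written for this page, not BBOT's own config loader) reproduces that layering on in-memory dictionaries standing in for the three YAML files, including the dotted-key syntax used by --config modules.shodan_dns.api_key=1234, and reports which layer supplied a given value. Treating the sample dictionaries as the file contents and keeping CLI values as plain strings are this example's assumptions; the config keys in the sample other than the ones shown on this page are constructed.

```python
import copy

# Added example: the config precedence described above, on dictionaries that
# stand in for defaults.yml, bbot.yml, secrets.yml and --config arguments.
# It illustrates the documented order and is not BBOT's own loader.


def deep_merge(base, overlay):
    """Return base updated by overlay, recursing into nested dicts so sibling keys survive."""
    out = copy.deepcopy(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def parse_override(arg):
    """Turn 'modules.shodan_dns.api_key=1234' into (['modules', 'shodan_dns', 'api_key'], '1234')."""
    key, sep, value = arg.partition("=")
    if not sep or not key:
        raise ValueError(f"expected key=value, got {arg!r}")
    return key.split("."), value  # assumption: values are kept as strings here


def set_path(cfg, path, value):
    """Set a nested key in place, creating intermediate dicts; a scalar in the way is replaced."""
    node = cfg
    for part in path[:-1]:
        if not isinstance(node.get(part), dict):
            node[part] = {}
        node = node[part]
    node[path[-1]] = value


def effective_config(defaults, main, secrets, cli_args=()):
    """Layer the three files in the documented order, then apply --config key=value overrides."""
    cfg = {}
    for layer in (defaults, main, secrets):
        cfg = deep_merge(cfg, layer)
    for arg in cli_args:
        path, value = parse_override(arg)
        set_path(cfg, path, value)
    return cfg


def which_layer_wins(defaults, main, secrets, cli_args, dotted_path):
    """Name the source that supplied the final value at a dotted path (None if nothing set it)."""
    parts = dotted_path.split(".")
    winner = None
    for name, layer in (("defaults.yml", defaults), ("bbot.yml", main), ("secrets.yml", secrets)):
        node = layer
        for part in parts:
            node = node.get(part) if isinstance(node, dict) else None
        if node is not None:
            winner = name
    for arg in cli_args:
        if parse_override(arg)[0] == parts:
            winner = "command line"
    return winner


# Constructed sample contents standing in for the three files and the CLI.
DEFAULTS = {"http_proxy": None,
            "modules": {"shodan_dns": {"api_key": ""}, "massdns": {"max_resolvers": 1000}}}
MAIN = {"http_proxy": "http://127.0.0.1:8080"}
SECRETS = {"modules": {"shodan_dns": {"api_key": "key-from-secrets"}}}
CLI = ["modules.shodan_dns.api_key=1234"]

if __name__ == "__main__":
    cfg = effective_config(DEFAULTS, MAIN, SECRETS, CLI)
    print(cfg)
    for key in ("modules.shodan_dns.api_key", "http_proxy", "modules.massdns.max_resolvers"):
        print(f"{key}: set by {which_layer_wins(DEFAULTS, MAIN, SECRETS, CLI, key)}")
```

The recursive merge is the important detail: a flat dict.update() of the modules key would let secrets.yml wipe out every module setting in defaults.yml except the one it names.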

Modules

Note: you can find more fun and interesting modules in the Module Playground. For instructions on installing those other modules, see the wiki.

To see a full list of module config options, use --help-all.

| Module | Type | Needs API Key | Description | Flags | Produced Events |
|---|---|---|---|---|---|
| bypass403 | scan | | Check 403 pages for common bypasses | active,aggressive,web-advanced | FINDING |
| cookie_brute | scan | | Check for common HTTP cookie parameters | active,aggressive,brute-force,slow,web-paramminer | FINDING |
| dnszonetransfer | scan | | Attempt DNS zone transfers | active,safe,subdomain-enum | DNS_NAME |
| ffuf | scan | | A fast web fuzzer written in Go | active,aggressive,brute-force,deadly,web-advanced | URL |
| ffuf_shortnames | scan | | Use ffuf in combination with IIS shortnames | active,aggressive,brute-force,iis-shortnames,web-advanced | URL |
| generic_ssrf | scan | | Check for generic SSRFs | active,aggressive,web-advanced | VULNERABILITY |
| getparam_brute | scan | | Check for common HTTP GET parameters | active,aggressive,brute-force,slow,web-paramminer | FINDING |
| gowitness | scan | | Take screenshots of webpages | active,safe,web-screenshots | SCREENSHOT |
| header_brute | scan | | Check for common HTTP header parameters | active,aggressive,brute-force,slow,web-paramminer | FINDING |
| host_header | scan | | Try common HTTP Host header spoofing techniques | active,aggressive,web-advanced | FINDING |
| httpx | scan | | Visit webpages. Many other modules rely on httpx | active,safe,web-basic | HTTP_RESPONSE,URL |
| hunt | scan | | Watch for commonly-exploitable HTTP parameters | active,safe,web-advanced | FINDING |
| iis_shortnames | scan | | Check for IIS shortname vulnerability | active,iis-shortnames,safe,web-basic | URL_HINT |
| naabu | scan | | Execute port scans with naabu | active,aggressive,portscan | OPEN_TCP_PORT |
| ntlm | scan | | Watch for HTTP endpoints that support NTLM authentication | active,safe,web-basic | DNS_NAME,FINDING |
| nuclei | scan | | Fast and customisable vulnerability scanner | active,aggressive,deadly,web-advanced | VULNERABILITY |
| smuggler | scan | | Check for HTTP smuggling | active,aggressive,brute-force,slow,web-advanced | FINDING |
| sslcert | scan | | Visit open ports and retrieve SSL certificates | active,email-enum,safe,subdomain-enum | DNS_NAME,EMAIL_ADDRESS |
| telerik | scan | | Scan for critical Telerik vulnerabilities | active,aggressive,slow,web-basic | FINDING,VULNERABILITY |
| vhost | scan | | Fuzz for virtual hosts | active,aggressive,brute-force,deadly,slow,web-advanced | DNS_NAME,VHOST |
| wappalyzer | scan | | Extract technologies from web responses | active,safe,web-basic | TECHNOLOGY |
| affiliates | scan | | Summarize affiliate domains at the end of a scan | passive,report,safe | |
| asn | scan | | Query bgpview.io for ASNs | passive,report,safe,subdomain-enum | ASN |
| azure_tenant | scan | | Query Azure for tenant sister domains | passive,safe,subdomain-enum | DNS_NAME |
| binaryedge | scan | X | Query the BinaryEdge API | passive,safe,subdomain-enum | DNS_NAME |
| builtwith | scan | X | Query Builtwith.com for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| c99 | scan | X | Query the C99 API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| censys | scan | X | Query the Censys API | email-enum,passive,safe,subdomain-enum | DNS_NAME,EMAIL_ADDRESS,IP_ADDRESS,OPEN_PORT,PROTOCOL |
| certspotter | scan | | Query Certspotter's API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| crobat | scan | | Query Project Crobat for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| crt | scan | | Query crt.sh (certificate transparency) for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| dnscommonsrv | scan | | Check for common SRV records | passive,safe,subdomain-enum | DNS_NAME |
| dnsdumpster | scan | | Query dnsdumpster for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| emailformat | scan | | Query email-format.com for email addresses | email-enum,passive,safe | EMAIL_ADDRESS |
| fullhunt | scan | X | Query the fullhunt.io API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| github | scan | X | Query Github's API for related repositories | passive,safe,subdomain-enum | URL_UNVERIFIED |
| hackertarget | scan | | Query the hackertarget.com API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| hunterio | scan | X | Query hunter.io for emails | email-enum,passive,safe,subdomain-enum | DNS_NAME,EMAIL_ADDRESS,URL_UNVERIFIED |
| ipneighbor | scan | | Look beside IPs in their surrounding subnet | aggressive,passive,subdomain-enum | IP_ADDRESS |
| leakix | scan | | Query leakix.net for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| massdns | scan | | Brute-force subdomains with massdns (highly effective) | aggressive,brute-force,passive,slow,subdomain-enum | DNS_NAME |
| otx | scan | | Query otx.alienvault.com for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| passivetotal | scan | X | Query the PassiveTotal API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| pgp | scan | | Query common PGP servers for email addresses | email-enum,passive,safe | EMAIL_ADDRESS |
| rapiddns | scan | | Query rapiddns.io for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| riddler | scan | | Query riddler.io for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| securitytrails | scan | X | Query the SecurityTrails API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| shodan_dns | scan | X | Query Shodan for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| skymem | scan | | Query skymem.info for email addresses | email-enum,passive,safe | EMAIL_ADDRESS |
| sublist3r | scan | | Query sublist3r's API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| threatminer | scan | | Query threatminer's API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| urlscan | scan | | Query urlscan.io for subdomains | passive,safe,subdomain-enum | DNS_NAME,URL_UNVERIFIED |
| viewdns | scan | | Query viewdns.info's reverse whois for related domains | passive,safe,subdomain-enum | DNS_NAME |
| virustotal | scan | X | Query VirusTotal's API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| wayback | scan | | Query archive.org's API for subdomains | passive,safe,subdomain-enum | DNS_NAME,URL_UNVERIFIED |
| zoomeye | scan | X | Query ZoomEye's API for subdomains | passive,safe,subdomain-enum | DNS_NAME |
| csv | output | | Output to CSV | | |
| http | output | | Output to HTTP | | |
| human | output | | Output to text | | |
| json | output | | Output to JSON | | |
| neo4j | output | | Output to Neo4j | | |
| websocket | output | | Output to websockets | | |
| aggregate | internal | | Report on scan statistics | passive,safe | SUMMARY |
| excavate | internal | | Passively extract juicy tidbits from scan data | passive | URL_UNVERIFIED |
| speculate | internal | | Derive certain event types from others by common sense | passive | DNS_NAME,IP_ADDRESS,OPEN_TCP_PORT |

Credits

BBOT is written by @TheTechromancer. Web hacking in BBOT is made possible by @liquidsec, who wrote most of the web-oriented modules and helpers.

Very special thanks to the following people who made BBOT possible:

  • @kerrymilan for his Neo4j and Ansible expertise
  • Steve Micallef (@smicallef) for creating Spiderfoot, from which BBOT draws heavy inspiration
  • Aleksei Kornev (@alekseiko) for granting us ownership of the bbot PyPI repository <3

