List of Presets
Below is a list of every default BBOT preset, including its YAML.
baddns
Check for subdomain takeovers and other DNS issues.
baddns.yml
```yaml
description: Check for subdomain takeovers and other DNS issues.
modules:
  - baddns
config:
  modules:
    baddns:
      enabled_submodules: [CNAME, MX, TXT]
      min_severity: LOW
      min_confidence: MEDIUM
```
Modules: 0
baddns-heavy
Run all baddns modules and submodules.
baddns-heavy.yml
```yaml
description: Run all baddns modules and submodules.
include:
  - baddns
modules:
  - baddns_zone
  - baddns_direct
config:
  modules:
    baddns:
      enabled_submodules: [CNAME, NS, MX, TXT, references, DMARC, SPF, MTA-STS, WILDCARD]
      min_severity: INFO
      min_confidence: UNKNOWN
    baddns_zone:
      min_severity: INFO
      min_confidence: UNKNOWN
    baddns_direct:
      min_severity: INFO
      min_confidence: UNKNOWN
```
Modules: 0
cloud-enum
Enumerate cloud resources such as storage buckets, etc.
cloud-enum.yml
```yaml
description: Enumerate cloud resources such as storage buckets, etc.
include:
  - subdomain-enum
flags:
  - cloud-enum
```
Modules: 0
code-enum
Enumerate Git repositories, Docker images, etc.
code-enum.yml
```yaml
description: Enumerate Git repositories, Docker images, etc.
flags:
  - code-enum
```
Modules: 0
dirbust-heavy
Recursive web directory brute-force (aggressive)
dirbust-heavy.yml
```yaml
description: Recursive web directory brute-force (aggressive)
include:
  - spider
flags:
  - iis-shortnames
modules:
  - webbrute
  - wayback
config:
  modules:
    iis_shortnames:
      # we exploit the shortnames vulnerability to produce URL_HINTs which are consumed by webbrute_shortnames
      detect_only: False
    webbrute:
      max_depth: 3
      lines: 5000
      extensions:
        - php
        - asp
        - aspx
        - ashx
        - asmx
        - jsp
        - jspx
        - cfm
        - zip
        - conf
        - config
        - xml
        - json
        - yml
        - yaml
    # emit URLs from wayback
    wayback:
      urls: True
```
Category: web
Modules: 0
dirbust-light
Basic web directory brute-force (surface-level directories only)
dirbust-light.yml
```yaml
description: Basic web directory brute-force (surface-level directories only)
include:
  - iis-shortnames
modules:
  - webbrute
config:
  modules:
    webbrute:
      # wordlist size = 1000
      lines: 1000
```
Category: web
Modules: 0
dotnet-audit
Comprehensive scan for all IIS/.NET specific modules and module settings
dotnet-audit.yml
```yaml
description: Comprehensive scan for all IIS/.NET specific modules and module settings
include:
  - iis-shortnames
modules:
  - http
  - badsecrets
  - webbrute_shortnames
  - webbrute
  - telerik
  - ajaxpro
  - dotnetnuke
  - aspnet_bin_exposure
config:
  modules:
    webbrute:
      extensions: asp,aspx,ashx,asmx,ascx
      ignore_case: True
    webbrute_shortnames:
      find_subwords: True
    telerik:
      exploit_RAU_crypto: True
      include_subdirs: True # Run against every directory, not the default first received URL per-host
```
Category: web
Modules: 0
email-enum
Enumerate email addresses from APIs, web crawling, etc.
email-enum.yml
```yaml
description: Enumerate email addresses from APIs, web crawling, etc.
flags:
  - email-enum
output_modules:
  - emails
```
Modules: 0
fast
Scan only the provided targets as fast as possible - no extra discovery
fast.yml
```yaml
description: Scan only the provided targets as fast as possible - no extra discovery
exclude_modules:
  - excavate
config:
  # only scan the exact targets specified
  scope:
    strict: true
  # speed up dns resolution by doing A/AAAA only - not MX/NS/SRV/etc
  dns:
    minimal: true
  # essential speculation only
  modules:
    speculate:
      essential_only: true
```
Modules: 0
iis-shortnames
Recursively enumerate IIS shortnames
iis-shortnames.yml
```yaml
description: Recursively enumerate IIS shortnames
flags:
  - iis-shortnames
config:
  modules:
    iis_shortnames:
      # exploit the vulnerability
      detect_only: false
```
Category: web
Modules: 0
kitchen-sink
Everything everywhere all at once
kitchen-sink.yml
```yaml
description: Everything everywhere all at once
include:
  - subdomain-enum
  - cloud-enum
  - code-enum
  - email-enum
  - spider
  - web
  - paramminer
  - dirbust-light
  - web-screenshots
  - baddns-heavy
config:
  modules:
    baddns:
      enable_references: True
    dnsbrute:
      recursive_mutations: true
    dnscommonsrv:
      recursive_mutations: true
    wayback:
      urls: True
      parameters: True
      archive: True
```
Modules: 0
lightfuzz
Default fuzzing: all 9 submodules (cmdi, crypto, path, serial, sqli, ssti, xss, esi, ssrf) plus companion modules (badsecrets, hunt, reflected_parameters). POST fuzzing disabled but try_post_as_get enabled, so POST params are retested as GET. Skips confirmed WAFs.
lightfuzz.yml
```yaml
description: "Default fuzzing: all 9 submodules (cmdi, crypto, path, serial, sqli, ssti, xss, esi, ssrf) plus companion modules (badsecrets, hunt, reflected_parameters). POST fuzzing disabled but try_post_as_get enabled, so POST params are retested as GET. Skips confirmed WAFs."
include:
  - lightfuzz-light
modules:
  - badsecrets
  - hunt
  - reflected_parameters
config:
  modules:
    lightfuzz:
      enabled_submodules: [cmdi,crypto,path,serial,sqli,ssti,xss,esi,ssrf]
      try_post_as_get: True
```
Category: web
Modules: 0
lightfuzz-heavy
Aggressive fuzzing: everything in lightfuzz, plus paramminer brute-force parameter discovery (headers, GET params, cookies), POST request fuzzing enabled, try_get_as_post enabled (GET params retested as POST), and robots.txt parsing. Still skips confirmed WAFs.
lightfuzz-heavy.yml
```yaml
description: "Aggressive fuzzing: everything in lightfuzz, plus paramminer brute-force parameter discovery (headers, GET params, cookies), POST request fuzzing enabled, try_get_as_post enabled (GET params retested as POST), and robots.txt parsing. Still skips confirmed WAFs."
include:
  - lightfuzz
flags:
  - web-paramminer
modules:
  - robots
  - wayback
config:
  modules:
    lightfuzz:
      enabled_submodules: [cmdi,crypto,path,serial,sqli,ssti,xss,esi,ssrf]
      disable_post: False
      try_post_as_get: True
      try_get_as_post: True
    wayback:
      urls: True
      parameters: True
```
Category: web
Modules: 0
lightfuzz-light
Minimal fuzzing: only path traversal, SQLi, and XSS submodules. No POST requests. No companion modules. Safest option for running alongside larger scans with minimal overhead.
lightfuzz-light.yml
```yaml
description: "Minimal fuzzing: only path traversal, SQLi, and XSS submodules. No POST requests. No companion modules. Safest option for running alongside larger scans with minimal overhead."
modules:
  - http
  - lightfuzz
  - portfilter
config:
  url_querystring_remove: False # don't strip off the querystring (BBOT normally does this; but lightfuzz needs it)
  url_querystring_collapse: True # in cases where the same parameter has multiple values, collapse them into a single parameter to save on fuzzing attempts
  modules:
    lightfuzz:
      enabled_submodules: [path,sqli,xss] # only look for the most common vulnerabilities
      disable_post: True # don't send POST requests (less aggressive)
      avoid_wafs: True
conditions:
  - |
    {% if config.web.spider_distance == 0 %}
      {{ warn("Lightfuzz works much better with spider enabled! Consider adding 'spider' or 'spider-heavy' preset.") }}
    {% endif %}
```
Category: web
Modules: 0
lightfuzz-max
Maximum fuzzing: everything in lightfuzz-heavy, plus the heavy paramminer variant (1-3 letter brute-force on GET params, case mutation on case-sensitive backends, recycle_words on all paramminer modules), WAF targets are no longer skipped, each unique parameter-value pair is fuzzed individually (no collapsing), common headers like X-Forwarded-For are fuzzed even if not observed, and potential parameters are speculated from JSON/XML response bodies. Significantly increases scan time.
lightfuzz-max.yml
```yaml
description: "Maximum fuzzing: everything in lightfuzz-heavy, plus the heavy paramminer variant (1-3 letter brute-force on GET params, case mutation on case-sensitive backends, recycle_words on all paramminer modules), WAF targets are no longer skipped, each unique parameter-value pair is fuzzed individually (no collapsing), common headers like X-Forwarded-For are fuzzed even if not observed, and potential parameters are speculated from JSON/XML response bodies. Significantly increases scan time."
include:
  - lightfuzz-heavy
  - paramminer-heavy
config:
  url_querystring_collapse: False # in cases where the same parameter is observed multiple times, fuzz them individually instead of collapsing them into a single parameter
  modules:
    lightfuzz:
      force_common_headers: True # Fuzz common headers like X-Forwarded-For even if they're not observed on the target
      enabled_submodules: [cmdi,crypto,path,serial,sqli,ssti,xss,esi,ssrf]
      avoid_wafs: False
    excavate:
      speculate_params: True # speculate potential parameters extracted from JSON/XML web responses
    wayback:
      urls: True
      parameters: True
      archive: True
```
Category: web
Modules: 0
lightfuzz-xss
XSS-only: enables only the xss submodule with paramminer_getparams and reflected_parameters. POST disabled, no query string collapsing. Example of a focused single-submodule preset.
lightfuzz-xss.yml
```yaml
description: "XSS-only: enables only the xss submodule with paramminer_getparams and reflected_parameters. POST disabled, no query string collapsing. Example of a focused single-submodule preset."
modules:
  - http
  - lightfuzz
  - paramminer_getparams
  - reflected_parameters
  - portfilter
config:
  url_querystring_remove: False
  url_querystring_collapse: False
  modules:
    lightfuzz:
      enabled_submodules: [xss]
      disable_post: True
conditions:
  - |
    {% if config.web.spider_distance == 0 %}
      {{ warn("The lightfuzz-xss preset works much better with spider enabled! Consider adding 'spider' or 'spider-heavy' preset.") }}
    {% endif %}
```
Category: web
Modules: 0
nuclei
Run nuclei scans against all discovered targets
nuclei.yml
```yaml
description: Run nuclei scans against all discovered targets
modules:
  - http
  - nuclei
  - portfilter
config:
  modules:
    nuclei:
      directory_only: True # Do not run nuclei on individual non-directory URLs
conditions:
  - |
    {% if config.web.spider_distance != 0 %}
      {{ warn("Running nuclei with spider enabled is generally not recommended. Consider removing 'spider' preset.") }}
    {% endif %}
# Additional Examples:
# Slowing Down Scan
#config:
#  modules:
#    nuclei:
#      ratelimit: 10
#      concurrency: 5
```
Category: nuclei
Modules: 0
nuclei-budget
Run nuclei scans against all discovered targets, using budget mode to look for low hanging fruit with greatly reduced number of requests
nuclei-budget.yml
```yaml
description: Run nuclei scans against all discovered targets, using budget mode to look for low hanging fruit with greatly reduced number of requests
modules:
  - http
  - nuclei
  - portfilter
config:
  modules:
    nuclei:
      mode: budget
      budget: 10
      directory_only: true # Do not run nuclei on individual non-directory URLs
conditions:
  - |
    {% if config.web.spider_distance != 0 %}
      {{ warn("Running nuclei with spider enabled is generally not recommended. Consider removing 'spider' preset.") }}
    {% endif %}
```
Category: nuclei
Modules: 0
nuclei-heavy
Run nuclei scans against all discovered targets, allowing for spidering, against ALL URLs, and with additional discovery modules.
nuclei-heavy.yml
```yaml
description: Run nuclei scans against all discovered targets, allowing for spidering, against ALL URLs, and with additional discovery modules.
modules:
  - http
  - nuclei
  - robots
  - urlscan
  - portfilter
  - wayback
config:
  modules:
    nuclei:
      directory_only: False # Will run nuclei on ALL discovered URLs - Be careful!
    wayback:
      urls: true
conditions:
  - |
    {% if config.web.spider_distance == 0 and config.modules.nuclei.directory_only == False %}
      {{ warn("The 'nuclei-heavy' preset turns the 'directory_only' limitation off on the nuclei module. To make the best use of this, you may want to enable spidering with 'spider' or 'spider-heavy' preset.") }}
    {% endif %}
# Example for also running a dirbust
#include:
#  - dirbust-light
```
Category: nuclei
Modules: 0
nuclei-technology
Run nuclei scans against all discovered targets, running templates which match discovered technologies
nuclei-technology.yml
```yaml
description: Run nuclei scans against all discovered targets, running templates which match discovered technologies
modules:
  - http
  - nuclei
  - portfilter
config:
  modules:
    nuclei:
      mode: technology
      directory_only: True # Do not run nuclei on individual non-directory URLs. This is less unsafe to disable with technology mode.
conditions:
  - |
    {% if config.web.spider_distance != 0 %}
      {{ warn("Running nuclei with spider enabled is generally not recommended. Consider removing 'spider' preset.") }}
    {% endif %}
# Example for also running a dirbust
#include:
#  - dirbust-light
```
Category: nuclei
Modules: 0
paramminer
Discover new web parameters via brute-force, and analyze them with additional modules
paramminer.yml
```yaml
description: Discover new web parameters via brute-force, and analyze them with additional modules
flags:
  - web-paramminer
modules:
  - http
  - reflected_parameters
  - hunt
conditions:
  - |
    {% if config.web.spider_distance == 0 %}
      {{ warn("The paramminer preset works much better with spider enabled! Consider adding 'spider' or 'spider-heavy' preset.") }}
    {% endif %}
```
Category: web
Modules: 0
paramminer-heavy
Aggressive paramminer brute-force: enables 1-3 letter combination brute-force on GET parameters and case mutation (camelCase / Title-case variants) on case-sensitive backends. Significantly increases scan time.
paramminer-heavy.yml
```yaml
description: "Aggressive paramminer brute-force: enables 1-3 letter combination brute-force on GET parameters and case mutation (camelCase / Title-case variants) on case-sensitive backends. Significantly increases scan time."
include:
  - paramminer
config:
  modules:
    paramminer_getparams:
      brute_short: True
      mutate_case: True
      recycle_words: True
    paramminer_headers:
      recycle_words: True
    paramminer_cookies:
      recycle_words: True
```
Category: web
Modules: 0
spider
Recursive web spider
spider.yml
```yaml
description: Recursive web spider
modules:
  - http
blacklist:
  # Prevent spider from invalidating sessions by logging out
  - "RE:/.*(sign|log)[_-]?out"
config:
  web:
    # how many links to follow in a row
    spider_distance: 2
    # don't follow links whose directory depth is higher than 4
    spider_depth: 4
    # maximum number of links to follow per page
    spider_links_per_page: 25
```
Modules: 0
spider-heavy
Recursive web spider with more aggressive settings
spider-heavy.yml
```yaml
description: Recursive web spider with more aggressive settings
include:
  - spider
config:
  web:
    # how many links to follow in a row
    spider_distance: 4
    # don't follow links whose directory depth is higher than 6
    spider_depth: 6
    # maximum number of links to follow per page
    spider_links_per_page: 50
```
Modules: 0
subdomain-enum
Enumerate subdomains via APIs, brute-force
subdomain-enum.yml
```yaml
description: Enumerate subdomains via APIs, brute-force
flags:
  # enable every module with the subdomain-enum flag
  - subdomain-enum
output_modules:
  # output unique subdomains to TXT file
  - subdomains
config:
  dns:
    threads: 25
    brute_threads: 1000
  # put your API keys here
  # modules:
  #   github:
  #     api_key: ""
  #   chaos:
  #     api_key: ""
  #   securitytrails:
  #     api_key: ""
```
Modules: 0
tech-detect
Detect technologies via Nuclei, and FingerprintX
tech-detect.yml
```yaml
description: Detect technologies via Nuclei, and FingerprintX
modules:
  - nuclei
  - fingerprintx
config:
  modules:
    nuclei:
      tags: tech
```
Modules: 0
test
Detect technologies via Nuclei, and FingerprintX
test.yml
```yaml
description: Detect technologies via Nuclei, and FingerprintX
modules:
  - nuclei
  - fingerprintx
target:
  - tesasdft.txt
config:
  modules:
    nuclei:
      tags: tech
```
Modules: 0
web
Quick web scan
web.yml
```yaml
description: Quick web scan
include:
  - iis-shortnames
flags:
  - web
```
Modules: 0
web-heavy
Aggressive web scan
web-heavy.yml
```yaml
description: Aggressive web scan
include:
  # include the web preset
  - web
flags:
  - web-heavy
```
Modules: 0
web-screenshots
Take screenshots of webpages
web-screenshots.yml
```yaml
description: Take screenshots of webpages
flags:
  - web-screenshots
config:
  modules:
    gowitness:
      resolution_x: 1440
      resolution_y: 900
      # folder to output web screenshots (default is inside ~/.bbot/scans/scan_name)
      output_path: ""
      # whether to take screenshots of social media pages
      social: True
```
Modules: 3
web-thorough
Aggressive web scan
web-thorough.yml
```yaml
description: Aggressive web scan
include:
  # include the web-basic preset
  - web-basic
flags:
  - web-thorough
```
Modules: 32
wayback
Discover URLs and interesting archived files via the Wayback Machine
wayback.yml
```yaml
description: Discover URLs and interesting archived files via the Wayback Machine
include:
  - subdomain-enum
modules:
  - wayback
config:
  modules:
    wayback:
      urls: True
```
Modules: 52
wayback-heavy
Full Wayback Machine integration - URL discovery, parameter extraction, archived page retrieval, and interesting file detection
wayback-heavy.yml
```yaml
description: Full Wayback Machine integration - URL discovery, parameter extraction, archived page retrieval, and interesting file detection
include:
  - subdomain-enum
modules:
  - wayback
  - badsecrets
config:
  modules:
    wayback:
      urls: True
      parameters: True
      archive: True
```
Modules: 53
Table of Default Presets
Here is the same data, but in a table:
| Preset | Category | Description | # Modules | Modules |
|---|---|---|---|---|
| baddns | | Check for subdomain takeovers and other DNS issues. | 1 | baddns |
| baddns-heavy | | Run all baddns modules and submodules. | 3 | baddns, baddns_direct, baddns_zone |
| cloud-enum | | Enumerate cloud resources such as storage buckets, etc. | 0 | |
| code-enum | | Enumerate Git repositories, Docker images, etc. | 0 | |
| dirbust-heavy | web | Recursive web directory brute-force (aggressive) | 3 | http, wayback, webbrute |
| dirbust-light | web | Basic web directory brute-force (surface-level directories only) | 1 | webbrute |
| dotnet-audit | web | Comprehensive scan for all IIS/.NET specific modules and module settings | 8 | ajaxpro, aspnet_bin_exposure, badsecrets, dotnetnuke, http, telerik, webbrute, webbrute_shortnames |
| email-enum | | Enumerate email addresses from APIs, web crawling, etc. | 0 | |
| fast | | Scan only the provided targets as fast as possible - no extra discovery | 0 | |
| iis-shortnames | web | Recursively enumerate IIS shortnames | 0 | |
| kitchen-sink | | Everything everywhere all at once | 7 | baddns, baddns_direct, baddns_zone, http, hunt, reflected_parameters, webbrute |
| lightfuzz | web | Default fuzzing: all 9 submodules (cmdi, crypto, path, serial, sqli, ssti, xss, esi, ssrf) plus companion modules (badsecrets, hunt, reflected_parameters). POST fuzzing disabled but try_post_as_get enabled, so POST params are retested as GET. Skips confirmed WAFs. | 6 | badsecrets, http, hunt, lightfuzz, portfilter, reflected_parameters |
| lightfuzz-heavy | web | Aggressive fuzzing: everything in lightfuzz, plus paramminer brute-force parameter discovery (headers, GET params, cookies), POST request fuzzing enabled, try_get_as_post enabled (GET params retested as POST), and robots.txt parsing. Still skips confirmed WAFs. | 7 | badsecrets, http, hunt, lightfuzz, portfilter, reflected_parameters, robots |
| lightfuzz-light | web | Minimal fuzzing: only path traversal, SQLi, and XSS submodules. No POST requests. No companion modules. Safest option for running alongside larger scans with minimal overhead. | 3 | http, lightfuzz, portfilter |
| lightfuzz-max | web | Maximum fuzzing: everything in lightfuzz-heavy, plus the heavy paramminer variant (1-3 letter brute-force on GET params, case mutation on case-sensitive backends, recycle_words on all paramminer modules), WAF targets are no longer skipped, each unique parameter-value pair is fuzzed individually (no collapsing), common headers like X-Forwarded-For are fuzzed even if not observed, and potential parameters are speculated from JSON/XML response bodies. Significantly increases scan time. | 7 | badsecrets, http, hunt, lightfuzz, portfilter, reflected_parameters, robots |
| lightfuzz-xss | web | XSS-only: enables only the xss submodule with paramminer_getparams and reflected_parameters. POST disabled, no query string collapsing. Example of a focused single-submodule preset. | 5 | http, lightfuzz, paramminer_getparams, portfilter, reflected_parameters |
| nuclei | nuclei | Run nuclei scans against all discovered targets | 3 | http, nuclei, portfilter |
| nuclei-budget | nuclei | Run nuclei scans against all discovered targets, using budget mode to look for low hanging fruit with greatly reduced number of requests | 3 | http, nuclei, portfilter |
| nuclei-heavy | nuclei | Run nuclei scans against all discovered targets, allowing for spidering, against ALL URLs, and with additional discovery modules. | 6 | http, nuclei, portfilter, robots, urlscan, wayback |
| nuclei-technology | nuclei | Run nuclei scans against all discovered targets, running templates which match discovered technologies | 3 | http, nuclei, portfilter |
| paramminer | web | Discover new web parameters via brute-force, and analyze them with additional modules | 3 | http, hunt, reflected_parameters |
| paramminer-heavy | web | Aggressive paramminer brute-force: enables 1-3 letter combination brute-force on GET parameters and case mutation (camelCase / Title-case variants) on case-sensitive backends. Significantly increases scan time. | 3 | http, hunt, reflected_parameters |
| spider | | Recursive web spider | 1 | http |
| spider-heavy | | Recursive web spider with more aggressive settings | 1 | http |
| subdomain-enum | | Enumerate subdomains via APIs, brute-force | 0 | |
| tech-detect | | Detect technologies via Nuclei, and FingerprintX | 2 | fingerprintx, nuclei |
| test | | Detect technologies via Nuclei, and FingerprintX | 2 | fingerprintx, nuclei |
| wayback | | Discover URLs and interesting archived files via the Wayback Machine | 52 | anubisdb, asn, azure_realm, azure_tenant, baddns_direct, baddns_zone, bevigil, bufferoverrun, builtwith, c99, censys_dns, certspotter, chaos, crt, crt_db, digitorus, dnsbimi, dnsbrute, dnsbrute_mutations, dnscaa, dnscommonsrv, dnsdumpster, dnstlsrpt, fullhunt, github_codesearch, github_org, hackertarget, httpx, hunterio, ipneighbor, leakix, myssl, oauth, otx, passivetotal, postman, postman_download, rapiddns, securitytrails, securitytxt, shodan_dns, shodan_idb, sitedossier, social, sslcert, subdomaincenter, subdomainradar, trickest, urlscan, virustotal, wayback |
| wayback-heavy | | Full Wayback Machine integration - URL discovery, parameter extraction, archived page retrieval, and interesting file detection | 53 | anubisdb, asn, azure_realm, azure_tenant, baddns_direct, baddns_zone, badsecrets, bevigil, bufferoverrun, builtwith, c99, censys_dns, certspotter, chaos, crt, crt_db, digitorus, dnsbimi, dnsbrute, dnsbrute_mutations, dnscaa, dnscommonsrv, dnsdumpster, dnstlsrpt, fullhunt, github_codesearch, github_org, hackertarget, httpx, hunterio, ipneighbor, leakix, myssl, oauth, otx, passivetotal, postman, postman_download, rapiddns, securitytrails, securitytxt, shodan_dns, shodan_idb, sitedossier, social, sslcert, subdomaincenter, subdomainradar, trickest, urlscan, virustotal, wayback |
| web | | Quick web scan | 0 | |
| web-heavy | | Aggressive web scan | 0 | |
| web-screenshots | | Take screenshots of webpages | 0 | |