What is it?
BBOT is a system of modules that interchange data recursively. Okay, but like, what is it?
What It Isn't
BBOT's discovery process does not have "phases", or "stages"; i.e. it does not work like this:
This is a traditional OSINT process, where you start with a target and you work in stages. Each stage gets you a little more data and requires more cleaning/deduplication, until finally you reach the end. The problem with this approach is that it misses things.
Imagine if on the last step of this process, you discovered a new subdomain. Awesome! But wait, shouldn't you go back and check that one the same way you did the others? Shouldn't you port-scan it and SSL-mine it and so on? Maybe you're a thorough, hard-working human, and you take the time to do that. Maybe by doing that, you find another subdomain! Sigh. What about this time? Should you start over again for that one? You see the dilemma.
What It Is
Instead, BBOT works recursively, treating each new individual piece of data as an opportunity to find even more. When it finds something, it feeds it back into the machine and uses it to fuel the discovery process. It continues to churn like this until there is no new data to discover.
In a simple example, we run a BBOT scan with three modules:
httpx. Each of these modules "consume" a certain type of data:
DNS_NAMEs, port-scans them, and outputs
OPEN_TCP_PORTs, grabs certs, and extracts
OPEN_TCP_PORTs and visits any web services, ultimately producing new
graph TD nmap -->|OPEN_TCP_PORT| sslcert; nmap -->|OPEN_TCP_PORT| httpx; sslcert --> |DNS_NAME| nmap; httpx --> |DNS_NAME| nmap;
This allows for some interesting chains of events. Given a single target such as
nmap may start by discovering an
httpx will then visit that port and extract more hostnames, which are in turn scanned by
nmap to produce more open ports which are visited by
httpx, which discover more hostnames, which are again passed to
nmap, and so on...
This is a simple example with only a few modules, but you can being to see how if 30 or 40 modules were enabled, they could feed each other exponentially to produce an immense amount of data. This recursion is exactly how BBOT is able to outperform other tools.
For a full list of event types and which modules consume/produce them, see List of Event Types.