Configuration Overview

June 29, 2026 · View on GitHub

Normally, Presets are used to configure a scan. However, there may be cases where you want to change BBOT's global defaults so a certain option is always set, even if it's not specified in a preset.

BBOT has a YAML config at ~/.config/bbot/bbot.yml. This is the first config that BBOT loads, so it's a good place to put default settings like http_proxy, max_threads, or http_user_agent. You can also put any module settings here, including API keys.

For a list of all possible config options, see:

For examples of common config changes, see Tips and Tricks.

Configuration Files

BBOT loads its config from the following files, in this order (last one loaded == highest priority):

  • ~/.config/bbot/bbot.yml <-- Global BBOT config
  • presets (-p) <-- Presets are good for scan-specific settings
  • command line (-c) <-- CLI overrides everything

bbot.yml will be automatically created for you when you first run BBOT.

YAML Config vs Command Line

You can specify config options either via the command line or the config. For example, if you want to proxy your BBOT scan through a local proxy like Burp Suite, you could either do:

# send BBOT traffic through an HTTP proxy
bbot -t evilcorp.com -c http_proxy=http://127.0.0.1:8080

Or, in ~/.config/bbot/bbot.yml:

http_proxy: http://127.0.0.1:8080

These two are equivalent.

Config options specified via the command-line take precedence over all others. You can give BBOT a custom config file with -c myconf.yml, or individual arguments like this: -c modules.shodan_dns.api_key=deadbeef. To display the full and current BBOT config, including any command-line arguments, use bbot -c.

Note that placing the following in bbot.yml:

modules:
  shodan_dns:
    api_key: deadbeef

Is the same as:

bbot -c modules.shodan_dns.api_key=deadbeef

Global Config Options

Below is a full list of the config options supported, along with their defaults.

### BASIC OPTIONS ###

# NOTE: If used in a preset, these options must be nested underneath "config:" like so:
# config:
#   home: ~/.bbot
#   keep_scans: 20
#   scope:
#     strict: true
#   dns:
#     minimal: true

# BBOT working directory
home: ~/.bbot
# How many scan results to keep before cleaning up the older ones
keep_scans: 20
# Interval for displaying status messages
status_frequency: 15
# When system memory exceeds this percentage, ingress is throttled with a per-event sleep
# that scales linearly from 0s at the threshold up to 5s at threshold+5 (capped at 95%).
# Last-ditch effort to give the pipeline a chance to drain before OOM.
max_mem_percent: 90
# Redact secrets (API keys, tokens, etc.) in the saved preset.yml
redact_secrets: true
# Include the raw data of files (i.e. PDFs, web screenshots) as base64 in the event
file_blobs: false
# Include the raw data of directories (i.e. git repos) as tar.gz base64 in the event
folder_blobs: false

### SCOPE ###

scope:
  # strict scope means only exact DNS names are considered in-scope
  # their subdomains are not included unless explicitly added to the target
  strict: false
  # Filter by scope distance which events are displayed in the output
  # 0 == show only in-scope events (affiliates are always shown)
  # 1 == show all events up to distance-1 (1 hop from target)
  report_distance: 0
  # How far out from the main scope to search
  # Do not change this setting unless you know what you're doing
  search_distance: 0

### DNS ###

dns:
  # Completely disable DNS resolution (careful if you have IP targets/blacklists, consider using minimal=true instead)
  disable: false
  # Speed up scan by not creating any new DNS events, and only resolving A and AAAA records
  minimal: false
  # How many threads to use per resolver (best way to increase speed is to put more resolvers in /etc/resolv.conf)
  threads: 10
  # How many DNS records to cache
  cache_size: 100000
  # How many concurrent DNS resolvers to use when brute-forcing
  # (under the hood this is passed through directly to massdns -s)
  brute_threads: 1000
  # nameservers to use for DNS brute-forcing
  # default is updated weekly and contains ~10K high-quality public servers
  brute_nameservers: https://raw.githubusercontent.com/blacklanternsecurity/public-dns-servers/master/nameservers.txt
  # How far away from the main target to explore via DNS resolution (independent of scope.search_distance)
  # This is safe to change
  search_distance: 1
  # Limit how many DNS records can be followed in a row (stop malicious/runaway DNS records)
  runaway_limit: 5
  # DNS query timeout
  timeout: 5
  # How many times to retry DNS queries
  retries: 1
  # Completely disable BBOT's DNS wildcard detection
  wildcard_disable: False
  # Disable BBOT's DNS wildcard detection for select domains
  wildcard_ignore: []
  # How many sanity checks to make when verifying wildcard DNS
  # Increase this value if BBOT's wildcard detection isn't working
  wildcard_tests: 10
  # Skip DNS requests for a certain domain and rdtype after encountering this many timeouts or SERVFAILs
  # This helps prevent faulty DNS servers from hanging up the scan
  abort_threshold: 10
  # Treat hostnames discovered via PTR records as affiliates instead of in-scope
  # This prevents rDNS results (e.g. 1-2-3-4.ptr.example.com) from triggering
  # subdomain enumeration against unrelated domains when scanning IP ranges
  filter_ptrs: true
  # Enable/disable debug messages for DNS queries
  debug: false
  # For performance reasons, always skip these DNS queries
  # Microsoft's DNS infrastructure is misconfigured so that certain queries to mail.protection.outlook.com always time out
  omit_queries:
    - SRV:mail.protection.outlook.com
    - CNAME:mail.protection.outlook.com
    - TXT:mail.protection.outlook.com

### WEB ###

web:
  # HTTP proxy
  http_proxy:
  # Hosts/CIDRs to exclude from HTTP proxy (NO_PROXY equivalent)
  # Examples: ["localhost", "*.internal.corp", "10.0.0.0/8", "elastic.mycompany.com"]
  http_proxy_exclude: []
  # Web user-agent
  user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.2151.97
  # Suffix to append to user-agent (e.g. for tracking or identification)
  user_agent_suffix:
  # Set the maximum number of HTTP links that can be followed in a row (0 == no spidering allowed)
  spider_distance: 0
  # Set the maximum directory depth for the web spider
  spider_depth: 1
  # Set the maximum number of links that can be followed per page
  spider_links_per_page: 25
  # HTTP timeout for target-directed traffic (probes, crawls, etc.)
  http_timeout: 10
  # HTTP timeout for non-target traffic (APIs, wordlist downloads, etc.)
  http_timeout_infrastructure: 10
  # Custom HTTP headers (e.g. cookies, etc.)
  # in the format { "Header-Key": "header_value" }
  # These are attached to all in-scope HTTP requests
  # Note that some modules (e.g. github) may end up sending these to out-of-scope resources
  http_headers: {}
  # How many times to retry API requests
  # Note that this is a separate mechanism on top of HTTP retries
  # which will retry API requests that don't return a successful status code
  api_retries: 2
  # HTTP retries - try again if the raw connection fails
  http_retries: 1
  # Default sleep interval when rate limited by 429 (and retry-after isn't provided)
  429_sleep_interval: 30
  # Maximum sleep interval when rate limited by 429 (and an excessive retry-after is provided)
  429_max_sleep_interval: 60
  # Enable/disable debug messages for web requests/responses
  debug: false
  # Maximum number of HTTP redirects to follow
  http_max_redirects: 5
  # Whether to verify SSL certificates for target-directed traffic (probes, crawls, etc.)
  ssl_verify_target: false
  # Whether to verify SSL certificates for non-target traffic (APIs, wordlist downloads, etc.)
  ssl_verify_infrastructure: true
  # Maximum HTTP requests per second (0 = unlimited)
  # Applies globally across all blasthttp consumers (http probing, web brute, etc.)
  http_rate_limit: 0
  # HTTP_RESPONSE body disk-spill — keeps body bytes off the Python heap.
  # Bodies are written to ${scan_home}/temp/bodies/{uuid}.body.zst and served
  # from a bounded LRU cache; only cache misses touch disk.
  body_spill:
    # Master switch
    enabled: true
    # In-memory LRU cache budget for hot bodies, in MB
    cache_mb: 512
    # zstd level-1 compression on the way to disk
    compress: true

### ENGINE ###

engine:
  debug: false

# Tool dependencies
deps:
  # How to handle installation of module dependencies
  # Choices are:
  #  - abort_on_failure (default) - if a module dependency fails to install, abort the scan
  #  - retry_failed - try again to install failed dependencies
  #  - ignore_failed - run the scan regardless of what happens with dependency installation
  #  - disable - completely disable BBOT's dependency system (you are responsible for installing tools, pip packages, etc.)
  behavior: abort_on_failure

### ADVANCED OPTIONS ###

# Load BBOT modules from these custom paths
module_dirs: []

# maximum runtime in seconds for each module's handle_event() is 60 minutes
# when the timeout is reached, the offending handle_event() will be cancelled and the module will move on to the next event
module_handle_event_timeout: 3600
# handle_batch() default timeout is 2 hours
module_handle_batch_timeout: 7200

# Infer certain events from others, e.g. IPs from IP ranges, DNS_NAMEs from URLs, etc.
speculate: True
# Passively search event data for URLs, hostnames, emails, etc.
excavate: True
# Summarize activity at the end of a scan
aggregate: True
# DNS resolution, wildcard detection, etc.
dnsresolve: True
# Cloud provider tagging
cloudcheck: True
# Python API event bridge
python: True

# Strip querystring from URLs by default
url_querystring_remove: True
# When query string is retained, by default collapse parameter values down to a single value per parameter
url_querystring_collapse: True

# Completely ignore URLs with these extensions
url_extension_blacklist:
  # images
  - png
  - jpg
  - bmp
  - ico
  - jpeg
  - gif
  - svg
  - webp
  # web/fonts
  - css
  - woff
  - woff2
  - ttf
  - eot
  - sass
  - scss
  # audio
  - mp3
  - m4a
  - wav
  - flac
  # video
  - mp4
  - mkv
  - avi
  - wmv
  - mov
  - flv
  - webm

# URLs with these extensions are not distributed to modules unless the module opts in via `accept_url_special = True`
# They are also excluded from output. If you want to see them in output, remove them from this list.
url_extension_special:
  - js

# These url extensions are almost always static, so we exclude them from modules that fuzz things
url_extension_static:
  - pdf
  - doc
  - docx
  - xls
  - xlsx
  - ppt
  - pptx
  - txt
  - csv
  - xml
  - yaml
  - ini
  - log
  - conf
  - cfg
  - env
  - md
  - rtf
  - tiff
  - bmp
  - jpg
  - jpeg
  - png
  - gif
  - svg
  - ico
  - mp3
  - wav
  - flac
  - mp4
  - mov
  - avi
  - mkv
  - webm
  - zip
  - tar
  - gz
  - bz2
  - 7z
  - rar

parameter_blacklist:
  - __VIEWSTATE
  - __EVENTARGUMENT
  - __EVENTVALIDATION
  - __EVENTTARGET
  - __EVENTARGUMENT
  - __VIEWSTATEGENERATOR
  - __SCROLLPOSITIONY
  - __SCROLLPOSITIONX
  - ASP.NET_SessionId
  - .AspNetCore.Session
  - PHPSESSID
  - sessionid
  - csrftoken
  - XSRF-TOKEN
  - __cf_bm
  - _cfuvid
  - cf_clearance
  - _abck
  - bm_sz
  - bm_sv
  - ak_bmsc
  - f5_cspm
  # CSRF / Anti-Forgery tokens
  - authenticity_token
  - csrfmiddlewaretoken
  - __RequestVerificationToken
  - antiforgerytoken
  - __csrf_magic
  - _wpnonce
  # ASP.NET session/identity cookies
  - .ASPXANONYMOUS
  - .ASPXAUTH
  # PKCE (Proof Key for Code Exchange)
  - code_verifier
  - code_challenge
  # Analytics
  - _ga
  - _gid
  - _gat
  - _gcl_au
  - _fbp
  - _fbc
  - __utma
  - __utmb
  - __utmc
  - __utmz
  - _hjid

parameter_blacklist_prefixes:
  - TS01
  - BIGipServer
  - f5avr
  - incap_
  - visid_incap_
  - nlbi_
  - AWSALB
  - utm_
  - ApplicationGatewayAffinity
  - JSESSIONID
  - ARRAffinity
  - _hjSession
  - _gat_
  - intercom-
  - OAMRequestContext_

# Don't output these types of events (they are still distributed to modules)
omit_event_types:
  - HTTP_RESPONSE
  - RAW_TEXT
  - URL_UNVERIFIED
  - DNS_NAME_UNRESOLVED
  - FILESYSTEM
  - WEB_PARAMETER
  - RAW_DNS_RECORD
  # - IP_ADDRESS

# Custom interactsh server settings
interactsh_server: null
interactsh_token: null
interactsh_disable: false

# API key for bbot.io services (currently used by ASN lookups via the asndb library)
# Can also be set via the BBOT_IO_API_KEY environment variable, which takes precedence.
bbot_io_api_key: null

Module Config Options

Many modules accept their own configuration options. These options have the ability to change their behavior. For example, the portscan module accepts options for ports, rate, etc. Below is a list of all possible module config options.

Universal Module Options

In addition to the stated options for each module, the following universal options are also accepted:

batch_size: The number of events to process in a single batch (only applies to batch modules) module_threads: How many event handlers to run in parallel module_timeout: Max time in seconds to spend handling each event or batch of events

Module Options

Config OptionTypeDescriptionDefault
modules.baddns.custom_nameserverslist[str]Force BadDNS to use a list of custom nameservers[]
modules.baddns.enabled_submoduleslist[str]A list of submodules to enable. Empty list (default) enables CNAME, TXT and MX Only[]
modules.baddns.min_confidenceConfidenceLiteralMinimum confidence to emitMEDIUM
modules.baddns.min_severitySeverityLiteralMinimum severity to emitLOW
modules.baddns_direct.custom_nameserverslistForce BadDNS to use a list of custom nameservers[]
modules.baddns_direct.min_confidenceConfidenceLiteralMinimum confidence to emit (UNKNOWN, LOW, MEDIUM, HIGH, CONFIRMED)MEDIUM
modules.baddns_direct.min_severitySeverityLiteralMinimum severity to emit (INFO, LOW, MEDIUM, HIGH, CRITICAL)LOW
modules.baddns_zone.custom_nameserverslistForce BadDNS to use a list of custom nameservers[]
modules.baddns_zone.min_confidenceConfidenceLiteralMinimum confidence to emit (UNKNOWN, LOW, MEDIUM, HIGH, CONFIRMED)MEDIUM
modules.baddns_zone.min_severitySeverityLiteralMinimum severity to emit (INFO, LOW, MEDIUM, HIGH, CRITICAL)INFO
modules.badsecrets.custom_secretsOptional[str]Include custom secrets loaded from a local fileNone
modules.bucket_amazon.permutationsboolWhether to try permutationsFalse
modules.bucket_digitalocean.permutationsboolWhether to try permutationsFalse
modules.bucket_firebase.permutationsboolWhether to try permutationsFalse
modules.bucket_google.permutationsboolWhether to try permutationsFalse
modules.bucket_hetzner.permutationsboolWhether to try permutationsFalse
modules.bucket_microsoft.permutationsboolWhether to try permutationsFalse
modules.dnsbrute.max_depthintHow many subdomains deep to brute force, i.e. 5.4.3.2.1.evilcorp.com5
modules.dnsbrute.recursive_mutationsboolIf True, brute-force hosts discovered by dnsbrute_mutations. The default (False) skips them because the static wordlist heavily overlaps with the mutation algorithm's own output.False
modules.dnsbrute.wordlistUnion[str, list[str]]Subdomain wordlist URL or file path. Accepts a list of URLs/paths to merge multiple wordlists (duplicates are removed).https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt
modules.dnsbrute_mutations.max_mutationsintMaximum number of target-specific mutations to try per subdomain100
modules.dnscommonsrv.max_depthintThe maximum subdomain depth to brute-force SRV records2
modules.dnscommonsrv.recursive_mutationsboolIf True, brute-force SRV records on hosts discovered by dnsbrute_mutations. Default False skips them.False
modules.filedownload.extensionslist[str]File extensions to download['bak', 'bash', 'bashrc', 'cfg', 'conf', 'crt', 'csv', 'db', 'dll', 'doc', 'docx', 'exe', 'ica', 'indd', 'ini', 'jar', 'json', 'key', 'log', 'markdown', 'md', 'msi', 'odg', 'odp', 'ods', 'odt', 'pdf', 'pem', 'pps', 'ppsx', 'ppt', 'pptx', 'ps1', 'pub', 'raw', 'rdp', 'rsa', 'sh', 'sql', 'sqlite', 'swp', 'sxw', 'tar.gz', 'tgz', 'tar', 'txt', 'vbs', 'war', 'wpd', 'xls', 'xlsx', 'xml', 'yaml', 'yml', 'zip', 'lzma', 'rar', '7z', 'xz', 'bz2']
modules.filedownload.max_filesizestrCancel download if filesize is greater than this size10MB
modules.filedownload.output_folderstrFolder to download files to. If not specified, downloaded files will be deleted when the scan completes, to minimize disk usage.
modules.fingerprintx.skip_common_webboolSkip common web ports such as 80, 443, 8080, 8443, etc.True
modules.fingerprintx.versionstrfingerprintx version1.1.4
modules.generic_ssrf.skip_dns_interactionboolDo not report DNS interactions (only HTTP interaction)False
modules.gitlab_com.api_keystr | list[str]GitLab access token (for gitlab.com/org only)
modules.gitlab_onprem.api_keystr | list[str]GitLab access token (for self-hosted instances only)
modules.gowitness.chrome_pathstrPath to chrome executable
modules.gowitness.idle_timeoutintSkip the current gowitness batch if it stalls for longer than this many seconds1800
modules.gowitness.output_pathstrWhere to save screenshots
modules.gowitness.resolution_xintScreenshot resolution x1440
modules.gowitness.resolution_yintScreenshot resolution y900
modules.gowitness.socialboolWhether to screenshot social media webpagesFalse
modules.gowitness.threadsintHow many gowitness threads to spawn (default is number of CPUs x 2)0
modules.gowitness.timeoutintPreflight check timeout10
modules.gowitness.versionstrGowitness version3.1.1
modules.graphql_introspection.graphql_endpoint_urlslist[str]List of GraphQL endpoint to suffix to the target URL['/', '/graphql', '/v1/graphql']
modules.graphql_introspection.output_folderstrFolder to save the GraphQL schemas to
modules.http.in_scope_onlyboolOnly visit web resources that are in scope.True
modules.http.max_response_sizeintMax response size in bytes5242880
modules.http.store_responsesboolSave raw HTTP responses to scan folderFalse
modules.http.threadsintNumber of concurrent requests50
modules.iis_shortnames.detect_onlyboolOnly detect the vulnerability and do not run the shortname scannerTrue
modules.iis_shortnames.max_node_countintLimit how many nodes to attempt to resolve on any given recursion branch50
modules.iis_shortnames.speculate_magic_urlsboolAttempt to discover iis 'magic' special foldersTrue
modules.legba.concurrencyintNumber of concurrent workers, gets overridden for SSH3
modules.legba.ftp_wordlistUnion[str, list[str]]Wordlist for FTP combined username:password, newline separated. Accepts a URL or local file path, or a list of URLs/paths to merge multiple wordlists (duplicates removed).https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt
modules.legba.mssql_wordlistUnion[str, list[str]]Wordlist for MSSQL combined username:password, newline separated. Accepts a URL or local file path, or a list of URLs/paths to merge multiple wordlists (duplicates removed).https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Default-Credentials/mssql-betterdefaultpasslist.txt
modules.legba.mysql_wordlistUnion[str, list[str]]Wordlist for MySQL combined username:password, newline separated. Accepts a URL or local file path, or a list of URLs/paths to merge multiple wordlists (duplicates removed).https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Default-Credentials/mysql-betterdefaultpasslist.txt
modules.legba.postgresql_wordlistUnion[str, list[str]]Wordlist for PostgreSQL combined username:password, newline separated. Accepts a URL or local file path, or a list of URLs/paths to merge multiple wordlists (duplicates removed).https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Default-Credentials/postgres-betterdefaultpasslist.txt
modules.legba.rate_limitintLimit the number of requests per second, gets overridden for SSH3
modules.legba.ssh_wordlistUnion[str, list[str]]Wordlist for SSH combined username:password, newline separated. Accepts a URL or local file path, or a list of URLs/paths to merge multiple wordlists (duplicates removed).https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt
modules.legba.telnet_wordlistUnion[str, list[str]]Wordlist for TELNET combined username:password, newline separated. Accepts a URL or local file path, or a list of URLs/paths to merge multiple wordlists (duplicates removed).https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Default-Credentials/telnet-betterdefaultpasslist.txt
modules.legba.versionstrlegba version1.1.1
modules.legba.vnc_wordlistUnion[str, list[str]]Wordlist for VNC passwords, newline separated. Accepts a URL or local file path, or a list of URLs/paths to merge multiple wordlists (duplicates removed).https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Default-Credentials/vnc-betterdefaultpasslist.txt
modules.lightfuzz.avoid_wafsboolAvoid running against confirmed WAFs, which are likely to block lightfuzz requestsTrue
modules.lightfuzz.disable_postboolDisable processing of POST parameters, avoiding form submissions.False
modules.lightfuzz.emit_baseline_responsesboolEmit canonical baseline responses as HTTP_RESPONSE events so excavate can mine them for new params/URLs.True
modules.lightfuzz.enabled_submoduleslist[str]A list of submodules to enable. Empty list enabled all modules.['sqli', 'cmdi', 'xss', 'path', 'ssti', 'crypto', 'serial', 'esi', 'ssrf']
modules.lightfuzz.force_common_headersboolForce emit commonly exploitable parameters that may be difficult to detectFalse
modules.lightfuzz.try_get_as_postboolFor each GETPARAM, also fuzz it as a POSTPARAM (in addition to normal GET fuzzing).False
modules.lightfuzz.try_post_as_getboolFor each POSTPARAM, also fuzz it as a GETPARAM (in addition to normal POST fuzzing).False
modules.medusa.snmp_versionslist[str]List of SNMP versions to attempt against the SNMP server (default ['1', '2C'])['1', '2C']
modules.medusa.snmp_wordlistUnion[str, list[str]]Wordlist url for SNMP community strings, newline separated (default https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/SNMP/snmp.txt). Accepts a list of URLs/paths to merge multiple wordlists (duplicates are removed).https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/SNMP/common-snmp-community-strings.txt
modules.medusa.threadsintNumber of communities to be tested concurrently (default 5)5
modules.medusa.timeout_sintWait time for the SNMP response(s) once at the end of all attempts (default 5)5
modules.medusa.wait_microsecondsintWait time after every SNMP request in microseconds (default 200)200
modules.ntlm.try_allboolTry every NTLM endpointFalse
modules.nuclei.batch_sizeintNumber of targets to send to Nuclei per batch (default 200)200
modules.nuclei.budgetintUsed in budget mode to set the number of allowed requests per host1
modules.nuclei.concurrencyintmaximum number of templates to be executed in parallel (default 25)25
modules.nuclei.directory_onlyboolFilter out 'file' URL event (default True)True
modules.nuclei.etagsstrtags to exclude from the scan
modules.nuclei.modeLiteral['manual', 'technology', 'severe', 'budget']manual | technology | severe | budget. Technology: Only activate based on technology events that match nuclei tags (nuclei -as mode). Manual (DEFAULT): Fully manual settings. Severe: Only critical and high severity templates without intrusive. Budget: Limit Nuclei to a specified number of HTTP requestsmanual
modules.nuclei.module_timeoutintMax time in seconds to spend handling each batch of events21600
modules.nuclei.ratelimitintmaximum number of requests to send per second (default 150)150
modules.nuclei.retriesintnumber of times to retry a failed request (default 0)0
modules.nuclei.severitystrFilter based on severity field available in the template.
modules.nuclei.silentboolDon't display nuclei's banner or status messagesFalse
modules.nuclei.tagsstrexecute a subset of templates that contain the provided tags
modules.nuclei.templatesstrtemplate or template directory paths to include in the scan
modules.nuclei.versionstrnuclei version3.9.0
modules.oauth.try_allboolCheck for OAUTH/IODC on every subdomain and URL.False
modules.paramminer_cookies.recycle_wordsboolAttempt to use words found during the scan on all other endpointsFalse
modules.paramminer_cookies.skip_boring_wordsboolRemove commonly uninteresting words from the wordlistTrue
modules.paramminer_cookies.wordlistUnion[str, list[str]]Define the wordlist to be used to derive cookies. Accepts a list of URLs/paths to merge multiple wordlists (duplicates are removed).
modules.paramminer_getparams.brute_shortboolGenerate every 1-, 2-, and 3-letter [a-z] combination and add to the wordlist. Costs ~18,278 extra requests per host; opt-in for thorough scans.False
modules.paramminer_getparams.mutate_caseboolAlso test case-mutated variants of each entry (camelCase for snake_case/kebab-case, Title case for single words). Skipped on URLs with case-insensitive backend extensions like .aspx/.cfm.False
modules.paramminer_getparams.recycle_wordsboolAttempt to use words found during the scan on all other endpointsFalse
modules.paramminer_getparams.skip_boring_wordsboolRemove commonly uninteresting words from the wordlistTrue
modules.paramminer_getparams.wordlistUnion[str, list[str]]Define the wordlist to be used to derive headers. Accepts a list of URLs/paths to merge multiple wordlists (duplicates are removed).
modules.paramminer_headers.recycle_wordsboolAttempt to use words found during the scan on all other endpointsFalse
modules.paramminer_headers.skip_boring_wordsboolRemove commonly uninteresting words from the wordlistTrue
modules.paramminer_headers.wordlistUnion[str, list[str]]Define the wordlist to be used to derive headers. Accepts a list of URLs/paths to merge multiple wordlists (duplicates are removed).
modules.portscan.adapterstrManually specify a network interface, such as "eth0" or "tun0". If not specified, the first network interface found with a default gateway will be used.
modules.portscan.adapter_ipstrSend packets using this IP address. Not needed unless masscan's autodetection fails
modules.portscan.adapter_macstrSend packets using this as the source MAC address. Not needed unless masscan's autodetection fails
modules.portscan.module_timeoutintMax time in seconds to spend handling each batch of events259200
modules.portscan.ping_firstboolOnly portscan hosts that reply to pingsFalse
modules.portscan.ping_onlyboolPing sweep only, no portscanFalse
modules.portscan.portsstrPorts to scan
modules.portscan.rateintRate in packets per second300
modules.portscan.router_macstrSend packets to this MAC address as the destination. Not needed unless masscan's autodetection fails
modules.portscan.skip_tagsstrComma-separated event tags that will be excluded from scanning (e.g. 'cdn,waf'). speculate will emit assumed-open ports for these instead.
modules.portscan.top_portsintTop ports to scan (default 100) (to override, specify 'ports')100
modules.portscan.waitintSeconds to wait for replies after scan is complete5
modules.retirejs.node_versionstrNode.js version to install locally18.19.1
modules.retirejs.severityLiteral['none', 'low', 'medium', 'high', 'critical']Minimum severity level to report (none, low, medium, high, critical)medium
modules.retirejs.versionstrretire.js version5.3.0
modules.robots.include_allowboolInclude 'Allow' EntriesTrue
modules.robots.include_disallowboolInclude 'Disallow' EntriesTrue
modules.robots.include_sitemapboolInclude 'sitemap' entriesFalse
modules.securitytxt.emailsboolemit EMAIL_ADDRESS eventsTrue
modules.securitytxt.urlsboolemit URL_UNVERIFIED eventsTrue
modules.telerik.exploit_RAU_cryptoboolAttempt to confirm any RAU AXD detections are vulnerableFalse
modules.telerik.include_subdirsboolInclude subdirectories in the scan (off by default)False
modules.url_manipulation.allow_redirectsboolAllowing redirects will sometimes create false positives. Disallowing will sometimes create false negatives. Allowed by default.True
modules.virtualhost.brute_linesintTake only the first N lines from the wordlist when finding directories2000
modules.virtualhost.brute_wordliststrWordlist containing subdomainshttps://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt
modules.virtualhost.certificate_sansboolEnable extraction and testing of Subject Alternative Names from certificatesFalse
modules.virtualhost.force_basehoststrUse a custom base host (e.g. evilcorp.com) instead of the default behavior of using the current URL
modules.virtualhost.max_concurrent_requestsintMaximum number of concurrent virtual host requests80
modules.virtualhost.mutation_checkboolEnable trying mutations of the target hostTrue
modules.virtualhost.report_interesting_default_contentboolReport interesting default contentTrue
modules.virtualhost.require_inaccessibleboolOnly test virtual hosts that are not directly accessible (for discovering hidden content)True
modules.virtualhost.special_hostsboolEnable testing of special virtual host list (localhost, etc.)False
modules.virtualhost.subdomain_bruteboolEnable subdomain brute-force on target hostTrue
modules.virtualhost.wordcloud_checkboolEnable check using scan-wide wordcloud data on target hostFalse
modules.waf_bypass.neighbor_cidrintCIDR mask (24-31) used for neighbor enumeration when search_ip_neighbors is true24
modules.waf_bypass.search_ip_neighborsboolAlso check IP neighbors of the target domainTrue
modules.waf_bypass.similarity_thresholdfloatSimilarity threshold for content matching0.9
modules.wafw00f.generic_detectboolWhen no specific WAF detections are made, try to perform a generic detectTrue
modules.webbrute.avoid_wafsboolAvoid running against confirmed WAFs, which are likely to block brute-force requestsTrue
modules.webbrute.concurrencyintNumber of concurrent requests per URL being fuzzed50
modules.webbrute.extensionsUnion[str, list[str]]Optionally include a list of extensions to extend the keyword with (comma separated or YAML list)
modules.webbrute.ignore_caseboolOnly put lowercase words into the wordlistFalse
modules.webbrute.linesinttake only the first N lines from the wordlist when finding directories5000
modules.webbrute.max_depthintthe maximum directory depth to attempt to solve0
modules.webbrute.rateintMaximum requests per second (0 = unlimited)0
modules.webbrute.wordlistUnion[str, list[str]]Specify wordlist to use when finding directories. Accepts a list of URLs/paths to merge multiple wordlists (duplicates are removed).https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/raft-small-directories.txt
modules.webbrute_shortnames.extensionsstrOptionally include a list of extensions to extend the keyword with (comma separated)
modules.webbrute_shortnames.find_common_prefixesboolAttempt to automatically detect common prefixes and make additional runs against themFalse
modules.webbrute_shortnames.find_delimitersboolAttempt to detect common delimiters and make additional runs against themTrue
modules.webbrute_shortnames.find_subwordsboolAttempt to detect subwords and make additional runs against themFalse
modules.webbrute_shortnames.max_depthintthe maximum directory depth to attempt to solve1
modules.webbrute_shortnames.max_predictionsintThe maximum number of predictions to generate per shortname prefix250
modules.webbrute_shortnames.rateintRate of requests per second (default: 0)0
modules.webbrute_shortnames.wordlist_extensionsUnion[str, list[str]]Specify wordlist to use when making extension lists. Accepts a list of URLs/paths to merge multiple wordlists (duplicates are removed).
modules.anubisdb.limitintLimit the number of subdomains returned per query (increasing this may slow the scan due to garbage results from this API)1000
modules.apkpure.output_folderstrFolder to download APKs to. If not specified, downloaded APKs will be deleted when the scan completes, to minimize disk usage.
modules.bevigil.api_keystr | list[str]BeVigil OSINT API Key
modules.bevigil.urlsboolEmit URLs in addition to DNS_NAMEsFalse
modules.bucket_file_enum.file_limitintLimit the number of files downloaded per bucket50
modules.bufferoverrun.api_keystr | list[str]BufferOverrun API key
modules.bufferoverrun.commercialboolUse commercial APIFalse
modules.builtwith.api_keystr | list[str]Builtwith API key
modules.builtwith.redirectsboolAlso look up inbound and outbound redirectsTrue
modules.c99.api_keystr | list[str]c99.nl API key
modules.censys_dns.api_keystr | list[str]Censys.io API Key in the format of 'key:secret'
modules.censys_dns.max_pagesintMaximum number of pages to fetch (100 results per page)5
modules.censys_ip.api_keystr | list[str]Censys.io API Key in the format of 'key:secret'
modules.censys_ip.dns_names_limitintMaximum number of DNS names to extract from dns.names (default 100)100
modules.censys_ip.in_scope_onlyboolOnly query in-scope IPs. If False, will query up to distance 1.True
modules.certspotter.api_keystrSSLMate API key (enables pagination and higher rate limits)
modules.chaos.api_keystr | list[str]Chaos API key
modules.credshed.credshed_urlstrURL of credshed server
modules.credshed.passwordstrCredshed password
modules.credshed.usernamestrCredshed username
modules.dehashed.api_keystr | list[str]DeHashed API Key
modules.dnsbimi.emit_raw_dns_recordsboolEmit RAW_DNS_RECORD eventsFalse
modules.dnsbimi.emit_urlsboolEmit URL_UNVERIFIED eventsTrue
modules.dnsbimi.selectorsstrCSV list of BIMI selectors to checkdefault,email,mail,bimi
modules.dnscaa.dns_namesboolemit DNS_NAME eventsTrue
modules.dnscaa.emailsboolemit EMAIL_ADDRESS eventsTrue
modules.dnscaa.in_scope_onlyboolOnly check in-scope domainsTrue
modules.dnscaa.urlsboolemit URL_UNVERIFIED eventsTrue
modules.dnstlsrpt.emit_emailsboolEmit EMAIL_ADDRESS eventsTrue
modules.dnstlsrpt.emit_raw_dns_recordsboolEmit RAW_DNS_RECORD eventsFalse
modules.dnstlsrpt.emit_urlsboolEmit URL_UNVERIFIED eventsTrue
modules.docker_pull.all_tagsboolDownload all tags from each registry (Default False)False
modules.docker_pull.output_folderstrFolder to download docker repositories to. If not specified, downloaded docker images will be deleted when the scan completes, to minimize disk usage.
modules.fullhunt.api_keystr | list[str]FullHunt API Key
modules.git_clone.api_keystr | list[str]Github token
modules.git_clone.output_folderstrFolder to clone repositories to. If not specified, cloned repositories will be deleted when the scan completes, to minimize disk usage.
modules.gitdumper.fuzz_tagsboolFuzz for common git tag names (v0.0.1, 0.0.2, etc.) up to the max_semanic_versionFalse
modules.gitdumper.max_semanic_versionintMaximum version number to fuzz for (default < v10.10.10) 10
modules.gitdumper.output_folderstrFolder to download repositories to. If not specified, downloaded repositories will be deleted when the scan completes, to minimize disk usage.
modules.github_codesearch.api_keystr | list[str]Github token
modules.github_codesearch.limitintLimit code search to this many results100
modules.github_org.api_keystr | list[str]Github token
modules.github_org.include_member_reposboolAlso enumerate organization members' repositoriesFalse
modules.github_org.include_membersboolEnumerate organization membersTrue
modules.github_usersearch.api_keystr | list[str]Github token
modules.github_workflows.api_keystr | list[str]Github token
modules.github_workflows.num_logsintFor each workflow fetch the last N successful runs logs (max 100)1
modules.github_workflows.output_folderstrFolder to download workflow logs and artifacts to
modules.hunterio.api_keystr | list[str]Hunter.IO API key
modules.ip2location.api_keystr | list[str]IP2location.io API Key
modules.ip2location.langstrTranslation information(ISO639-1). The translation is only applicable for continent, country, region and city name.
modules.ipneighbor.num_bitsintNetmask size (in CIDR notation) to check. Default is 4 bits (16 hosts)4
modules.ipstack.api_keystr | list[str]IPStack GeoIP API Key
modules.jadx.threadsintMaximum jadx threads for extracting apk's, default: 44
modules.kreuzberg.extensionslist[str]File extensions to parse['bak', 'bash', 'bashrc', 'conf', 'cfg', 'crt', 'csv', 'db', 'sqlite', 'doc', 'docx', 'ica', 'indd', 'ini', 'json', 'key', 'pub', 'log', 'markdown', 'md', 'odg', 'odp', 'ods', 'odt', 'pdf', 'pem', 'pps', 'ppsx', 'ppt', 'pptx', 'ps1', 'rdp', 'rsa', 'sh', 'sql', 'swp', 'sxw', 'txt', 'vbs', 'wpd', 'xls', 'xlsx', 'xml', 'yml', 'yaml']
modules.leakix.api_keystr | list[str]LeakIX API Key
modules.otx.api_keystr | list[str]OTX API key
modules.pgp.search_urlslist[str]PGP key servers to search['https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&op=vindex&search=<query>', 'http://the.earth.li:11371/pks/lookup?fingerprint=on&op=vindex&search=<query>', 'https://pgpkeys.eu/pks/lookup?search=<query>&op=index', 'https://pgp.mit.edu/pks/lookup?search=<query>&op=index']
modules.portfilter.allowed_cdn_portsstrComma-separated list of ports that are allowed to be scanned for CDNs80,443
modules.portfilter.cdn_tagsstrComma-separated list of tags to skip, e.g. 'cdn,waf'cdn,waf
modules.postman.api_keystr | list[str]Postman API Key
modules.postman_download.api_keystr | list[str]Postman API Key
modules.postman_download.output_folderstrFolder to download postman workspaces to. If not specified, downloaded workspaces will be deleted when the scan completes, to minimize disk usage.
modules.securitytrails.api_keystr | list[str]SecurityTrails API key
modules.shodan_dns.api_keystr | list[str]Shodan API key
modules.shodan_enterprise.api_keystr | list[str]Shodan API Key
modules.shodan_enterprise.in_scope_onlyboolOnly query in-scope IPs. If False, will query up to distance 1.True
modules.shodan_idb.retriesOptional[int]How many times to retry API requests (e.g. after a 429 error). Overrides the global web.api_retries setting.None
modules.subdomainradar.api_keystr | list[str]SubDomainRadar.io API key
modules.subdomainradar.groupLiteral['fast', 'medium', 'deep']The enumeration group to use. Choose from fast, medium, deepfast
modules.subdomainradar.timeoutintTimeout in seconds120
modules.trajan.ado_tokenstrAzure DevOps Personal Access Token (PAT)
modules.trajan.github_tokenstrGitHub API token for rate-limiting and private repo access
modules.trajan.gitlab_tokenstrGitLab API token for private repo access
modules.trajan.jenkins_passwordstrJenkins password for basic auth
modules.trajan.jenkins_tokenstrJenkins API token
modules.trajan.jenkins_usernamestrJenkins username for basic auth
modules.trajan.jfrog_tokenstrJFrog API token
modules.trajan.versionstrTrajan version to download and use1.0.0
modules.trickest.api_keystr | list[str]Trickest API key
modules.trufflehog.concurrencyintNumber of concurrent workers8
modules.trufflehog.configstrFile path or URL to YAML trufflehog config
modules.trufflehog.deleted_forksboolScan for deleted github forks. WARNING: This is SLOW. For a smaller repository, this process can take 20 minutes. For a larger repository, it could take hours.False
modules.trufflehog.only_verifiedboolOnly report credentials that have been verifiedTrue
modules.trufflehog.versionstrtrufflehog version3.95.5
modules.urlscan.urlsboolEmit URLs in addition to DNS_NAMEsFalse
modules.virustotal.api_keystr | list[str]VirusTotal API Key
modules.wayback.archiveboolfetch archived versions of dead URLs from the Wayback Machine and emit HTTP_RESPONSE events (requires urls=true)False
modules.wayback.garbage_thresholdintDedupe similar urls if they are in a group of this size or higher (lower values == less garbage data)10
modules.wayback.max_recordsintMaximum number of URLs to fetch from the CDX API100000
modules.wayback.parametersboolemit WEB_PARAMETER events for query parameters discovered in archived URLs (requires urls=true)False
modules.wayback.urlsboolemit URLs in addition to DNS_NAMEsFalse
modules.asset_inventory.output_filestrSet a custom output file
modules.asset_inventory.recheckboolWhen use_previous=True, don't retain past details like open ports or findings. Instead, allow them to be rediscovered by the new scanFalse
modules.asset_inventory.summary_netmaskintSubnet mask to use when summarizing IP addresses at end of scan16
modules.asset_inventory.use_previousboolEmit previous asset inventory as new events (use in conjunction with -n <old_scan_name>) False
modules.csv.output_filestrOutput to CSV file
modules.discord.event_typeslist[str]Types of events to send['FINDING']
modules.discord.min_severitystrOnly allow FINDING events of this severity or higherLOW
modules.discord.retriesintNumber of times to retry sending the message before skipping the event10
modules.discord.webhook_urlstrDiscord webhook URL
modules.elastic.passwordstrElastic passwordbbotislife
modules.elastic.timeoutintHTTP timeout10
modules.elastic.urlstrElastic URL (e.g. https://localhost:9200/<your_index>/_doc) https://localhost:9200/bbot_events/_doc
modules.elastic.usernamestrElastic usernameelastic
modules.emails.output_filestrOutput to file
modules.json.output_filestrOutput to file
modules.kafka.bootstrap_serversstrA comma-separated list of Kafka server addresseslocalhost:9092
modules.kafka.topicstrThe Kafka topic to publish events tobbot_events
modules.mongo.collection_prefixstrPrefix the name of each collection with this string
modules.mongo.databasestrThe name of the database to usebbot
modules.mongo.passwordstrThe password to use to connect to the database
modules.mongo.uristrThe URI of the MongoDB servermongodb://localhost:27017
modules.mongo.usernamestrThe username to use to connect to the database
modules.mysql.databasestrThe database name to connect tobbot
modules.mysql.hoststrThe server running MySQLlocalhost
modules.mysql.passwordstrThe password to connect to MySQLbbotislife
modules.mysql.portintThe port to connect to MySQL3306
modules.mysql.retriesintNumber of times to retry connecting to the database (1 second between retries)10
modules.mysql.usernamestrThe username to connect to MySQLroot
modules.nats.serverslistA list of NATS server addresses[]
modules.nats.subjectstrThe NATS subject to publish events tobbot_events
modules.neo4j.passwordstrNeo4j passwordbbotislife
modules.neo4j.uristrNeo4j server + portbolt://localhost:7687
modules.neo4j.usernamestrNeo4j usernameneo4j
modules.postgres.databasestrThe database name to connect tobbot
modules.postgres.hoststrThe server running Postgreslocalhost
modules.postgres.passwordstrThe password to connect to Postgresbbotislife
modules.postgres.portintThe port to connect to Postgres5432
modules.postgres.retriesintNumber of times to retry connecting to the database (1 second between retries)10
modules.postgres.usernamestrThe username to connect to Postgrespostgres
modules.rabbitmq.queuestrThe RabbitMQ queue to publish events tobbot_events
modules.rabbitmq.urlstrThe RabbitMQ connection URLamqp://guest:guest@localhost/
modules.slack.event_typeslist[str]Types of events to send['FINDING']
modules.slack.min_severitystrOnly allow FINDING events of this severity or higherLOW
modules.slack.retriesintNumber of times to retry sending the message before skipping the event10
modules.slack.webhook_urlstrSlack webhook URL
modules.splunk.hectokenstrHEC Token
modules.splunk.indexstrIndex to send data to
modules.splunk.sourcestrSource path to be added to the metadata
modules.splunk.timeoutintHTTP timeout10
modules.splunk.urlstrWeb URL
modules.sqlite.databasestrThe path to the sqlite database file
modules.sqlite.retriesintNumber of times to retry connecting to the database (1 second between retries)10
modules.stdout.accept_dupesboolWhether to show duplicate events, default TrueTrue
modules.stdout.event_fieldslistWhich event fields to display[]
modules.stdout.event_typeslistWhich events to display, default all event types[]
modules.stdout.formatLiteral['text', 'json']Which text format to display, choices: text,jsontext
modules.stdout.in_scope_onlyboolWhether to only show in-scope eventsFalse
modules.subdomains.include_unresolvedboolInclude unresolved subdomains in outputFalse
modules.subdomains.output_filestrOutput to file
modules.teams.event_typeslist[str]Types of events to send['FINDING']
modules.teams.min_severitystrOnly allow FINDING events of this severity or higherLOW
modules.teams.retriesintNumber of times to retry sending the message before skipping the event10
modules.teams.webhook_urlstrTeams webhook URL
modules.txt.output_filestrOutput to file
modules.web_parameters.include_countboolInclude the count of each parameter in the outputFalse
modules.web_parameters.output_filestrOutput to file
modules.web_report.css_theme_filestrCSS theme URL for HTML outputhttps://cdnjs.cloudflare.com/ajax/libs/github-markdown-css/5.1.0/github-markdown.min.css
modules.web_report.output_filestrOutput to file
modules.webhook.bearerstrAuthorization Bearer token
modules.webhook.headersdictAdditional headers to send with the request{}
modules.webhook.methodstrHTTP methodPOST
modules.webhook.passwordstrPassword (basic auth)
modules.webhook.timeoutintHTTP timeout10
modules.webhook.urlstrWeb URL
modules.webhook.usernamestrUsername (basic auth)
modules.websocket.ignore_sslboolIgnores all Websocket SSL related errors (like Self-Signed Certificates, etc.)False
modules.websocket.preserve_graphboolPreserve full chains of events in the graph (prevents orphans)True
modules.websocket.tokenstrAuthorization Bearer token
modules.websocket.urlstrWeb URL
modules.zeromq.zmq_addressstrThe ZeroMQ socket address to publish events to (e.g. tcp://localhost:5555)
modules.excavate.custom_yara_rulesstrInclude custom Yara rules
modules.excavate.max_form_bytesintMaximum byte slice of the response body searched for a single <form> body. YARA only locates form openings; the bounded slice is what the Python re-based extractor scans for fields. Caps worst-case extraction work per form match. 262144
modules.excavate.speculate_paramsboolEnable speculative parameter extraction from JSON and XML contentFalse
modules.excavate.yara_max_match_dataintSets the maximum amount of text that can extracted from a YARA regex2000
modules.speculate.essential_onlyboolOnly enable essential speculate features (no extra discovery)False
modules.speculate.ip_range_max_hostsintMax number of hosts an IP_RANGE can contain to allow conversion into IP_ADDRESS events65536
modules.speculate.portsstrThe set of ports to speculate on80,443