
BBOT Pentesting Workflow for HackTheBox

Issue: BBOT Portscan Limitations

BBOT's portscan module uses masscan, which can miss ports on heavily filtered targets like HTB machines and Active Directory Domain Controllers. Masscan is optimized for speed, not accuracy on filtered hosts.

Symptoms:
- Portscan completes in ~8 seconds (too fast)
- 0 ports found despite host being alive
- Nmap finds ports but BBOT doesn't

Option 1: Nmap for Ports, Then BBOT for Enumeration

# Step 1: Use nmap for reliable port discovery (greppable output for step 2)
sudo nmap -sV -p- --min-rate 1000 TARGET_IP -oG ports.txt

# Step 2: Extract discovered ports
PORTS=$(grep -oP '\d+/open' ports.txt | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')

# Step 3: Run BBOT enumeration with discovered ports
bbot-sudo -t TARGET_IP \
  -m portscan,fingerprintx,httpx,sslcert,ntlm,wappalyzer \
  -c modules.portscan.ports="$PORTS" \
  -n htb_enum -o /tmp/bbot_scans -y
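A more robust version of steps 2 and 3, added here as an example and not part of the original notes: it parses nmap's greppable output with awk instead of the one-line grep, keeps only TCP ports whose state is exactly "open", de-duplicates, and refuses to launch BBOT with an empty port list. The sample output and host are constructed; bbot-sudo is the wrapper described in the Quick Reference section.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: convert nmap greppable
# output (-oG) into the comma-separated list modules.portscan.ports expects.
# Unlike the one-line grep, it keeps only TCP ports whose state is exactly
# "open" (drops "filtered", "closed" and UDP "open|filtered"), de-duplicates
# across repeated Host lines, and refuses to run BBOT with an empty list.
set -u

# Constructed sample of nmap -oG output (fields are tab-separated) so the
# example runs offline; the host and ports are made up.
sample_greppable() {
    printf 'Host: 10.10.10.10 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.10 ()\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 5985/open/tcp//http///\tIgnored State: closed (65530)\n'
    printf 'Host: 10.10.10.10 ()\tPorts: 445/open/tcp//microsoft-ds///, 53/open|filtered/udp//domain///\n'
}

# extract_open_ports FILE -> "53,88,445,5985" on stdout; exit 1 if none open.
extract_open_ports() {
    local file="$1" ports
    ports=$(awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entries, /, */)
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")   # f[1]=port f[2]=state f[3]=proto
                    if (f[2] == "open" && f[3] == "tcp") print f[1]
                }
            }
        }' "$file" | sort -n -u | paste -s -d ',' -)
    if [ -z "$ports" ]; then
        echo "extract_open_ports: no open TCP ports in $file" >&2
        return 1
    fi
    printf '%s\n' "$ports"
}

# Step 3 from the notes, gated on a non-empty port list (uses the bbot-sudo
# wrapper described in the Quick Reference section).
htb_enum() {
    local target="$1" portsfile="$2" ports
    ports=$(extract_open_ports "$portsfile") || return 1
    bbot-sudo -t "$target" \
        -m portscan,fingerprintx,httpx,sslcert,ntlm,wappalyzer \
        -c modules.portscan.ports="$ports" \
        -n htb_enum -o /tmp/bbot_scans -y
}
```

Run as `htb_enum TARGET_IP ports.txt` after the nmap scan from step 1; a scan that found nothing open exits non-zero instead of starting a BBOT run with no ports.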

Option 2: BBOT for Web Targets (Skip Portscan)

If you know the target has web services:

# Direct web enumeration (bypasses portscan)
bbot-sudo -t http://TARGET_IP https://TARGET_IP \
  -p web-thorough \
  -n htb_web -o /tmp/bbot_scans -y

# Or with specific modules
bbot-sudo -t http://TARGET_IP \
  -m httpx,wappalyzer,sslcert,ntlm,badsecrets,nuclei \
  -n htb_web_scan -o /tmp/bbot_scans -y

Option 3: Subdomain Enumeration (BBOT's Strength)

BBOT excels at subdomain discovery and passive reconnaissance:

# Subdomain enumeration with your API keys
bbot -t target.htb \
  -p subdomain-enum \
  -n domain_enum -o /tmp/bbot_scans -y

# Add DNS to /etc/hosts first if needed
echo "10.129.232.168 frizz.htb" | sudo tee -a /etc/hosts

# Then enumerate subdomains
bbot -t frizz.htb \
  -p subdomain-enum \
  -n frizz_domains -o /tmp/bbot_scans -y

HTB-Specific BBOT Config

Your config (~/.config/bbot/bbot.yml) has been tuned for HTB:

modules:
  portscan:
    top_ports: 2000
    rate: 500              # Lower for VPN stability
    wait: 15               # Higher for filtered targets
    adapter: "tun0"        # Explicit VPN interface

Common HTB Scenarios

Scenario 1: Windows AD Domain Controller (like frizz.htb)

# 1. Nmap for ports (greppable output so the port list can be extracted in step 2)
sudo nmap -sV -p- --min-rate 1000 10.129.232.168 -oG frizz_ports.txt

# 2. BBOT for web/service enum on discovered ports (portscan must be enabled
#    so the ports below are emitted as events for httpx/sslcert/ntlm)
bbot-sudo -t 10.129.232.168 \
  -m portscan,httpx,sslcert,ntlm,wappalyzer,nuclei \
  -c modules.portscan.ports="$(grep -oP '\d+/open' frizz_ports.txt | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')" \
  -n frizz_enum -o /tmp/bbot_scans -y

# 3. Check for subdomains/vhosts
bbot -t frizz.htb -p subdomain-enum -n frizz_subdomains -o /tmp/bbot_scans -y

Scenario 2: Web Application Target

# Direct HTTP enumeration
bbot -t http://10.129.232.168 -p web-thorough -n webapp_scan -o /tmp/bbot_scans -y

# With nuclei scanning
bbot -t http://10.129.232.168 -p nuclei -n vuln_scan -o /tmp/bbot_scans -y

Scenario 3: Cloud/Subdomain Discovery

# Full subdomain + cloud enum (uses your API keys)
bbot -t target.htb -p subdomain-enum,cloud-enum -n full_recon -o /tmp/bbot_scans -y

Useful BBOT Presets for Pentesting

# List all available presets
bbot -lp

# Web application testing
bbot -t TARGET -p web-thorough -o /tmp/bbot_scans -y

# Subdomain discovery
bbot -t domain.com -p subdomain-enum -o /tmp/bbot_scans -y

# Nuclei vulnerability scanning
bbot -t http://TARGET -p nuclei -o /tmp/bbot_scans -y

# Technology detection
bbot -t TARGET -p tech-detect -o /tmp/bbot_scans -y

# Cloud resource enumeration
bbot -t company.com -p cloud-enum -o /tmp/bbot_scans -y

Quick Reference: Common Commands

# Helper script for sudo access
bbot-sudo [args]  # Wrapper for: sudo env "PATH=$PATH" bbot [args]

# Check scan results
cat /tmp/bbot_scans/SCAN_NAME/output.txt

# View discovered URLs
grep "URL" /tmp/bbot_scans/SCAN_NAME/output.txt

# View discovered subdomains
grep "DNS_NAME" /tmp/bbot_scans/SCAN_NAME/output.txt

# Check scan logs
cat /tmp/bbot_scans/SCAN_NAME/scan.log

Troubleshooting

Portscan finds 0 ports

Problem: Masscan is too fast for filtered HTB targets
Solution: Use nmap first, then feed ports to BBOT

"Command not found" when using sudo bbot

Problem: sudo uses a different PATH
Solution: Use the bbot-sudo wrapper or sudo env "PATH=$PATH" bbot

API modules not working

Problem: API keys not configured
Solution: Edit ~/.config/bbot/bbot.yml or ~/.config/bbot/secrets.yml


Key Takeaway: For HTB and heavily filtered targets, use nmap for port discovery and BBOT for enumeration/reconnaissance on discovered services. BBOT excels at subdomain enumeration, web application testing, and leveraging multiple OSINT APIs simultaneously.