BBTrecon is a modular reconnaissance framework built in Python 3.12+ for pentesting, bug bounty workflows, and HTB-style target discovery.
It focuses on a clean, production-style architecture with asynchronous networking, structured outputs, optional integration with external enumeration tools, and a simple CLI that supports running individual phases or the full pipeline.
- Asynchronous recon pipeline powered by asyncio and aiohttp
- Certificate Transparency enumeration through crt.sh
- Wayback Machine CDX enumeration for passive host discovery
- Optional external tooling support for subfinder and amass
- HTTP and HTTPS resolution of discovered subdomains
- Common Crawl harvesting using the latest 3 indexes
- Structured output under output/<domain>/
- JSON reporting for downstream automation
- Rich terminal output and file-based logging
- Modular codebase with clear separation of concerns
BBTrecon collects subdomains from:
- crt.sh
- Wayback Machine CDX API
- subfinder if installed
- amass if installed
All results are normalized, deduplicated, and saved to:
output/<domain>/subdomains.txt
BBTrecon probes discovered subdomains over both https:// and http:// using asynchronous requests to identify live endpoints.
Results are saved to:
output/<domain>/alive.txt
BBTrecon queries the latest 3 Common Crawl indexes, collects archived URLs within the target scope, and filters results against currently alive hosts.
Results are saved to:
output/<domain>/urls.txt
Each run produces a JSON report containing metadata, configuration, and artifact locations:
output/<domain>/report.json
BBTrecon/
├── main.py
├── requirements.txt
├── README.md
└── bbtrecon/
    ├── core/
    │   └── orchestrator.py
    ├── modules/
    │   ├── subdomain.py
    │   ├── resolver.py
    │   └── commoncrawl.py
    └── utils/
        └── logger.py
- Python 3.12+
- pip
- Optional:
  - subfinder
  - amass
Create and activate a virtual environment:
python3 -m venv .venv
source .venv/bin/activate

Install dependencies:
pip install -r requirements.txt

python3 main.py -h

python3 main.py -d example.com --full

python3 main.py -d example.com --full --no-external

Subdomain enumeration:
python3 main.py -d example.com --enum

HTTP resolution:
python3 main.py -d example.com --resolve

Common Crawl harvesting:
python3 main.py -d example.com --crawl

python3 main.py -d example.com --full --concurrency 20 --timeout 20

python3 main.py -d example.com --full --verbose

-d, --domain     Target domain
--enum           Run subdomain enumeration
--resolve        Run HTTP resolution
--crawl          Run Common Crawl harvesting
--full           Run the full pipeline
--no-external    Disable subfinder/amass execution
--concurrency    Maximum concurrent network tasks
--timeout        HTTP timeout in seconds
--output-root    Base output directory
--verbose        Enable debug logging
Example output directory:
output/example.com/
├── alive.txt
├── bbtrecon.log
├── report.json
├── subdomains.txt
└── urls.txt
{
  "tool": "BBTrecon",
  "domain": "example.com",
  "configuration": {
    "run_enum": true,
    "run_resolve": true,
    "run_crawl": true
  },
  "results": {
    "subdomains": {
      "count": 42,
      "file": "output/example.com/subdomains.txt"
    },
    "alive_endpoints": {
      "count": 18,
      "file": "output/example.com/alive.txt"
    },
    "archived_urls": {
      "count": 137,
      "file": "output/example.com/urls.txt"
    }
  }
}

- --resolve expects subdomains.txt to already exist unless you also run --enum or --full.
- --crawl expects alive.txt to already exist unless you also run --resolve or --full.
- External tools are used only if they are installed and discoverable in PATH.
- Common Crawl coverage depends on whether archived content exists for the target scope.
Basic syntax validation:
python3 -m compileall main.py bbtrecon

Use BBTrecon only against systems you own or are explicitly authorized to assess. You are responsible for complying with applicable laws, platform rules, and program scopes.
Add your preferred license here before publishing, for example MIT.