OWASP Amass - Quick Tutorial & Example Usage

Amass is an intelligent tool used for information gathering and enhancement of the attack surface. This open-source tool helps in identifying hidden resources/targets through DNS enumeration and network mapping. Refer to other passive reconnaissance and active reconnaissance techniques to understand reconnaissance methods. Tool support rate-limiting (-max-dns-queries flag), DNS wildcard detection, DNS name alteration, etc. In this article, I have covered a quick tutorial & example usage of the OWASP Amass tool.

Following are the inputs to give output based on enumeration:

• IP Range (x.x.x.x/24)
• URL ( *.example.com)
• Company name ( XYZ)
• ASN number (AS 12312)

Note: This is not an exhaustive list of inputs.

Installation

OWASP Amass can be installed on Linux-based OS by using the below command:

go get -u http://github.com/OWASP/Amass/…
amass enum –list

For Mac OS,

brew tap caffix/amass
brew install amass
amass enum –list

To check whether amass is installed properly or not,

amass -h

amass -version

Amass Core Modules

amass intel	Discover targets for enumeration
amass enum	DNS enumeration and network mapping
amass viz	Visual enumeration results
amass track	Identify differences between output results
amass db	Use graph database

Top Example Usage of OWASP Amass

(1) Basic Command to enum target

amass enum -d <URL>

(2) Mention ports for the scan

amass enum -d <URL> -p 443,8080

(3) Combining different options to get more refined results. -d options enable users to enter multiple URLs and -active options use active recon methods.

amass enum -d <URL1>,<URL2> -active 

(4) Perform brute force by using - brute option for subdomain enumeration. -src option display data sources for the discovered names and -demo option display results in a presentable manner

amass enum -brute -src -d <URL> -demo

(5) To do passive reconnaissance

amass enum -passive -d <URL> -src

Additional available options with an enum:

(6) Identify domains by using -whois option

amass intel -d <url> -whois

(7) Enable active recon method

amass intel -active -cidr 123.134.0.0/15

(8) Search based on ASN

amass intel -asn 23314,81323

(9) Search string based on AS description information

amass intel -org "google"

Additional available options with intel:

(10) Basic command using track option

amass track -d example.com

(11) Path to a file providing root domain names

amass track -df target.txt

Additional available options with the track:

(12) Basic command using viz. -d option enables users to enter multiple URLs and -d3 option output a D3.js v4 force simulation HTML file.

amass viz -d3 -d <URL>

Additional available options with viz:

Conclusion

Amass is a powerful tool for enumeration and the more you use it, the more options you are familiar with the tool. I hope you like this article, if I miss anything, let me know in the comments.