OWASP Amass - Quick Tutorial & Example Usage

Amass is an intelligent tool used for information gathering and enhancement of the attack surface. This open-source tool helps in identifying hidden resource/targets through DNS enumeration and network mapping. Refer other passive reconnaissance and active reconnaissance techniques to understand on reconnaissance methods. Tool support rate-limiting (-max-dns-queries flag), DNS wildcard detection, DNS name alteration etc. In this article, I have covered quick tutorial & example usage on OWASP Amass tool.

Following are the inputs to give output based on enumeration:

  • IP Range (x.x.x.x/24)
  • URL ( *.example.com)
  • Company name ( XYZ)
  • ASN number (AS 12312)

Note: This is not exhaustive list of inputs.

Installation

OWASP Amass can be installed on Linux based OS by using below command:

go get -u http://github.com/OWASP/Amass/…
amass enum –list

For Mac OS,

brew tap caffix/amass
brew install amass
amass enum –list

To check whether amass is installed properly or not,

amass -h
amass -version

Amass Core Modules

amass intelDiscover targets for enumeration
amass enumDNS enumeration and network mapping
amass vizVisual enumeration results
amass trackIdentify differences between output results
amass dbUse graph database

Top Example Usage of OWASP Amass

(1) Basic Command to enum target

amass enum -d <URL>

(2) Mention ports for scan.

amass enum -d <URL> -p 443,8080

(3) Combining different options to get more refined results. -d options enable users to enter multiple URLs and -active options use active recon methods.

amass enum -d <URL1>,<URL2> -active 

(4) Perform brute force by using - brute option for subdomain enumeration. -src option display data sources for the discovered names and -demo option display results in presentable manner

amass enum -brute -src -d <URL> -demo

(5) To do passive reconnaissance

amass enum -passive -d <URL> -src

Additional available options with enum:

(6) Identify domains by using -whois option

amass intel -d <url> -whois

(7) Enable active recon method

amass intel -active -cidr 123.134.0.0/15

(8) Search based on ASN

amass intel -asn 23314,81323

(9) Search string based on AS description information

amass intel -org "google"

Additional available options with intel:

(10) Basic command using track option

amass track -d example.com

(11) Path to a file providing root domain names

amass track -df target.txt

Additional available options with track:

(12) Basic command using viz. -d option enable users to enter multiple URLs and -d3 option output a D3.js v4 force simulation HTML file.

amass viz -d3 -d <URL>

Additional available options with viz:

Conclusion

Amass is powerful tool for enumeration and more you use it, more options you familiar with the tool. I hope you like this article, if I miss anything, let me know in comments.

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published.