Amass
In depth DNS Enumeration and network mapping. Amass combines active and passive fingerprinting so being concious about this is really important. It's a assessment tool with reporting features.
Install
Before diving into using Amass, we should make the most of it by adding API keys to it.
1. First, we can see which data sources are available for Amass (paid and free) by running:
2. Next, we will need to create a config file to add our API keys to.
sudo curl https://raw.githubusercontent.com/OWASP/Amass/master/examples/config.ini >~/.config/amass/config.ini
3. Now, see the file ~/.config/amass/config.ini and register in as many services as you can. Once you have obtained your API ID and Secret, edit the config.ini file and add the credentials to the file.
4. Now, edit the file to add the sources. It is recommended to add:
- censys.io: guesswork out of understanding and protecting your organization’s digital footprint.
- https://asnlookup.com: Quickly lookup updated information about specific Autonomous System Number (ASN), Organization, CIDR, or registered IP addresses (IPv4 and IPv6) among other relevant data. We also offer a free and paid API access!
- https://otx.alienvault.com: Quickly identify if your endpoints have been compromised in major cyber attacks using OTX Endpoint Security and many other.
- https://bigdatacloud.com
- https://cloudflare.com
- https://www.digicert.com/tls-ssl/certcentral-tls-ssl-manager:
- https://fullhunt.io
- https://github.com
- https://ipdata.co
- https://leakix.net
- as many more as you can.
5. When ready, we can run amass:
Basic usage
amass enum -active -d crapi.apisec.ai -ip -brute -dir path/to/save/results/
# enum: Perform ACTIVE enumerations and network mapping
# -ip: Show ip addresses of cached subdomais.
# -brute: Perform a brute force dns attack.
amass enum -passive -d crapi.apisec.ai -src -dir path/to/save/results/
# enum: Perform PASSIVE enumerations and network mapping.
# src: display sources of the host domain.
# -dir: Specify a folder to save results.
amass intel -d crapi.apisec.ai
# intel: Discover targets for enumerations. Passive fingerprinting.
Some flags:
-active: Attempt zone transfer and certificate name grabs.
-pasive: Passive fingerprinting.
-bl: Blacklist of subdomain names that will not be investigated
-d: to specify a domain
-ip: Show ip addresses of cached subdomais.
–include-unresolvable: output DNS names that did not resolve.
-o file.txt: To output the result into a file
-w: path to a different wordlist file
Also, to be more precise:
Amass has several useful command-line options. Use the intel command to collect SSL certificates, search reverse Whois records, and find ASN IDs associated with your target. Start by providing the command with target IP addresses
If this scan is successful, it will provide you with domain names. These domains can then be passed to intel with the whois option to perform a reverse Whois lookup:
This could give you a ton of results. Focus on the interesting results that relate to your target organization. Once you have a list of interesting domains, upgrade to the enum subcommand to begin enumerating subdomains. If you specify the -passive option, Amass will refrain from directly interacting with your target:
The active enum scan will perform much of the same scan as the passive one, but it will add domain name resolution, attempt DNS zone transfers, and grab SSL certificate information:
To up your game, add the -brute option to brute-force subdomains, -w to specify the API_superlist wordlist, and then the -dir option to send the output to the directory of your choice:
amass enum -active -brute -w /usr/share/wordlists/API_superlist -d [target domain] -dir [directory name]