Amass Tool Usage Examples
Here are some sample usage scenarios for Amass in a Linux environment, demonstrating its core capabilities for subdomain enumeration, reconnaissance, and network mapping:
1. Basic Subdomain Enumeration
To discover subdomains of a specific domain, use the following command:
amass enum -d example.com
- `enum`: This tells Amass to perform enumeration (discovery of subdomains).
- `-d`: Specifies the domain you want to target (`example.com` in this case).
This will output a list of discovered subdomains for the target domain.
2. Using Passive Data Sources
Amass also supports passive reconnaissance, which doesn't send direct requests to the target but uses available public data sources. You can run Amass with passive mode using:
amass enum -passive -d example.com
- `-passive`: Instructs Amass to use passive techniques only (no active probing of the target).
This mode is useful when you want to gather intelligence while minimizing the risk of alerting the target.
3. Brute Forcing Subdomains
Amass can brute-force subdomains using a wordlist. This is useful for discovering subdomains that might not be found through passive methods:
amass enum -brute -d example.com -src
- `-brute`: Enables brute force subdomain enumeration.
- `-src`: Includes the source of each found subdomain, providing more context.
4. Using Multiple Domains
If you want to perform enumeration across multiple domains, you can use the `-df` flag with a domain list file:
amass enum -df domains.txt
- `-df`: Specifies the file containing a list of domains (one per line) to enumerate subdomains for.
5. Visualizing Data
Amass can generate a graphical visualization of the relationship between domains, subdomains, and other network elements. To do this, use the following command:
amass viz -ip -graph -d example.com
- `viz`: Generates a visualization of discovered assets.
- `-ip`: Optionally, includes IP addresses in the graph.
- `-graph`: Creates a graphical representation.
This will output a visualization file that can be viewed using tools like Gephi or in a web browser.
6. Active Enumeration with DNS
If you want to perform active subdomain enumeration (sending DNS requests to gather subdomains), use:
amass enum -active -d example.com
- `-active`: Instructs Amass to perform active enumeration, including DNS queries to gather subdomains.
7. Scanning for IP Addresses
Amass can also enumerate IP addresses associated with a domain, revealing potentially sensitive assets. Use the following command to gather IP addresses associated with discovered subdomains:
amass enum -ip -d example.com
- `-ip`: Includes IP address resolution for the discovered subdomains.
8. Saving the Results to a File
You can save the discovered subdomains to a file for later analysis using the `-o` flag:
amass enum -d example.com -o output.txt
- `-o`: Specifies the output file where the results will be saved.
This will save the results to a file named `output.txt`.
9. Using API Keys for Enhanced Data Sources
Amass integrates with APIs from third-party services (like VirusTotal, Censys, etc.) to gather additional data. To use an API key, you can configure Amass by setting environment variables or by passing API keys via flags.
export AMASS_VT_API_KEY="your_virustotal_api_key"
amass enum -d example.com
This will integrate VirusTotal into the passive enumeration process.
10. Full Reconnaissance with Multiple Techniques
You can combine multiple techniques in one command to gather comprehensive information:
amass enum -d example.com -active -brute -passive -ip -o full_recon_output.txt
This command performs:
- Active enumeration: DNS lookups and other active probing.
- Brute force enumeration: Using a wordlist for discovering hidden subdomains.
- Passive enumeration: Gathering public information from external sources.
- IP resolution: Includes IP addresses associated with subdomains.
- Output to file: Saves everything to `full_recon_output.txt`.
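Once results are saved with `-o` (sections 8 and 10), the useful follow-up for an asset owner is to compare runs over time and flag names that appeared or vanished. The helper below is an added example, not code from the original page or from the Amass project; it assumes the output file holds one hostname per line, optionally followed by whitespace and resolved addresses (as with `-ip`), and the sample files it creates are constructed, not real data.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Amass): diff two saved
# Amass runs to spot attack-surface drift. Assumed input format: one hostname
# per line, optionally followed by whitespace and addresses (as with -ip).
set -eu
export LC_ALL=C   # byte-wise collation so sort and comm agree

# Normalise a results file to a sorted, unique list of lowercase hostnames:
# keep only the first field, drop blank lines and '#' comments.
amass_names() {
    awk 'NF && $1 !~ /^#/ { print tolower($1) }' "$1" | sort -u
}

# Hostnames present in the new run ($2) but absent from the baseline ($1).
new_subdomains() {
    tmp=$(mktemp -d)
    amass_names "$1" > "$tmp/old"
    amass_names "$2" > "$tmp/new"
    comm -13 "$tmp/old" "$tmp/new"
    rm -rf "$tmp"
}

# Hostnames present in the baseline ($1) but no longer seen in the new run ($2).
gone_subdomains() {
    tmp=$(mktemp -d)
    amass_names "$1" > "$tmp/old"
    amass_names "$2" > "$tmp/new"
    comm -23 "$tmp/old" "$tmp/new"
    rm -rf "$tmp"
}

# Constructed sample data standing in for two saved runs (no real hosts).
workdir=$(mktemp -d)
cat > "$workdir/baseline.txt" <<'EOF'
www.example.com 93.184.216.34
mail.example.com 93.184.216.35
vpn.example.com 93.184.216.36
EOF
cat > "$workdir/latest.txt" <<'EOF'
www.example.com 93.184.216.34
mail.example.com 93.184.216.35
Staging-DB.example.com 10.0.5.12
EOF

echo "== new since baseline =="
new_subdomains "$workdir/baseline.txt" "$workdir/latest.txt"
echo "== no longer seen =="
gone_subdomains "$workdir/baseline.txt" "$workdir/latest.txt"
```

Run it after each scheduled `amass enum ... -o` and feed the "new" list into your asset inventory review; an unexpected hostname is the signal worth investigating.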