OWASP Amass Network Mapping Tool Cheat Sheet¶
Überblick¶
OWASP Amass ist ein Open-Source-Netzwerk Mapping und externe Asset Discovery-Tool, das hilft, Informationssicherheit Fachleute entdecken Vermögenswerte ihrer Organisation. Es führt DNS-Enumeration, Subdomain-Erkennung und Netzwerk-Erklärung, um eine Organisation Angriffsfläche durch verschiedene Datenquellen und Techniken.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und Sicherheitsbewertungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation¶
Zur Installation¶
```bash
Install via Go¶
go install -v github.com/owasp-amass/amass/v4/...@master
Verify installation¶
amass version ```_
Installation des Paketmanagers¶
```bash
Ubuntu/Debian¶
sudo apt update sudo apt install amass
Arch Linux¶
sudo pacman -S amass
macOS with Homebrew¶
brew install amass
Kali Linux (pre-installed)¶
amass -h ```_
Docker Installation¶
```bash
Pull Docker image¶
docker pull caffix/amass
Run with Docker¶
docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -d example.com ```_
Manuelle Installation¶
```bash
Download latest release¶
wget https://github.com/OWASP/Amass/releases/download/v4.2.0/amass_Linux_amd64.zip unzip amass_Linux_amd64.zip sudo mv amass_Linux_amd64/amass /usr/local/bin/
Make executable¶
sudo chmod +x /usr/local/bin/amass ```_
Basisnutzung¶
Befehlsstruktur¶
```bash
Basic syntax¶
amass [subcommand] [options]
Get help¶
amass -h amass [subcommand] -h
Check version¶
amass -version ```_
Verfügbare Unterbefehle¶
| Subcommand | Description |
|---|---|
enum |
Perform DNS enumeration and network mapping |
intel |
Collect intelligence on the target organization |
viz |
Generate visualizations of enumeration results |
track |
Compare results across multiple enumerations |
db |
Manage the graph database |
DNS Aufzählung¶
Grundaufzählung¶
```bash
Basic subdomain enumeration¶
amass enum -d example.com
Multiple domains¶
amass enum -d example.com,target.org
Domain list from file¶
amass enum -df domains.txt
Passive enumeration only¶
amass enum -passive -d example.com
Active enumeration (includes DNS brute force)¶
amass enum -active -d example.com ```_
Erweiterte Enumerationsoptionen¶
```bash
Increase verbosity¶
amass enum -v -d example.com
Set maximum DNS queries per minute¶
amass enum -d example.com -max-dns-queries 1000
Set timeout for DNS queries¶
amass enum -d example.com -timeout 30
Include IP addresses in output¶
amass enum -ip -d example.com
Include CIDR ranges¶
amass enum -cidr 192.168.1.0/24 -d example.com ```_
Ausgabeoptionen¶
```bash
Save results to file¶
amass enum -d example.com -o results.txt
JSON output format¶
amass enum -d example.com -json results.json
Directory for all output files¶
amass enum -d example.com -dir ./amass_output
Log file location¶
amass enum -d example.com -log amass.log ```_
Datenquellen Konfiguration¶
API Keys Konfiguration¶
```bash
Create config file¶
mkdir ~/.config/amass nano ~/.config/amass/config.ini
Example config.ini content:¶
[data_sources] [data_sources.AlienVault] [data_sources.AlienVault.Credentials] apikey = your_api_key_here
[data_sources.Censys] [data_sources.Censys.Credentials] api_id = your_api_id secret = your_secret
[data_sources.Shodan] [data_sources.Shodan.Credentials] apikey = your_shodan_api_key
[data_sources.SecurityTrails] [data_sources.SecurityTrails.Credentials] apikey = your_securitytrails_api_key
[data_sources.VirusTotal] [data_sources.VirusTotal.Credentials] apikey = your_virustotal_api_key ```_
Datenquellenverwaltung¶
```bash
List available data sources¶
amass enum -list
Exclude specific data sources¶
amass enum -d example.com -exclude censys,shodan
Include only specific data sources¶
amass enum -d example.com -include virustotal,securitytrails
Show data source usage¶
amass enum -d example.com -src ```_
Nachrichten sammeln¶
Organisation Intelligenz¶
```bash
Gather intelligence on organization¶
amass intel -org "Example Corporation"
Search by autonomous system number¶
amass intel -asn 12345
Search by IP address¶
amass intel -addr 192.168.1.1
Search by CIDR range¶
amass intel -cidr 192.168.1.0/24
Reverse WHOIS lookup¶
amass intel -whois -d example.com ```_
Erweiterte Nachrichtenoptionen¶
```bash
Include related domains¶
amass intel -org "Example Corporation" -max-depth 3
Active intelligence gathering¶
amass intel -active -org "Example Corporation"
Passive intelligence only¶
amass intel -passive -org "Example Corporation"
Output to file¶
amass intel -org "Example Corporation" -o intel_results.txt ```_
Brute Force und Wordlists¶
DNS Brute Kraft¶
```bash
Enable brute force with default wordlist¶
amass enum -brute -d example.com
Custom wordlist¶
amass enum -brute -w custom_wordlist.txt -d example.com
Multiple wordlists¶
amass enum -brute -w wordlist1.txt,wordlist2.txt -d example.com
Minimum word length for brute force¶
amass enum -brute -min-for-recursive 3 -d example.com ```_
Englische Sprache¶
```bash
Common wordlist locations¶
/usr/share/amass/wordlists/ /usr/share/wordlists/amass/ ~/.config/amass/wordlists/
Create custom wordlist¶
echo -e "api\ndev\ntest\nstaging\nwww\nmail\nftp" > custom_subs.txt
Use SecLists wordlists¶
amass enum -brute -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -d example.com ```_
Netzwerk Mapping und Visualisierung¶
Network Discovery¶
```bash
Discover network infrastructure¶
amass enum -d example.com -ip -cidr 192.168.1.0/24
Include ASN information¶
amass enum -d example.com -asn
Discover related networks¶
amass intel -org "Example Corporation" -cidr 10.0.0.0/8
Map network relationships¶
amass enum -d example.com -ip -asn -cidr 192.168.0.0/16 ```_
Visualisierung¶
```bash
Generate DOT file for Graphviz¶
amass viz -d3 -d example.com
Generate Gephi file¶
amass viz -gephi -d example.com
Generate Maltego file¶
amass viz -maltego -d example.com
Generate visualization from database¶
amass viz -d3 -d example.com -db amass.db ```_
Datenbank-Betriebe¶
```bash
Import previous results¶
amass db -import results.json
Export database results¶
amass db -export results.json -d example.com
Show database statistics¶
amass db -show -d example.com
List domains in database¶
amass db -list
Delete domain from database¶
amass db -delete -d example.com ```_
Erweiterte Techniken¶
Wiederkehrende Zählung¶
```bash
Recursive subdomain discovery¶
amass enum -d example.com -recursive
Set recursion depth¶
amass enum -d example.com -recursive -max-depth 5
Minimum subdomain length for recursion¶
amass enum -d example.com -recursive -min-for-recursive 2 ```_
Grenzwerte und Leistung¶
```bash
Limit DNS queries per minute¶
amass enum -d example.com -max-dns-queries 500
Set number of concurrent goroutines¶
amass enum -d example.com -max-flow 1000
Adjust timing between requests¶
amass enum -d example.com -freq 100ms
Set overall timeout¶
amass enum -d example.com -timeout 60 ```_
Filter und Anwendungsbereich¶
```bash
Include subdomains matching pattern¶
amass enum -d example.com -include "..prod.."
Exclude subdomains matching pattern¶
amass enum -d example.com -exclude "..test.."
Blacklist specific subdomains¶
echo -e "test.example.com\ndev.example.com" > blacklist.txt amass enum -d example.com -blacklist blacklist.txt
Include only specific TLDs¶
amass enum -d example.com -include ".*.com$" ```_
Integration mit anderen Tools¶
Nmap Integration¶
```bash
Export subdomains for Nmap scanning¶
amass enum -d example.com -o subdomains.txt nmap -iL subdomains.txt -p 80,443,8080,8443 --open
Combine with Nmap for service discovery¶
amass enum -d example.com -ip|grep -oE "\b([0-9]\\{1,3\\}.)\\{3\\}[0-9]\\{1,3\\}\b"|sort -u > ips.txt nmap -iL ips.txt -sV -sC ```_
Nucles Integration¶
```bash
Use Amass results with Nuclei¶
amass enum -d example.com -o subdomains.txt nuclei -l subdomains.txt -t /path/to/nuclei-templates/
Combine with httpx for live subdomain detection¶
amass enum -d example.com|httpx -silent|nuclei -t /path/to/nuclei-templates/ ```_
Subfinder Integration¶
```bash
Combine Amass with Subfinder¶
amass enum -passive -d example.com -o amass_results.txt subfinder -d example.com -o subfinder_results.txt cat amass_results.txt subfinder_results.txt|sort -u > combined_results.txt ```_
Automatisierungsskripte¶
Umfassendes Reconnaissance Script¶
```bash
!/bin/bash¶
DOMAIN=\(1 OUTPUT_DIR="amass_recon_\)(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAIN" ]; then
echo "Usage: $0
mkdir -p $OUTPUT_DIR
echo "[+] Starting comprehensive reconnaissance for $DOMAIN"
Passive enumeration¶
echo "[+] Running passive enumeration..." amass enum -passive -d \(DOMAIN -o "\)OUTPUT_DIR/passive_subdomains.txt"
Active enumeration with brute force¶
echo "[+] Running active enumeration with brute force..." amass enum -active -brute -d \(DOMAIN -o "\)OUTPUT_DIR/active_subdomains.txt"
Intelligence gathering¶
echo "[+] Gathering intelligence..." amass intel -d \(DOMAIN -o "\)OUTPUT_DIR/intelligence.txt"
Combine results¶
echo "[+] Combining results..." cat "\(OUTPUT_DIR/passive_subdomains.txt" "\)OUTPUT_DIR/active_subdomains.txt"|sort -u > "$OUTPUT_DIR/all_subdomains.txt"
Generate visualization¶
echo "[+] Generating visualization..." amass viz -d3 -d \(DOMAIN -o "\)OUTPUT_DIR/visualization.html"
Extract IP addresses¶
echo "[+] Extracting IP addresses..." grep -oE "\b([0-9]\\{1,3\\}.)\\{3\\}[0-9]\\{1,3\\}\b" "\(OUTPUT_DIR/all_subdomains.txt"|sort -u > "\)OUTPUT_DIR/ip_addresses.txt"
echo "[+] Reconnaissance complete. Results saved in $OUTPUT_DIR/" echo "[+] Found \((wc -l ``< "\)OUTPUT_DIR/all_subdomains.txt") unique subdomains" echo "[+] Found \((wc -l < "\)OUTPUT_DIR/ip_addresses.txt") unique IP addresses" ```_
Continuous Monitoring Script¶
```bash
!/bin/bash¶
DOMAIN=\(1 INTERVAL=3600 # 1 hour BASELINE_FILE="baseline_\)DOMAIN.txt" ALERT_EMAIL="security@company.com"
if [ -z "$DOMAIN" ]; then
echo "Usage: $0
Create baseline if it doesn't exist¶
if [ ! -f "$BASELINE_FILE" ]; then echo "[+] Creating baseline for $DOMAIN" amass enum -passive -d $DOMAIN -o $BASELINE_FILE fi
while true; do TIMESTAMP=\((date +%Y%m%d_%H%M%S) CURRENT_FILE="current_\)\\{DOMAIN\\}_$\\{TIMESTAMP\\}.txt"
echo "[+] Running enumeration at $(date)"
amass enum -passive -d $DOMAIN -o $CURRENT_FILE
# Compare with baseline
NEW_SUBDOMAINS=$(comm -13 <(sort $BASELINE_FILE) <(sort $CURRENT_FILE))
if [ ! -z "$NEW_SUBDOMAINS" ]; then
echo "[!] New subdomains discovered:"
echo "$NEW_SUBDOMAINS"
# Send alert email
echo "New subdomains discovered for $DOMAIN: $NEW_SUBDOMAINS"|\
mail -s "Amass Alert: New Subdomains for $DOMAIN" $ALERT_EMAIL
# Update baseline
cat $BASELINE_FILE $CURRENT_FILE|sort -u > temp_baseline.txt
mv temp_baseline.txt $BASELINE_FILE
fi
# Clean up
rm $CURRENT_FILE
echo "[+] Sleeping for $INTERVAL seconds..."
sleep $INTERVAL
done ```_
Multi-Domain-Bewertung¶
```bash
!/bin/bash¶
DOMAINS_FILE=\(1 OUTPUT_BASE="multi_domain_\)(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAINS_FILE" ]; then
echo "Usage: $0
mkdir -p $OUTPUT_BASE
echo "[+] Starting multi-domain assessment"
while read domain; do if [ ! -z "\(domain" ]; then echo "[+] Processing \(domain" domain_dir="\)OUTPUT_BASE/\)domain" mkdir -p "$domain_dir"
# Passive enumeration
amass enum -passive -d $domain -o "$domain_dir/passive.txt"
# Active enumeration
amass enum -active -d $domain -o "$domain_dir/active.txt"
# Intelligence gathering
amass intel -d $domain -o "$domain_dir/intel.txt"
# Combine results
cat "$domain_dir/passive.txt" "$domain_dir/active.txt"|sort -u > "$domain_dir/all_subdomains.txt"
echo "[+] Found $(wc -l < "$domain_dir/all_subdomains.txt") subdomains for $domain"
fi
done < $DOMAINS_FILE
Generate summary report¶
echo "[+] Generating summary report..." echo "Multi-Domain Assessment Summary" > "\(OUTPUT_BASE/summary.txt" echo "===============================" >> "\)OUTPUT_BASE/summary.txt" echo "" >> "$OUTPUT_BASE/summary.txt"
for domain_dir in \(OUTPUT_BASE/*/; do domain=\)(basename "\(domain_dir") if [ -f "\)domain_dir/all_subdomains.txt" ]; then count=\((wc -l < "\)domain_dir/all_subdomains.txt") echo "$domain: \(count subdomains" >> "\)OUTPUT_BASE/summary.txt" fi done
echo "[+] Multi-domain assessment complete. Results in $OUTPUT_BASE/" ```_
Leistungsoptimierung¶
Ressourcenmanagement¶
```bash
Optimize for large-scale enumeration¶
amass enum -d example.com -max-dns-queries 2000 -max-flow 2000
Reduce memory usage¶
amass enum -d example.com -passive -max-dns-queries 500
Optimize for speed¶
amass enum -d example.com -active -brute -max-dns-queries 5000 -timeout 10 ```_
Konfiguration Tuning¶
```bash
Create performance-optimized config¶
cat > ~/.config/amass/config.ini << EOF [scope] [scope.domains] example.com = true
[scope.blacklisted] test.example.com = true
[bruteforce] enabled = true recursive = true min_for_recursive = 1
[alterations] enabled = true minimum = 1
[settings] max_dns_queries = 2000 max_flow = 2000 EOF ```_
Fehlerbehebung¶
Gemeinsame Themen¶
```bash
DNS resolution issues¶
amass enum -d example.com -r 8.8.8.8,1.1.1.1
Rate limiting issues¶
amass enum -d example.com -max-dns-queries 100 -freq 1s
Memory issues¶
amass enum -d example.com -passive -max-flow 500
Timeout issues¶
amass enum -d example.com -timeout 120 ```_
Debug Mode¶
```bash
Enable debug output¶
amass enum -d example.com -debug
Verbose logging¶
amass enum -d example.com -v -log debug.log
Show data sources being used¶
amass enum -d example.com -src -v ```_
Konfigurationsvalidierung¶
```bash
Test configuration file¶
amass enum -config ~/.config/amass/config.ini -list
Validate API keys¶
amass enum -d example.com -src -v|grep -i "api|key|auth"
Check data source availability¶
amass enum -list|grep -E "(Available|Enabled)" ```_
Best Practices¶
Strategie der Aufklärung¶
- **Start mit passiver Aufzählung*: Minimieren Sie das Erkennungsrisiko
- ** Verwenden Sie mehrere Datenquellen*: Kombinieren Sie verschiedene Intelligenzquellen
- Implementierungsquote: Überwältigende Zielinfrastruktur vermeiden
- Regular Monitoring: Kontinuierliche Subdomainüberwachung
- Validate Ergebnisse: Verify entdeckte Vermögenswerte sind legitim
Operationelle Sicherheit¶
```bash
Use VPN or proxy for reconnaissance¶
export HTTP_PROXY=http://proxy:8080 export HTTPS_PROXY=http://proxy:8080 amass enum -d example.com
Rotate API keys¶
Use different API keys for different assessments¶
Implement delays¶
amass enum -d example.com -freq 2s -max-dns-queries 100 ```_
Datenverwaltung¶
```bash
Regular database maintenance¶
amass db -show amass db -delete -d old_domain.com
Backup important results¶
cp ~/.config/amass/amass.db backup_$(date +%Y%m%d).db
Export results in multiple formats¶
amass db -export json_results.json -d example.com amass viz -d3 -d example.com -o visualization.html ```_
Ressourcen¶
- OWASP Amass GitHub Repository
- (LINK_5)
- [OWASP Amass Projektseite](LINK_5__
- [Amass Tutorial Videos](LINK_5
- [Bug Bounty Methodology](LINK_5__
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von OWASP Amass. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung haben, bevor Sie Netzwerk-Erklärung und Asset-Erkennung durchführen. *