OWASP Amass Network Mapping Tool Cheat Sheet
Überblick
OWASP Amass ist ein Open-Source-Netzwerk Mapping und externe Asset Discovery-Tool, das hilft, Informationssicherheit Fachleute entdecken Vermögenswerte ihrer Organisation. Es führt DNS-Enumeration, Subdomain-Erkennung und Netzwerk-Erklärung, um eine Organisation Angriffsfläche durch verschiedene Datenquellen und Techniken.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und Sicherheitsbewertungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation
Zur Installation
```bash
Install via Go
go install -v github.com/owasp-amass/amass/v4/...@master
Verify installation
amass version ```_
Installation des Paketmanagers
```bash
Ubuntu/Debian
sudo apt update sudo apt install amass
Arch Linux
sudo pacman -S amass
macOS with Homebrew
brew install amass
Kali Linux (pre-installed)
amass -h ```_
Docker Installation
```bash
Pull Docker image
docker pull caffix/amass
Run with Docker
docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -d example.com ```_
Manuelle Installation
```bash
Download latest release
wget https://github.com/OWASP/Amass/releases/download/v4.2.0/amass_Linux_amd64.zip unzip amass_Linux_amd64.zip sudo mv amass_Linux_amd64/amass /usr/local/bin/
Make executable
sudo chmod +x /usr/local/bin/amass ```_
Basisnutzung
Befehlsstruktur
```bash
Basic syntax
amass [subcommand] [options]
Get help
amass -h amass [subcommand] -h
Check version
amass -version ```_
Verfügbare Unterbefehle
| | Subcommand | Description | |
| --- | --- |
| | enum | Perform DNS enumeration and network mapping | |
| | intel | Collect intelligence on the target organization | |
| | viz | Generate visualizations of enumeration results | |
| | track | Compare results across multiple enumerations | |
| | db | Manage the graph database | |
DNS Aufzählung
Grundaufzählung
```bash
Basic subdomain enumeration
amass enum -d example.com
Multiple domains
amass enum -d example.com,target.org
Domain list from file
amass enum -df domains.txt
Passive enumeration only
amass enum -passive -d example.com
Active enumeration (includes DNS brute force)
amass enum -active -d example.com ```_
Erweiterte Enumerationsoptionen
```bash
Increase verbosity
amass enum -v -d example.com
Set maximum DNS queries per minute
amass enum -d example.com -max-dns-queries 1000
Set timeout for DNS queries
amass enum -d example.com -timeout 30
Include IP addresses in output
amass enum -ip -d example.com
Include CIDR ranges
amass enum -cidr 192.168.1.0/24 -d example.com ```_
Ausgabeoptionen
```bash
Save results to file
amass enum -d example.com -o results.txt
JSON output format
amass enum -d example.com -json results.json
Directory for all output files
amass enum -d example.com -dir ./amass_output
Log file location
amass enum -d example.com -log amass.log ```_
Datenquellen Konfiguration
API Keys Konfiguration
```bash
Create config file
mkdir ~/.config/amass nano ~/.config/amass/config.ini
Example config.ini content:
[data_sources] [data_sources.AlienVault] [data_sources.AlienVault.Credentials] apikey = your_api_key_here
[data_sources.Censys] [data_sources.Censys.Credentials] api_id = your_api_id secret = your_secret
[data_sources.Shodan] [data_sources.Shodan.Credentials] apikey = your_shodan_api_key
[data_sources.SecurityTrails] [data_sources.SecurityTrails.Credentials] apikey = your_securitytrails_api_key
[data_sources.VirusTotal] [data_sources.VirusTotal.Credentials] apikey = your_virustotal_api_key ```_
Datenquellenverwaltung
```bash
List available data sources
amass enum -list
Exclude specific data sources
amass enum -d example.com -exclude censys,shodan
Include only specific data sources
amass enum -d example.com -include virustotal,securitytrails
Show data source usage
amass enum -d example.com -src ```_
Nachrichten sammeln
Organisation Intelligenz
```bash
Gather intelligence on organization
amass intel -org "Example Corporation"
Search by autonomous system number
amass intel -asn 12345
Search by IP address
amass intel -addr 192.168.1.1
Search by CIDR range
amass intel -cidr 192.168.1.0/24
Reverse WHOIS lookup
amass intel -whois -d example.com ```_
Erweiterte Nachrichtenoptionen
```bash
Include related domains
amass intel -org "Example Corporation" -max-depth 3
Active intelligence gathering
amass intel -active -org "Example Corporation"
Passive intelligence only
amass intel -passive -org "Example Corporation"
Output to file
amass intel -org "Example Corporation" -o intel_results.txt ```_
Brute Force und Wordlists
DNS Brute Kraft
```bash
Enable brute force with default wordlist
amass enum -brute -d example.com
Custom wordlist
amass enum -brute -w custom_wordlist.txt -d example.com
Multiple wordlists
amass enum -brute -w wordlist1.txt,wordlist2.txt -d example.com
Minimum word length for brute force
amass enum -brute -min-for-recursive 3 -d example.com ```_
Englische Sprache
```bash
Common wordlist locations
/usr/share/amass/wordlists/ /usr/share/wordlists/amass/ ~/.config/amass/wordlists/
Create custom wordlist
echo -e "api\ndev\ntest\nstaging\nwww\nmail\nftp" > custom_subs.txt
Use SecLists wordlists
amass enum -brute -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -d example.com ```_
Netzwerk Mapping und Visualisierung
Network Discovery
```bash
Discover network infrastructure
amass enum -d example.com -ip -cidr 192.168.1.0/24
Include ASN information
amass enum -d example.com -asn
Discover related networks
amass intel -org "Example Corporation" -cidr 10.0.0.0/8
Map network relationships
amass enum -d example.com -ip -asn -cidr 192.168.0.0/16 ```_
Visualisierung
```bash
Generate DOT file for Graphviz
amass viz -d3 -d example.com
Generate Gephi file
amass viz -gephi -d example.com
Generate Maltego file
amass viz -maltego -d example.com
Generate visualization from database
amass viz -d3 -d example.com -db amass.db ```_
Datenbank-Betriebe
```bash
Import previous results
amass db -import results.json
Export database results
amass db -export results.json -d example.com
Show database statistics
amass db -show -d example.com
List domains in database
amass db -list
Delete domain from database
amass db -delete -d example.com ```_
Erweiterte Techniken
Wiederkehrende Zählung
```bash
Recursive subdomain discovery
amass enum -d example.com -recursive
Set recursion depth
amass enum -d example.com -recursive -max-depth 5
Minimum subdomain length for recursion
amass enum -d example.com -recursive -min-for-recursive 2 ```_
Grenzwerte und Leistung
```bash
Limit DNS queries per minute
amass enum -d example.com -max-dns-queries 500
Set number of concurrent goroutines
amass enum -d example.com -max-flow 1000
Adjust timing between requests
amass enum -d example.com -freq 100ms
Set overall timeout
amass enum -d example.com -timeout 60 ```_
Filter und Anwendungsbereich
```bash
Include subdomains matching pattern
amass enum -d example.com -include "..prod.."
Exclude subdomains matching pattern
amass enum -d example.com -exclude "..test.."
Blacklist specific subdomains
echo -e "test.example.com\ndev.example.com" > blacklist.txt amass enum -d example.com -blacklist blacklist.txt
Include only specific TLDs
amass enum -d example.com -include ".*.com$" ```_
Integration mit anderen Tools
Nmap Integration
```bash
Export subdomains for Nmap scanning
amass enum -d example.com -o subdomains.txt nmap -iL subdomains.txt -p 80,443,8080,8443 --open
Combine with Nmap for service discovery
| amass enum -d example.com -ip | grep -oE "\b([0-9]\\{1,3\\}.)\\{3\\}[0-9]\\{1,3\\}\b" | sort -u > ips.txt | nmap -iL ips.txt -sV -sC ```_
Nucles Integration
```bash
Use Amass results with Nuclei
amass enum -d example.com -o subdomains.txt nuclei -l subdomains.txt -t /path/to/nuclei-templates/
Combine with httpx for live subdomain detection
| amass enum -d example.com | httpx -silent | nuclei -t /path/to/nuclei-templates/ | ```_
Subfinder Integration
```bash
Combine Amass with Subfinder
amass enum -passive -d example.com -o amass_results.txt subfinder -d example.com -o subfinder_results.txt cat amass_results.txt subfinder_results.txt|sort -u > combined_results.txt ```_
Automatisierungsskripte
Umfassendes Reconnaissance Script
```bash
!/bin/bash
DOMAIN=$1 OUTPUT_DIR="amass_recon_$(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAIN" ]; then
echo "Usage: $0
mkdir -p $OUTPUT_DIR
echo "[+] Starting comprehensive reconnaissance for $DOMAIN"
Passive enumeration
echo "[+] Running passive enumeration..." amass enum -passive -d $DOMAIN -o "$OUTPUT_DIR/passive_subdomains.txt"
Active enumeration with brute force
echo "[+] Running active enumeration with brute force..." amass enum -active -brute -d $DOMAIN -o "$OUTPUT_DIR/active_subdomains.txt"
Intelligence gathering
echo "[+] Gathering intelligence..." amass intel -d $DOMAIN -o "$OUTPUT_DIR/intelligence.txt"
Combine results
echo "[+] Combining results..." cat "$OUTPUT_DIR/passive_subdomains.txt" "$OUTPUT_DIR/active_subdomains.txt"|sort -u > "$OUTPUT_DIR/all_subdomains.txt"
Generate visualization
echo "[+] Generating visualization..." amass viz -d3 -d $DOMAIN -o "$OUTPUT_DIR/visualization.html"
Extract IP addresses
echo "[+] Extracting IP addresses..." grep -oE "\b([0-9]\\{1,3\\}.)\\{3\\}[0-9]\\{1,3\\}\b" "$OUTPUT_DIR/all_subdomains.txt"|sort -u > "$OUTPUT_DIR/ip_addresses.txt"
echo "[+] Reconnaissance complete. Results saved in $OUTPUT_DIR/" echo "[+] Found $(wc -l ``< "$OUTPUT_DIR/all_subdomains.txt") unique subdomains" echo "[+] Found $(wc -l < "$OUTPUT_DIR/ip_addresses.txt") unique IP addresses" ```_
Continuous Monitoring Script
```bash
!/bin/bash
DOMAIN=$1 INTERVAL=3600 # 1 hour BASELINE_FILE="baseline_$DOMAIN.txt" ALERT_EMAIL="security@company.com"
if [ -z "$DOMAIN" ]; then
echo "Usage: $0
Create baseline if it doesn't exist
if [ ! -f "$BASELINE_FILE" ]; then echo "[+] Creating baseline for $DOMAIN" amass enum -passive -d $DOMAIN -o $BASELINE_FILE fi
while true; do TIMESTAMP=$(date +%Y%m%d_%H%M%S) CURRENT_FILE="current_$\\{DOMAIN\\}_$\\{TIMESTAMP\\}.txt"
echo "[+] Running enumeration at $(date)"
amass enum -passive -d $DOMAIN -o $CURRENT_FILE
# Compare with baseline
NEW_SUBDOMAINS=$(comm -13 <(sort $BASELINE_FILE) <(sort $CURRENT_FILE))
if [ ! -z "$NEW_SUBDOMAINS" ]; then
echo "[!] New subdomains discovered:"
echo "$NEW_SUBDOMAINS"
# Send alert email
echo "New subdomains discovered for $DOMAIN: $NEW_SUBDOMAINS"|\
mail -s "Amass Alert: New Subdomains for $DOMAIN" $ALERT_EMAIL
# Update baseline
cat $BASELINE_FILE $CURRENT_FILE|sort -u > temp_baseline.txt
mv temp_baseline.txt $BASELINE_FILE
fi
# Clean up
rm $CURRENT_FILE
echo "[+] Sleeping for $INTERVAL seconds..."
sleep $INTERVAL
done ```_
Multi-Domain-Bewertung
```bash
!/bin/bash
DOMAINS_FILE=$1 OUTPUT_BASE="multi_domain_$(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAINS_FILE" ]; then
echo "Usage: $0
mkdir -p $OUTPUT_BASE
echo "[+] Starting multi-domain assessment"
while read domain; do if [ ! -z "$domain" ]; then echo "[+] Processing $domain" domain_dir="$OUTPUT_BASE/$domain" mkdir -p "$domain_dir"
# Passive enumeration
amass enum -passive -d $domain -o "$domain_dir/passive.txt"
# Active enumeration
amass enum -active -d $domain -o "$domain_dir/active.txt"
# Intelligence gathering
amass intel -d $domain -o "$domain_dir/intel.txt"
# Combine results
cat "$domain_dir/passive.txt" "$domain_dir/active.txt"|sort -u > "$domain_dir/all_subdomains.txt"
echo "[+] Found $(wc -l < "$domain_dir/all_subdomains.txt") subdomains for $domain"
fi
done < $DOMAINS_FILE
Generate summary report
echo "[+] Generating summary report..." echo "Multi-Domain Assessment Summary" > "$OUTPUT_BASE/summary.txt" echo "===============================" >> "$OUTPUT_BASE/summary.txt" echo "" >> "$OUTPUT_BASE/summary.txt"
for domain_dir in $OUTPUT_BASE/*/; do domain=$(basename "$domain_dir") if [ -f "$domain_dir/all_subdomains.txt" ]; then count=$(wc -l < "$domain_dir/all_subdomains.txt") echo "$domain: $count subdomains" >> "$OUTPUT_BASE/summary.txt" fi done
echo "[+] Multi-domain assessment complete. Results in $OUTPUT_BASE/" ```_
Leistungsoptimierung
Ressourcenmanagement
```bash
Optimize for large-scale enumeration
amass enum -d example.com -max-dns-queries 2000 -max-flow 2000
Reduce memory usage
amass enum -d example.com -passive -max-dns-queries 500
Optimize for speed
amass enum -d example.com -active -brute -max-dns-queries 5000 -timeout 10 ```_
Konfiguration Tuning
```bash
Create performance-optimized config
cat > ~/.config/amass/config.ini << EOF [scope] [scope.domains] example.com = true
[scope.blacklisted] test.example.com = true
[bruteforce] enabled = true recursive = true min_for_recursive = 1
[alterations] enabled = true minimum = 1
[settings] max_dns_queries = 2000 max_flow = 2000 EOF ```_
Fehlerbehebung
Gemeinsame Themen
```bash
DNS resolution issues
amass enum -d example.com -r 8.8.8.8,1.1.1.1
Rate limiting issues
amass enum -d example.com -max-dns-queries 100 -freq 1s
Memory issues
amass enum -d example.com -passive -max-flow 500
Timeout issues
amass enum -d example.com -timeout 120 ```_
Debug Mode
```bash
Enable debug output
amass enum -d example.com -debug
Verbose logging
amass enum -d example.com -v -log debug.log
Show data sources being used
amass enum -d example.com -src -v ```_
Konfigurationsvalidierung
```bash
Test configuration file
amass enum -config ~/.config/amass/config.ini -list
Validate API keys
| amass enum -d example.com -src -v | grep -i "api\ | key\ | auth" |
Check data source availability
| amass enum -list | grep -E "(Available | Enabled)" | ```_
Best Practices
Strategie der Aufklärung
- *Start mit passiver Aufzählung: Minimieren Sie das Erkennungsrisiko
- ** Verwenden Sie mehrere Datenquellen*: Kombinieren Sie verschiedene Intelligenzquellen
- Implementierungsquote: Überwältigende Zielinfrastruktur vermeiden
- Regular Monitoring: Kontinuierliche Subdomainüberwachung
- Validate Ergebnisse: Verify entdeckte Vermögenswerte sind legitim
Operationelle Sicherheit
```bash
Use VPN or proxy for reconnaissance
export HTTP_PROXY=http://proxy:8080 export HTTPS_PROXY=http://proxy:8080 amass enum -d example.com
Rotate API keys
Use different API keys for different assessments
Implement delays
amass enum -d example.com -freq 2s -max-dns-queries 100 ```_
Datenverwaltung
```bash
Regular database maintenance
amass db -show amass db -delete -d old_domain.com
Backup important results
cp ~/.config/amass/amass.db backup_$(date +%Y%m%d).db
Export results in multiple formats
amass db -export json_results.json -d example.com amass viz -d3 -d example.com -o visualization.html ```_
Ressourcen
- OWASP Amass GitHub Repository
- (LINK_5)
- [OWASP Amass Projektseite](_LINK_5___
- [Amass Tutorial Videos](LINK_5
- [Bug Bounty Methodology](_LINK_5___
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von OWASP Amass. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung haben, bevor Sie Netzwerk-Erklärung und Asset-Erkennung durchführen. *