Ir al contenido
1337skills 1337skills - Hojas de Trucos

Amass

Amass is the OWASP project’s powerful tool for discovering the attack surface of your target organization through subdomain enumeration, passive reconnaissance, and active DNS queries. It integrates with dozens of OSINT data sources and can perform deep ASN enumeration and organization discovery.

Installation

Sección titulada «Installation»

APT (Debian/Ubuntu)

Sección titulada «APT (Debian/Ubuntu)»
apt-get update
apt-get install -y amass

Snap

Sección titulada «Snap»
snap install amass

Homebrew (macOS)

Sección titulada «Homebrew (macOS)»
brew install amass

Go Install

Sección titulada «Go Install»
go install -v github.com/owasp-amass/amass/v4/cmd/amass@latest

Docker

Sección titulada «Docker»
docker pull ghcr.io/owasp-amass/amass:latest
docker run -v "$(pwd):/work" ghcr.io/owasp-amass/amass:latest enum -d example.com -o /work/results.txt

Download from GitHub

Sección titulada «Download from GitHub»

Download the latest release from https://github.com/owasp-amass/amass/releases and extract the binary.

Subcommands Overview

Sección titulada «Subcommands Overview»
SubcommandPurpose
enumMain enumeration command for subdomain discovery
intelOSINT and organization intelligence gathering
dbDatabase operations to query cached results
dnsDNS resolution verification and lookups
trackTrack changes and track differences between enumeration runs

Passive Enumeration

Sección titulada «Passive Enumeration»

Passive enumeration queries OSINT data sources without sending traffic to the target’s DNS servers. No DNS brute-forcing is performed.

Basic Passive Enumeration

Sección titulada «Basic Passive Enumeration»
amass enum -passive -d example.com

Passive Enumeration with Output

Sección titulada «Passive Enumeration with Output»
amass enum -passive -d example.com -o results.txt

Multiple Domains

Sección titulada «Multiple Domains»
amass enum -passive -d example.com -d example.org -d example.net

Data Sources Used in Passive Mode

Sección titulada «Data Sources Used in Passive Mode»

Amass queries dozens of passive data sources including:

  • Certificate Transparency logs (Crt.sh, Google CT logs)
  • DNS records and zone file repositories
  • Search engines (Bing)
  • OSINT databases (Shodan, Censys)
  • DNS history services (SecurityTrails)
  • Archive sites and historical records

Passive with Source Filtering

Sección titulada «Passive with Source Filtering»
# List available data sources
amass enum -list

# Use specific sources
amass enum -passive -d example.com -src "Certspotter,Crtsh,Shodan"

Active Enumeration

Sección titulada «Active Enumeration»

Active enumeration performs DNS resolution and queries against the target’s infrastructure. This sends traffic to the target’s DNS servers.

Basic Active Enumeration

Sección titulada «Basic Active Enumeration»
amass enum -active -d example.com

Active with Zone Transfer Attempts

Sección titulada «Active with Zone Transfer Attempts»
# Zone transfers are attempted automatically during active enumeration
amass enum -active -d example.com

Certificate Grabbing

Sección titulada «Certificate Grabbing»
# Grab certificates during active reconnaissance
amass enum -active -d example.com

Increased Timeout for Slow Networks

Sección titulada «Increased Timeout for Slow Networks»
amass enum -active -d example.com -timeout 30

Brute Force Subdomain Discovery

Sección titulada «Brute Force Subdomain Discovery»

Brute force DNS enumeration tests potential subdomain names against the target’s nameservers.

Basic Brute Force

Sección titulada «Basic Brute Force»
amass enum -brute -d example.com

Brute Force with Custom Wordlist

Sección titulada «Brute Force with Custom Wordlist»
amass enum -brute -d example.com -w /path/to/wordlist.txt

Brute Force with Wordlist Mutations

Sección titulada «Brute Force with Wordlist Mutations»
# Apply mutations to wordlist entries
amass enum -brute -d example.com -w /path/to/wordlist.txt -wm

Limit DNS Name Length

Sección titulada «Limit DNS Name Length»
# Minimum length of 3, maximum length of 25 characters
amass enum -brute -d example.com -min-for-recursive 3 -max-dns-names 25

Performance Tuning

Sección titulada «Performance Tuning»
# Maximum concurrent DNS queries (default: 10000)
amass enum -brute -d example.com -max-dns-queries 5000

# Set timeout for DNS responses
amass enum -brute -d example.com -timeout 15

Brute Force Specific Nameservers

Sección titulada «Brute Force Specific Nameservers»
amass enum -brute -d example.com -ns 8.8.8.8 -ns 1.1.1.1

Intel Subcommand

Sección titulada «Intel Subcommand»

The intel subcommand gathers organizational intelligence through WHOIS, ASN discovery, and reverse lookups.

Sección titulada «Domain Organization Search»
amass intel -d example.com

Reverse WHOIS Lookup

Sección titulada «Reverse WHOIS Lookup»
# Find all domains registered to an organization
amass intel -d example.com -whois
Sección titulada «Organization-Based Search»
# Enumerate all domains for an organization
amass intel -org "Example Corporation"

ASN Enumeration

Sección titulada «ASN Enumeration»
# Find ASNs associated with the domain
amass intel -d example.com -asn

# Enumerate all domains in an ASN
amass intel -asn 12345

Combined Intel Operations

Sección titulada «Combined Intel Operations»
amass intel -d example.com -whois -asn -o intel_results.txt

DNS Subcommand

Sección titulada «DNS Subcommand»

The dns subcommand verifies DNS resolution and performs DNS-specific operations.

DNS Resolution Verification

Sección titulada «DNS Resolution Verification»
amass dns -d example.com

Resolve a Specific Subdomain

Sección titulada «Resolve a Specific Subdomain»
amass dns -d sub.example.com

Custom Nameservers

Sección titulada «Custom Nameservers»
amass dns -d example.com -ns 8.8.8.8 -ns 1.1.1.1

Output DNS Records

Sección titulada «Output DNS Records»
amass dns -d example.com -o dns_records.txt

Track Subcommand

Sección titulada «Track Subcommand»

Track changes between enumeration runs to identify newly discovered subdomains.

Track Enumeration Changes

Sección titulada «Track Enumeration Changes»
amass track -d example.com

Track with Previous Database

Sección titulada «Track with Previous Database»
# Compare against previous enumeration stored in database
amass track -d example.com

View Tracked Changes

Sección titulada «View Tracked Changes»
amass track -d example.com -show

Database Subcommand

Sección titulada «Database Subcommand»

Query and manage results stored in Amass’s local database from previous enumerations.

Show All Results for Domain

Sección titulada «Show All Results for Domain»
amass db -show -d example.com

List All Discovered Names

Sección titulada «List All Discovered Names»
amass db -show -d example.com -names

List All Discovered IPs

Sección titulada «List All Discovered IPs»
amass db -show -d example.com -ip

Summary Statistics

Sección titulada «Summary Statistics»
amass db -show -d example.com -summary

Export from Database

Sección titulada «Export from Database»
amass db -show -d example.com -o exported_results.txt

Database Location

Sección titulada «Database Location»

By default, the database is stored in the user’s home directory at ~/.config/amass/.

Configuration File

Sección titulada «Configuration File»

Create a config.yaml file to persist settings and API credentials for data sources.

Basic Configuration Structure

Sección titulada «Basic Configuration Structure»
# Data source API keys
datasources:
  credentials:
    - name: shodan
      keys:
        - "YOUR_SHODAN_API_KEY"
    - name: censys
      keys:
        - "YOUR_CENSYS_API_KEY"
    - name: securitytrails
      keys:
        - "YOUR_SECURITYTRAILS_API_KEY"

# Scope definition
scope:
  domains:
    - example.com
    - example.org

# Brute forcing settings
brute_forcing:
  enabled: true
  wordlist: /path/to/wordlist.txt
  minimum_for_recursive: 3

# DNS alterations and mutations
alterations:
  enabled: true
  flip_words: true
  flip_numbers: true
  add_words: true
  add_numbers: true

# Performance settings
max_dns_queries: 10000

Using the Configuration File

Sección titulada «Using the Configuration File»
amass enum -config /path/to/config.yaml

Data Source Configuration

Sección titulada «Data Source Configuration»

Amass supports integration with multiple OSINT data sources via API keys. Configure these in your config file or environment.

Shodan API Key

Sección titulada «Shodan API Key»
datasources:
  credentials:
    - name: shodan
      keys:
        - "YOUR_SHODAN_API_KEY"

Censys API Key

Sección titulada «Censys API Key»
datasources:
  credentials:
    - name: censys
      keys:
        - "YOUR_CENSYS_API_KEY"

SecurityTrails API Key

Sección titulada «SecurityTrails API Key»
datasources:
  credentials:
    - name: securitytrails
      keys:
        - "YOUR_SECURITYTRAILS_API_KEY"

VirusTotal API Key

Sección titulada «VirusTotal API Key»
datasources:
  credentials:
    - name: virustotal
      keys:
        - "YOUR_VIRUSTOTAL_API_KEY"

PassiveTotal API Key

Sección titulada «PassiveTotal API Key»
datasources:
  credentials:
    - name: passivetotal
      keys:
        - "YOUR_PASSIVETOTAL_API_KEY"

Adding Multiple API Keys

Sección titulada «Adding Multiple API Keys»
datasources:
  credentials:
    - name: shodan
      keys:
        - "API_KEY_1"
        - "API_KEY_2"
        - "API_KEY_3"

Output Options

Sección titulada «Output Options»

Control how Amass outputs and saves discovered results.

Output to Text File

Sección titulada «Output to Text File»
amass enum -passive -d example.com -o results.txt

JSON Output

Sección titulada «JSON Output»
amass enum -passive -d example.com -json -o results.json

Output Directory (Multiple Formats)

Sección titulada «Output Directory (Multiple Formats)»
amass enum -passive -d example.com -dir ./output/

All Output Formats

Sección titulada «All Output Formats»
# Saves results in all available formats
amass enum -passive -d example.com -oA results

Verbose Output

Sección titulada «Verbose Output»
amass enum -passive -d example.com -v

Very Verbose (Debug)

Sección titulada «Very Verbose (Debug)»
amass enum -passive -d example.com -vv

Scripting Engine

Sección titulada «Scripting Engine»

Amass supports custom data source scripts written in Lua for extending functionality.

Script Location

Sección titulada «Script Location»

Place custom scripts in ~/.config/amass/scripts/.

Basic Lua Script Template

Sección titulada «Basic Lua Script Template»
name = "CustomSource"
type = "api"

function vertical(ctx, domain)
  -- Your custom enumeration logic here
  return {}
end

Using Custom Scripts

Sección titulada «Using Custom Scripts»
amass enum -passive -d example.com

Custom scripts are automatically loaded and executed alongside built-in data sources.

Scope Management

Sección titulada «Scope Management»

Define and control the scope of your enumeration to include or exclude specific targets.

Include Unresolvable Names

Sección titulada «Include Unresolvable Names»
amass enum -passive -d example.com -include-unresolvable

Filter by IP Address Range

Sección titulada «Filter by IP Address Range»
amass enum -passive -d example.com -ip 192.168.0.0/16

Specify CIDR Ranges

Sección titulada «Specify CIDR Ranges»
amass enum -passive -d example.com -cidr 10.0.0.0/8

Blacklist Domains

Sección titulada «Blacklist Domains»
amass enum -passive -d example.com -bl example-test.com -bl test-env.com

Blacklist from File

Sección titulada «Blacklist from File»
# Create a file with one domain per line
amass enum -passive -d example.com -blf /path/to/blacklist.txt

Whitelist Domains

Sección titulada «Whitelist Domains»
amass enum -passive -d example.com -include example.com -include app.example.com

Performance Optimization

Sección titulada «Performance Optimization»

Tune Amass performance based on network conditions and target infrastructure.

Maximum DNS Queries

Sección titulada «Maximum DNS Queries»
# Limit concurrent DNS queries (default: 10000)
amass enum -brute -d example.com -max-dns-queries 5000

DNS Query Timeout

Sección titulada «DNS Query Timeout»
# Timeout in seconds for DNS responses
amass enum -brute -d example.com -timeout 30

Active Concurrency

Sección titulada «Active Concurrency»
# Control concurrent requests during active enumeration
amass enum -active -d example.com

Memory-Constrained Environments

Sección titulada «Memory-Constrained Environments»
# Use fewer concurrent operations
amass enum -passive -d example.com -max-dns-queries 500

Distributed Enumeration

Sección titulada «Distributed Enumeration»
# Run multiple instances with different wordlist portions
amass enum -brute -d example.com -w wordlist_part1.txt
amass enum -brute -d example.com -w wordlist_part2.txt

Troubleshooting

Sección titulada «Troubleshooting»

DNS Resolution Issues

Sección titulada «DNS Resolution Issues»
# Test with custom nameservers
amass enum -passive -d example.com -ns 8.8.8.8

API Key Problems

Sección titulada «API Key Problems»

Check that your API keys are correctly set in the config file and have appropriate permissions. Run Amass with verbose output to see which sources are failing.

Rate Limiting

Sección titulada «Rate Limiting»

If you encounter rate limiting, reduce the number of concurrent queries and increase timeouts:

amass enum -brute -d example.com -max-dns-queries 1000 -timeout 30

Memory Issues

Sección titulada «Memory Issues»

For large-scale enumerations, reduce data source use or split the enumeration across multiple runs.

Database Corruption

Sección titulada «Database Corruption»

Clear the database and start fresh:

rm -rf ~/.config/amass/
amass enum -passive -d example.com

Best Practices

Sección titulada «Best Practices»

  1. Start with Passive Enumeration: Always begin with passive techniques to avoid detection. Add active DNS queries only when needed for validation.

  2. Use Configuration Files: Store API credentials and scope definitions in a configuration file to maintain consistency across runs and avoid command-line credential exposure.

  3. Combine Multiple Data Sources: Leverage multiple OSINT sources (Shodan, Censys, SecurityTrails) to maximize coverage. Each source often reveals different subdomains.

  4. Track Changes Over Time: Use the track subcommand to identify newly discovered subdomains and monitor your attack surface changes.

  5. Implement Scope Management: Use blacklists and whitelists to focus enumeration on relevant targets and avoid noise from unrelated domains.

  6. Validate Actively: After passive enumeration, use active DNS resolution to confirm that discovered subdomains actually resolve to IP addresses.

  7. Export for Further Analysis: Export results in JSON format for parsing and further processing with other tools or scripts.

  8. Monitor Rate Limits: Be aware of API rate limits from data sources. Use API keys when available to increase quotas.

  9. Schedule Regular Enumerations: Run periodic enumerations to detect newly registered subdomains and changes in your attack surface.

  10. Combine with Other Tools: Use Amass output as input for vulnerability scanning, port scanning, or further reconnaissance with tools like Nmap.

Sección titulada «Related Tools»
ToolPurpose
SubfinderFast passive subdomain enumeration using multiple sources
SecurityTrailsOnline OSINT database for domain and subdomain history
DNSReconDNS reconnaissance and enumeration tool
FierceDNS scanning tool for discovering non-contiguous IP space
Sublist3rSubdomain enumeration using multiple search engines
NmapNetwork mapping and port scanning
ShodanSearch engine for internet-connected devices
CensysSearch engine for internet scanning and certificate data