OWASP Amass Network Mapping Herramienta Cheat Sheet
"Clase de la hoja" idbutton id="owasp-amass-copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos id="owasp-amass-pdf-btn" class="pdf-btn" onclick="generatePDF()" Generar PDF seleccionado/button ■/div titulada
Sinopsis
OWASP Amass es una herramienta de mapeo de redes de código abierto y de descubrimiento de activos externos que ayuda a los profesionales de la seguridad de la información a descubrir activos pertenecientes a su organización. Realiza la enumeración DNS, descubrimiento de subdominios y reconocimiento de red para mapear la superficie de ataque de una organización a través de diversas fuentes y técnicas de datos.
NOVEDAD Advertencia: Esta herramienta está destinada únicamente a pruebas de penetración autorizadas y evaluaciones de seguridad. Asegúrese de tener la autorización adecuada antes de usar contra cualquier objetivo.
Instalación
Instalación
# Install via Go
go install -v github.com/owasp-amass/amass/v4/...@master
# Verify installation
amass version
Paquete Manager Instalación
# Ubuntu/Debian
sudo apt update
sudo apt install amass
# Arch Linux
sudo pacman -S amass
# macOS with Homebrew
brew install amass
# Kali Linux (pre-installed)
amass -h
Docker Instalación
# Pull Docker image
docker pull caffix/amass
# Run with Docker
docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -d example.com
Instalación manual
# Download latest release
wget https://github.com/OWASP/Amass/releases/download/v4.2.0/amass_Linux_amd64.zip
unzip amass_Linux_amd64.zip
sudo mv amass_Linux_amd64/amass /usr/local/bin/
# Make executable
sudo chmod +x /usr/local/bin/amass
Uso básico
Estructura del comando
# Basic syntax
amass [subcommand] [options]
# Get help
amass -h
amass [subcommand] -h
# Check version
amass -version
Subcomandantes disponibles
| Subcommand | Description |
|---|---|
enum |
Perform DNS enumeration and network mapping |
intel |
Collect intelligence on the target organization |
viz |
Generate visualizations of enumeration results |
track |
Compare results across multiple enumerations |
db |
Manage the graph database |
DNS Enumeration
Enumeración básica
# Basic subdomain enumeration
amass enum -d example.com
# Multiple domains
amass enum -d example.com,target.org
# Domain list from file
amass enum -df domains.txt
# Passive enumeration only
amass enum -passive -d example.com
# Active enumeration (includes DNS brute force)
amass enum -active -d example.com
Opciones avanzadas de enumeración
# Increase verbosity
amass enum -v -d example.com
# Set maximum DNS queries per minute
amass enum -d example.com -max-dns-queries 1000
# Set timeout for DNS queries
amass enum -d example.com -timeout 30
# Include IP addresses in output
amass enum -ip -d example.com
# Include CIDR ranges
amass enum -cidr 192.168.1.0/24 -d example.com
Opciones de salida
# Save results to file
amass enum -d example.com -o results.txt
# JSON output format
amass enum -d example.com -json results.json
# Directory for all output files
amass enum -d example.com -dir ./amass_output
# Log file location
amass enum -d example.com -log amass.log
Configuración de fuentes de datos
Configuración de claves de API
# Create config file
mkdir ~/.config/amass
nano ~/.config/amass/config.ini
# Example config.ini content:
[data_sources]
[data_sources.AlienVault]
[data_sources.AlienVault.Credentials]
apikey = your_api_key_here
[data_sources.Censys]
[data_sources.Censys.Credentials]
api_id = your_api_id
secret = your_secret
[data_sources.Shodan]
[data_sources.Shodan.Credentials]
apikey = your_shodan_api_key
[data_sources.SecurityTrails]
[data_sources.SecurityTrails.Credentials]
apikey = your_securitytrails_api_key
[data_sources.VirusTotal]
[data_sources.VirusTotal.Credentials]
apikey = your_virustotal_api_key
Gestión de fuentes de datos
# List available data sources
amass enum -list
# Exclude specific data sources
amass enum -d example.com -exclude censys,shodan
# Include only specific data sources
amass enum -d example.com -include virustotal,securitytrails
# Show data source usage
amass enum -d example.com -src
Reunión de inteligencia
Organization Intelligence
# Gather intelligence on organization
amass intel -org "Example Corporation"
# Search by autonomous system number
amass intel -asn 12345
# Search by IP address
amass intel -addr 192.168.1.1
# Search by CIDR range
amass intel -cidr 192.168.1.0/24
# Reverse WHOIS lookup
amass intel -whois -d example.com
Opciones avanzadas de inteligencia
# Include related domains
amass intel -org "Example Corporation" -max-depth 3
# Active intelligence gathering
amass intel -active -org "Example Corporation"
# Passive intelligence only
amass intel -passive -org "Example Corporation"
# Output to file
amass intel -org "Example Corporation" -o intel_results.txt
Fuerza bruta y lista de palabras
DNS Brute Force
# Enable brute force with default wordlist
amass enum -brute -d example.com
# Custom wordlist
amass enum -brute -w custom_wordlist.txt -d example.com
# Multiple wordlists
amass enum -brute -w wordlist1.txt,wordlist2.txt -d example.com
# Minimum word length for brute force
amass enum -brute -min-for-recursive 3 -d example.com
Gestión de Wordlist
# Common wordlist locations
/usr/share/amass/wordlists/
/usr/share/wordlists/amass/
~/.config/amass/wordlists/
# Create custom wordlist
echo -e "api\ndev\ntest\nstaging\nwww\nmail\nftp" > custom_subs.txt
# Use SecLists wordlists
amass enum -brute -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -d example.com
Mapping and Visualization
Network Discovery
# Discover network infrastructure
amass enum -d example.com -ip -cidr 192.168.1.0/24
# Include ASN information
amass enum -d example.com -asn
# Discover related networks
amass intel -org "Example Corporation" -cidr 10.0.0.0/8
# Map network relationships
amass enum -d example.com -ip -asn -cidr 192.168.0.0/16
Visualización
# Generate DOT file for Graphviz
amass viz -d3 -d example.com
# Generate Gephi file
amass viz -gephi -d example.com
# Generate Maltego file
amass viz -maltego -d example.com
# Generate visualization from database
amass viz -d3 -d example.com -db amass.db
Operaciones de base de datos de gráficos
# Import previous results
amass db -import results.json
# Export database results
amass db -export results.json -d example.com
# Show database statistics
amass db -show -d example.com
# List domains in database
amass db -list
# Delete domain from database
amass db -delete -d example.com
Técnicas avanzadas
Enumeración Recursiva
# Recursive subdomain discovery
amass enum -d example.com -recursive
# Set recursion depth
amass enum -d example.com -recursive -max-depth 5
# Minimum subdomain length for recursion
amass enum -d example.com -recursive -min-for-recursive 2
Tasa de limitación y rendimiento
# Limit DNS queries per minute
amass enum -d example.com -max-dns-queries 500
# Set number of concurrent goroutines
amass enum -d example.com -max-flow 1000
# Adjust timing between requests
amass enum -d example.com -freq 100ms
# Set overall timeout
amass enum -d example.com -timeout 60
Filtro y alcance
# Include subdomains matching pattern
amass enum -d example.com -include ".*\.prod\..*"
# Exclude subdomains matching pattern
amass enum -d example.com -exclude ".*\.test\..*"
# Blacklist specific subdomains
echo -e "test.example.com\ndev.example.com" > blacklist.txt
amass enum -d example.com -blacklist blacklist.txt
# Include only specific TLDs
amass enum -d example.com -include ".*\.com$"
Integración con otras herramientas
Integración de Nmap
# Export subdomains for Nmap scanning
amass enum -d example.com -o subdomains.txt
nmap -iL subdomains.txt -p 80,443,8080,8443 --open
# Combine with Nmap for service discovery
amass enum -d example.com -ip|grep -oE "\b([0-9]\\\\{1,3\\\\}\.)\\\\{3\\\\}[0-9]\\\\{1,3\\\\}\b"|sort -u > ips.txt
nmap -iL ips.txt -sV -sC
Nuclei Integration
# Use Amass results with Nuclei
amass enum -d example.com -o subdomains.txt
nuclei -l subdomains.txt -t /path/to/nuclei-templates/
# Combine with httpx for live subdomain detection
amass enum -d example.com|httpx -silent|nuclei -t /path/to/nuclei-templates/
Subfinder Integration
# Combine Amass with Subfinder
amass enum -passive -d example.com -o amass_results.txt
subfinder -d example.com -o subfinder_results.txt
cat amass_results.txt subfinder_results.txt|sort -u > combined_results.txt
Scripts de automatización
Script de reconocimiento completo
#!/bin/bash
DOMAIN=$1
OUTPUT_DIR="amass_recon_$(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAIN" ]; then
echo "Usage: $0 <domain>"
exit 1
fi
mkdir -p $OUTPUT_DIR
echo "[+] Starting comprehensive reconnaissance for $DOMAIN"
# Passive enumeration
echo "[+] Running passive enumeration..."
amass enum -passive -d $DOMAIN -o "$OUTPUT_DIR/passive_subdomains.txt"
# Active enumeration with brute force
echo "[+] Running active enumeration with brute force..."
amass enum -active -brute -d $DOMAIN -o "$OUTPUT_DIR/active_subdomains.txt"
# Intelligence gathering
echo "[+] Gathering intelligence..."
amass intel -d $DOMAIN -o "$OUTPUT_DIR/intelligence.txt"
# Combine results
echo "[+] Combining results..."
cat "$OUTPUT_DIR/passive_subdomains.txt" "$OUTPUT_DIR/active_subdomains.txt"|sort -u > "$OUTPUT_DIR/all_subdomains.txt"
# Generate visualization
echo "[+] Generating visualization..."
amass viz -d3 -d $DOMAIN -o "$OUTPUT_DIR/visualization.html"
# Extract IP addresses
echo "[+] Extracting IP addresses..."
grep -oE "\b([0-9]\\\\{1,3\\\\}\.)\\\\{3\\\\}[0-9]\\\\{1,3\\\\}\b" "$OUTPUT_DIR/all_subdomains.txt"|sort -u > "$OUTPUT_DIR/ip_addresses.txt"
echo "[+] Reconnaissance complete. Results saved in $OUTPUT_DIR/"
echo "[+] Found $(wc -l ``< "$OUTPUT_DIR/all_subdomains.txt") unique subdomains"
echo "[+] Found $(wc -l < "$OUTPUT_DIR/ip_addresses.txt") unique IP addresses"
Script de monitoreo continuo
#!/bin/bash
DOMAIN=$1
INTERVAL=3600 # 1 hour
BASELINE_FILE="baseline_$DOMAIN.txt"
ALERT_EMAIL="security@company.com"
if [ -z "$DOMAIN" ]; then
echo "Usage: $0 <domain>``"
exit 1
fi
# Create baseline if it doesn't exist
if [ ! -f "$BASELINE_FILE" ]; then
echo "[+] Creating baseline for $DOMAIN"
amass enum -passive -d $DOMAIN -o $BASELINE_FILE
fi
while true; do
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
CURRENT_FILE="current_$\\\\{DOMAIN\\\\}_$\\\\{TIMESTAMP\\\\}.txt"
echo "[+] Running enumeration at $(date)"
amass enum -passive -d $DOMAIN -o $CURRENT_FILE
# Compare with baseline
NEW_SUBDOMAINS=$(comm -13 <(sort $BASELINE_FILE) <(sort $CURRENT_FILE))
if [ ! -z "$NEW_SUBDOMAINS" ]; then
echo "[!] New subdomains discovered:"
echo "$NEW_SUBDOMAINS"
# Send alert email
echo "New subdomains discovered for $DOMAIN: $NEW_SUBDOMAINS"|\
mail -s "Amass Alert: New Subdomains for $DOMAIN" $ALERT_EMAIL
# Update baseline
cat $BASELINE_FILE $CURRENT_FILE|sort -u > temp_baseline.txt
mv temp_baseline.txt $BASELINE_FILE
fi
# Clean up
rm $CURRENT_FILE
echo "[+] Sleeping for $INTERVAL seconds..."
sleep $INTERVAL
done
Evaluación multidominio
#!/bin/bash
DOMAINS_FILE=$1
OUTPUT_BASE="multi_domain_$(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAINS_FILE" ]; then
echo "Usage: $0 <domains_file>"
exit 1
fi
mkdir -p $OUTPUT_BASE
echo "[+] Starting multi-domain assessment"
while read domain; do
if [ ! -z "$domain" ]; then
echo "[+] Processing $domain"
domain_dir="$OUTPUT_BASE/$domain"
mkdir -p "$domain_dir"
# Passive enumeration
amass enum -passive -d $domain -o "$domain_dir/passive.txt"
# Active enumeration
amass enum -active -d $domain -o "$domain_dir/active.txt"
# Intelligence gathering
amass intel -d $domain -o "$domain_dir/intel.txt"
# Combine results
cat "$domain_dir/passive.txt" "$domain_dir/active.txt"|sort -u > "$domain_dir/all_subdomains.txt"
echo "[+] Found $(wc -l < "$domain_dir/all_subdomains.txt") subdomains for $domain"
fi
done < $DOMAINS_FILE
# Generate summary report
echo "[+] Generating summary report..."
echo "Multi-Domain Assessment Summary" > "$OUTPUT_BASE/summary.txt"
echo "===============================" >> "$OUTPUT_BASE/summary.txt"
echo "" >> "$OUTPUT_BASE/summary.txt"
for domain_dir in $OUTPUT_BASE/*/; do
domain=$(basename "$domain_dir")
if [ -f "$domain_dir/all_subdomains.txt" ]; then
count=$(wc -l < "$domain_dir/all_subdomains.txt")
echo "$domain: $count subdomains" >> "$OUTPUT_BASE/summary.txt"
fi
done
echo "[+] Multi-domain assessment complete. Results in $OUTPUT_BASE/"
Optimización del rendimiento
Gestión de los recursos
# Optimize for large-scale enumeration
amass enum -d example.com -max-dns-queries 2000 -max-flow 2000
# Reduce memory usage
amass enum -d example.com -passive -max-dns-queries 500
# Optimize for speed
amass enum -d example.com -active -brute -max-dns-queries 5000 -timeout 10
Configuración Tuning
# Create performance-optimized config
cat > ~/.config/amass/config.ini << EOF
[scope]
[scope.domains]
example.com = true
[scope.blacklisted]
test.example.com = true
[bruteforce]
enabled = true
recursive = true
min_for_recursive = 1
[alterations]
enabled = true
minimum = 1
[settings]
max_dns_queries = 2000
max_flow = 2000
EOF
Solución de problemas
Cuestiones comunes
# DNS resolution issues
amass enum -d example.com -r 8.8.8.8,1.1.1.1
# Rate limiting issues
amass enum -d example.com -max-dns-queries 100 -freq 1s
# Memory issues
amass enum -d example.com -passive -max-flow 500
# Timeout issues
amass enum -d example.com -timeout 120
Modo de depuración
# Enable debug output
amass enum -d example.com -debug
# Verbose logging
amass enum -d example.com -v -log debug.log
# Show data sources being used
amass enum -d example.com -src -v
Validación de configuración
# Test configuration file
amass enum -config ~/.config/amass/config.ini -list
# Validate API keys
amass enum -d example.com -src -v|grep -i "api\|key\|auth"
# Check data source availability
amass enum -list|grep -E "(Available|Enabled)"
Buenas prácticas
Estrategia de reconocimiento
- Empieza con la enumeración pasiva: Minimizar el riesgo de detección
- Utilice múltiples fuentes de datos: Combina diferentes fuentes de inteligencia
- Implement rate limiting: Evitar la infraestructura objetivo abrumadora
- ** Supervisión periódica**: Configuración de monitoreo continuo de subdominios
- Resultados válidos: Verificar los activos descubiertos son legítimos
Seguridad operacional
# Use VPN or proxy for reconnaissance
export HTTP_PROXY=http://proxy:8080
export HTTPS_PROXY=http://proxy:8080
amass enum -d example.com
# Rotate API keys
# Use different API keys for different assessments
# Implement delays
amass enum -d example.com -freq 2s -max-dns-queries 100
Gestión de datos
# Regular database maintenance
amass db -show
amass db -delete -d old_domain.com
# Backup important results
cp ~/.config/amass/amass.db backup_$(date +%Y%m%d).db
# Export results in multiple formats
amass db -export json_results.json -d example.com
amass viz -d3 -d example.com -o visualization.html
Recursos
- OWASP Amass GitHub Repository
- Amass Documentation
- OWASP Amass Project Page
- Vídeos Tutoriales de Masa
- Bug Bounty Methodology
-...
*Esta hoja de trampa proporciona una referencia completa para usar OWASP Amass. Siempre asegúrese de tener una autorización adecuada antes de realizar el reconocimiento de red y el descubrimiento de activos. *