OWASP outil de cartographie du réseau de masse feuille de chaleur
Aperçu général
OWASP Amass est un outil de cartographie de réseau et de découverte externe qui aide les professionnels de la sécurité de l'information à découvrir les actifs de leur organisation. Il effectue le dénombrement DNS, la découverte sous-domaine et la reconnaissance réseau pour cartographier la surface d'attaque d'une organisation à travers diverses sources de données et techniques.
C'est pas vrai. Attention : Cet outil est destiné uniquement aux tests de pénétration et aux évaluations de sécurité autorisés. Assurez-vous d'avoir une autorisation appropriée avant d'utiliser contre toute cible.
Installation
Aller à l'installation
# Install via Go
go install -v github.com/owasp-amass/amass/v4/...@master
# Verify installation
amass version
Installation du gestionnaire de paquets
# Ubuntu/Debian
sudo apt update
sudo apt install amass
# Arch Linux
sudo pacman -S amass
# macOS with Homebrew
brew install amass
# Kali Linux (pre-installed)
amass -h
```_
### Installation Docker
```bash
# Pull Docker image
docker pull caffix/amass
# Run with Docker
docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -d example.com
```_
### Installation manuelle
```bash
# Download latest release
wget https://github.com/OWASP/Amass/releases/download/v4.2.0/amass_Linux_amd64.zip
unzip amass_Linux_amd64.zip
sudo mv amass_Linux_amd64/amass /usr/local/bin/
# Make executable
sudo chmod +x /usr/local/bin/amass
Utilisation de base
Structure de commandement
# Basic syntax
amass [subcommand] [options]
# Get help
amass -h
amass [subcommand] -h
# Check version
amass -version
Sous-commandes disponibles
| Subcommand | Description |
|---|---|
enum |
Perform DNS enumeration and network mapping |
intel |
Collect intelligence on the target organization |
viz |
Generate visualizations of enumeration results |
track |
Compare results across multiple enumerations |
db |
Manage the graph database |
Énumération DNS
Énumération de base
# Basic subdomain enumeration
amass enum -d example.com
# Multiple domains
amass enum -d example.com,target.org
# Domain list from file
amass enum -df domains.txt
# Passive enumeration only
amass enum -passive -d example.com
# Active enumeration (includes DNS brute force)
amass enum -active -d example.com
Options avancées de dénombrement
# Increase verbosity
amass enum -v -d example.com
# Set maximum DNS queries per minute
amass enum -d example.com -max-dns-queries 1000
# Set timeout for DNS queries
amass enum -d example.com -timeout 30
# Include IP addresses in output
amass enum -ip -d example.com
# Include CIDR ranges
amass enum -cidr 192.168.1.0/24 -d example.com
Options de sortie
# Save results to file
amass enum -d example.com -o results.txt
# JSON output format
amass enum -d example.com -json results.json
# Directory for all output files
amass enum -d example.com -dir ./amass_output
# Log file location
amass enum -d example.com -log amass.log
Configuration des sources de données
Configuration des touches d'API
# Create config file
mkdir ~/.config/amass
nano ~/.config/amass/config.ini
# Example config.ini content:
[data_sources]
[data_sources.AlienVault]
[data_sources.AlienVault.Credentials]
apikey = your_api_key_here
[data_sources.Censys]
[data_sources.Censys.Credentials]
api_id = your_api_id
secret = your_secret
[data_sources.Shodan]
[data_sources.Shodan.Credentials]
apikey = your_shodan_api_key
[data_sources.SecurityTrails]
[data_sources.SecurityTrails.Credentials]
apikey = your_securitytrails_api_key
[data_sources.VirusTotal]
[data_sources.VirusTotal.Credentials]
apikey = your_virustotal_api_key
Gestion des sources de données
# List available data sources
amass enum -list
# Exclude specific data sources
amass enum -d example.com -exclude censys,shodan
# Include only specific data sources
amass enum -d example.com -include virustotal,securitytrails
# Show data source usage
amass enum -d example.com -src
Collecte de renseignements
Organisme de renseignement
# Gather intelligence on organization
amass intel -org "Example Corporation"
# Search by autonomous system number
amass intel -asn 12345
# Search by IP address
amass intel -addr 192.168.1.1
# Search by CIDR range
amass intel -cidr 192.168.1.0/24
# Reverse WHOIS lookup
amass intel -whois -d example.com
Options avancées en matière de renseignement
# Include related domains
amass intel -org "Example Corporation" -max-depth 3
# Active intelligence gathering
amass intel -active -org "Example Corporation"
# Passive intelligence only
amass intel -passive -org "Example Corporation"
# Output to file
amass intel -org "Example Corporation" -o intel_results.txt
Force brute et listes de mots
DNS Force brute
# Enable brute force with default wordlist
amass enum -brute -d example.com
# Custom wordlist
amass enum -brute -w custom_wordlist.txt -d example.com
# Multiple wordlists
amass enum -brute -w wordlist1.txt,wordlist2.txt -d example.com
# Minimum word length for brute force
amass enum -brute -min-for-recursive 3 -d example.com
Gestion des listes de mots
# Common wordlist locations
/usr/share/amass/wordlists/
/usr/share/wordlists/amass/
~/.config/amass/wordlists/
# Create custom wordlist
echo -e "api\ndev\ntest\nstaging\nwww\nmail\nftp" > custom_subs.txt
# Use SecLists wordlists
amass enum -brute -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -d example.com
Cartographie et visualisation des réseaux
Découverte du réseau
# Discover network infrastructure
amass enum -d example.com -ip -cidr 192.168.1.0/24
# Include ASN information
amass enum -d example.com -asn
# Discover related networks
amass intel -org "Example Corporation" -cidr 10.0.0.0/8
# Map network relationships
amass enum -d example.com -ip -asn -cidr 192.168.0.0/16
Visualisation
# Generate DOT file for Graphviz
amass viz -d3 -d example.com
# Generate Gephi file
amass viz -gephi -d example.com
# Generate Maltego file
amass viz -maltego -d example.com
# Generate visualization from database
amass viz -d3 -d example.com -db amass.db
Opérations de la base de données graphique
# Import previous results
amass db -import results.json
# Export database results
amass db -export results.json -d example.com
# Show database statistics
amass db -show -d example.com
# List domains in database
amass db -list
# Delete domain from database
amass db -delete -d example.com
Techniques avancées
Énumération récursive
# Recursive subdomain discovery
amass enum -d example.com -recursive
# Set recursion depth
amass enum -d example.com -recursive -max-depth 5
# Minimum subdomain length for recursion
amass enum -d example.com -recursive -min-for-recursive 2
Limite des taux et performance
# Limit DNS queries per minute
amass enum -d example.com -max-dns-queries 500
# Set number of concurrent goroutines
amass enum -d example.com -max-flow 1000
# Adjust timing between requests
amass enum -d example.com -freq 100ms
# Set overall timeout
amass enum -d example.com -timeout 60
Filtrage et portée
# Include subdomains matching pattern
amass enum -d example.com -include ".*\.prod\..*"
# Exclude subdomains matching pattern
amass enum -d example.com -exclude ".*\.test\..*"
# Blacklist specific subdomains
echo -e "test.example.com\ndev.example.com" > blacklist.txt
amass enum -d example.com -blacklist blacklist.txt
# Include only specific TLDs
amass enum -d example.com -include ".*\.com$"
Intégration avec d'autres outils
Intégration Nmap
# Export subdomains for Nmap scanning
amass enum -d example.com -o subdomains.txt
nmap -iL subdomains.txt -p 80,443,8080,8443 --open
# Combine with Nmap for service discovery
amass enum -d example.com -ip|grep -oE "\b([0-9]\\\\{1,3\\\\}\.)\\\\{3\\\\}[0-9]\\\\{1,3\\\\}\b"|sort -u > ips.txt
nmap -iL ips.txt -sV -sC
Intégration des noyaux
# Use Amass results with Nuclei
amass enum -d example.com -o subdomains.txt
nuclei -l subdomains.txt -t /path/to/nuclei-templates/
# Combine with httpx for live subdomain detection
amass enum -d example.com|httpx -silent|nuclei -t /path/to/nuclei-templates/
Intégration des sous-marins
# Combine Amass with Subfinder
amass enum -passive -d example.com -o amass_results.txt
subfinder -d example.com -o subfinder_results.txt
cat amass_results.txt subfinder_results.txt|sort -u > combined_results.txt
Scripts d'automatisation
Scénario complet de reconnaissance
#!/bin/bash
DOMAIN=$1
OUTPUT_DIR="amass_recon_$(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAIN" ]; then
echo "Usage: $0 <domain>"
exit 1
fi
mkdir -p $OUTPUT_DIR
echo "[+] Starting comprehensive reconnaissance for $DOMAIN"
# Passive enumeration
echo "[+] Running passive enumeration..."
amass enum -passive -d $DOMAIN -o "$OUTPUT_DIR/passive_subdomains.txt"
# Active enumeration with brute force
echo "[+] Running active enumeration with brute force..."
amass enum -active -brute -d $DOMAIN -o "$OUTPUT_DIR/active_subdomains.txt"
# Intelligence gathering
echo "[+] Gathering intelligence..."
amass intel -d $DOMAIN -o "$OUTPUT_DIR/intelligence.txt"
# Combine results
echo "[+] Combining results..."
cat "$OUTPUT_DIR/passive_subdomains.txt" "$OUTPUT_DIR/active_subdomains.txt"|sort -u > "$OUTPUT_DIR/all_subdomains.txt"
# Generate visualization
echo "[+] Generating visualization..."
amass viz -d3 -d $DOMAIN -o "$OUTPUT_DIR/visualization.html"
# Extract IP addresses
echo "[+] Extracting IP addresses..."
grep -oE "\b([0-9]\\\\{1,3\\\\}\.)\\\\{3\\\\}[0-9]\\\\{1,3\\\\}\b" "$OUTPUT_DIR/all_subdomains.txt"|sort -u > "$OUTPUT_DIR/ip_addresses.txt"
echo "[+] Reconnaissance complete. Results saved in $OUTPUT_DIR/"
echo "[+] Found $(wc -l ``< "$OUTPUT_DIR/all_subdomains.txt") unique subdomains"
echo "[+] Found $(wc -l < "$OUTPUT_DIR/ip_addresses.txt") unique IP addresses"
Scénario de surveillance continue
#!/bin/bash
DOMAIN=$1
INTERVAL=3600 # 1 hour
BASELINE_FILE="baseline_$DOMAIN.txt"
ALERT_EMAIL="security@company.com"
if [ -z "$DOMAIN" ]; then
echo "Usage: $0 <domain>``"
exit 1
fi
# Create baseline if it doesn't exist
if [ ! -f "$BASELINE_FILE" ]; then
echo "[+] Creating baseline for $DOMAIN"
amass enum -passive -d $DOMAIN -o $BASELINE_FILE
fi
while true; do
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
CURRENT_FILE="current_$\\\\{DOMAIN\\\\}_$\\\\{TIMESTAMP\\\\}.txt"
echo "[+] Running enumeration at $(date)"
amass enum -passive -d $DOMAIN -o $CURRENT_FILE
# Compare with baseline
NEW_SUBDOMAINS=$(comm -13 <(sort $BASELINE_FILE) <(sort $CURRENT_FILE))
if [ ! -z "$NEW_SUBDOMAINS" ]; then
echo "[!] New subdomains discovered:"
echo "$NEW_SUBDOMAINS"
# Send alert email
echo "New subdomains discovered for $DOMAIN: $NEW_SUBDOMAINS"|\
mail -s "Amass Alert: New Subdomains for $DOMAIN" $ALERT_EMAIL
# Update baseline
cat $BASELINE_FILE $CURRENT_FILE|sort -u > temp_baseline.txt
mv temp_baseline.txt $BASELINE_FILE
fi
# Clean up
rm $CURRENT_FILE
echo "[+] Sleeping for $INTERVAL seconds..."
sleep $INTERVAL
done
Évaluation multidomaine
#!/bin/bash
DOMAINS_FILE=$1
OUTPUT_BASE="multi_domain_$(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAINS_FILE" ]; then
echo "Usage: $0 <domains_file>"
exit 1
fi
mkdir -p $OUTPUT_BASE
echo "[+] Starting multi-domain assessment"
while read domain; do
if [ ! -z "$domain" ]; then
echo "[+] Processing $domain"
domain_dir="$OUTPUT_BASE/$domain"
mkdir -p "$domain_dir"
# Passive enumeration
amass enum -passive -d $domain -o "$domain_dir/passive.txt"
# Active enumeration
amass enum -active -d $domain -o "$domain_dir/active.txt"
# Intelligence gathering
amass intel -d $domain -o "$domain_dir/intel.txt"
# Combine results
cat "$domain_dir/passive.txt" "$domain_dir/active.txt"|sort -u > "$domain_dir/all_subdomains.txt"
echo "[+] Found $(wc -l < "$domain_dir/all_subdomains.txt") subdomains for $domain"
fi
done < $DOMAINS_FILE
# Generate summary report
echo "[+] Generating summary report..."
echo "Multi-Domain Assessment Summary" > "$OUTPUT_BASE/summary.txt"
echo "===============================" >> "$OUTPUT_BASE/summary.txt"
echo "" >> "$OUTPUT_BASE/summary.txt"
for domain_dir in $OUTPUT_BASE/*/; do
domain=$(basename "$domain_dir")
if [ -f "$domain_dir/all_subdomains.txt" ]; then
count=$(wc -l < "$domain_dir/all_subdomains.txt")
echo "$domain: $count subdomains" >> "$OUTPUT_BASE/summary.txt"
fi
done
echo "[+] Multi-domain assessment complete. Results in $OUTPUT_BASE/"
Optimisation des performances
Gestion des ressources
# Optimize for large-scale enumeration
amass enum -d example.com -max-dns-queries 2000 -max-flow 2000
# Reduce memory usage
amass enum -d example.com -passive -max-dns-queries 500
# Optimize for speed
amass enum -d example.com -active -brute -max-dns-queries 5000 -timeout 10
Réglage de la configuration
# Create performance-optimized config
cat > ~/.config/amass/config.ini << EOF
[scope]
[scope.domains]
example.com = true
[scope.blacklisted]
test.example.com = true
[bruteforce]
enabled = true
recursive = true
min_for_recursive = 1
[alterations]
enabled = true
minimum = 1
[settings]
max_dns_queries = 2000
max_flow = 2000
EOF
Dépannage
Questions communes
# DNS resolution issues
amass enum -d example.com -r 8.8.8.8,1.1.1.1
# Rate limiting issues
amass enum -d example.com -max-dns-queries 100 -freq 1s
# Memory issues
amass enum -d example.com -passive -max-flow 500
# Timeout issues
amass enum -d example.com -timeout 120
Mode de débogage
# Enable debug output
amass enum -d example.com -debug
# Verbose logging
amass enum -d example.com -v -log debug.log
# Show data sources being used
amass enum -d example.com -src -v
Validation de configuration
# Test configuration file
amass enum -config ~/.config/amass/config.ini -list
# Validate API keys
amass enum -d example.com -src -v|grep -i "api\|key\|auth"
# Check data source availability
amass enum -list|grep -E "(Available|Enabled)"
Meilleures pratiques
Stratégie de reconnaissance
- Démarrer avec le dénombrement passif: Réduire au minimum le risque de détection
- Utiliser plusieurs sources de données : Combiner différentes sources de renseignement
- ** Limite du taux d'exécution**: Éviter les infrastructures cibles écrasantes
- ** Surveillance régulière**: Mettre en place une surveillance continue du sous-domaine
- Résultats de validation : vérifier que les avoirs découverts sont légitimes
Sécurité opérationnelle
# Use VPN or proxy for reconnaissance
export HTTP_PROXY=http://proxy:8080
export HTTPS_PROXY=http://proxy:8080
amass enum -d example.com
# Rotate API keys
# Use different API keys for different assessments
# Implement delays
amass enum -d example.com -freq 2s -max-dns-queries 100
Gestion des données
# Regular database maintenance
amass db -show
amass db -delete -d old_domain.com
# Backup important results
cp ~/.config/amass/amass.db backup_$(date +%Y%m%d).db
# Export results in multiple formats
amass db -export json_results.json -d example.com
amass viz -d3 -d example.com -o visualization.html
Ressources
- [Répertoire GitHub de masse de l'OWASP] (LINK_5)
- [Documentation de masse] (LINK_5)
- Page du projet de masse de l'OWASP
- [Vidéos de tutoriels de masse] (LINK_5)
- [Méthode de Bounty Bug] (LINK_5)
*Cette feuille de triche fournit une référence complète pour l'utilisation de OWASP AMASS. Assurez-vous toujours d'avoir une autorisation appropriée avant de procéder à la reconnaissance du réseau et à la découverte des biens. *