Amass
Amass is the OWASP project’s powerful tool for discovering the attack surface of your target organization through subdomain enumeration, passive reconnaissance, and active DNS queries. It integrates with dozens of OSINT data sources and can perform deep ASN enumeration and organization discovery.
Installation
섹션 제목: “Installation”APT (Debian/Ubuntu)
섹션 제목: “APT (Debian/Ubuntu)”apt-get update
apt-get install -y amassSnap
섹션 제목: “Snap”snap install amassHomebrew (macOS)
섹션 제목: “Homebrew (macOS)”brew install amassGo Install
섹션 제목: “Go Install”go install -v github.com/owasp-amass/amass/v4/cmd/amass@latestDocker
섹션 제목: “Docker”docker pull ghcr.io/owasp-amass/amass:latest
docker run -v "$(pwd):/work" ghcr.io/owasp-amass/amass:latest enum -d example.com -o /work/results.txtDownload from GitHub
섹션 제목: “Download from GitHub”Download the latest release from https://github.com/owasp-amass/amass/releases and extract the binary.
Subcommands Overview
섹션 제목: “Subcommands Overview”| Subcommand | Purpose |
|---|---|
enum | Main enumeration command for subdomain discovery |
intel | OSINT and organization intelligence gathering |
db | Database operations to query cached results |
dns | DNS resolution verification and lookups |
track | Track changes and track differences between enumeration runs |
Passive Enumeration
섹션 제목: “Passive Enumeration”Passive enumeration queries OSINT data sources without sending traffic to the target’s DNS servers. No DNS brute-forcing is performed.
Basic Passive Enumeration
섹션 제목: “Basic Passive Enumeration”amass enum -passive -d example.comPassive Enumeration with Output
섹션 제목: “Passive Enumeration with Output”amass enum -passive -d example.com -o results.txtMultiple Domains
섹션 제목: “Multiple Domains”amass enum -passive -d example.com -d example.org -d example.netData Sources Used in Passive Mode
섹션 제목: “Data Sources Used in Passive Mode”Amass queries dozens of passive data sources including:
- Certificate Transparency logs (Crt.sh, Google CT logs)
- DNS records and zone file repositories
- Search engines (Bing)
- OSINT databases (Shodan, Censys)
- DNS history services (SecurityTrails)
- Archive sites and historical records
Passive with Source Filtering
섹션 제목: “Passive with Source Filtering”# List available data sources
amass enum -list
# Use specific sources
amass enum -passive -d example.com -src "Certspotter,Crtsh,Shodan"Active Enumeration
섹션 제목: “Active Enumeration”Active enumeration performs DNS resolution and queries against the target’s infrastructure. This sends traffic to the target’s DNS servers.
Basic Active Enumeration
섹션 제목: “Basic Active Enumeration”amass enum -active -d example.comActive with Zone Transfer Attempts
섹션 제목: “Active with Zone Transfer Attempts”# Zone transfers are attempted automatically during active enumeration
amass enum -active -d example.comCertificate Grabbing
섹션 제목: “Certificate Grabbing”# Grab certificates during active reconnaissance
amass enum -active -d example.comIncreased Timeout for Slow Networks
섹션 제목: “Increased Timeout for Slow Networks”amass enum -active -d example.com -timeout 30Brute Force Subdomain Discovery
섹션 제목: “Brute Force Subdomain Discovery”Brute force DNS enumeration tests potential subdomain names against the target’s nameservers.
Basic Brute Force
섹션 제목: “Basic Brute Force”amass enum -brute -d example.comBrute Force with Custom Wordlist
섹션 제목: “Brute Force with Custom Wordlist”amass enum -brute -d example.com -w /path/to/wordlist.txtBrute Force with Wordlist Mutations
섹션 제목: “Brute Force with Wordlist Mutations”# Apply mutations to wordlist entries
amass enum -brute -d example.com -w /path/to/wordlist.txt -wmLimit DNS Name Length
섹션 제목: “Limit DNS Name Length”# Minimum length of 3, maximum length of 25 characters
amass enum -brute -d example.com -min-for-recursive 3 -max-dns-names 25Performance Tuning
섹션 제목: “Performance Tuning”# Maximum concurrent DNS queries (default: 10000)
amass enum -brute -d example.com -max-dns-queries 5000
# Set timeout for DNS responses
amass enum -brute -d example.com -timeout 15Brute Force Specific Nameservers
섹션 제목: “Brute Force Specific Nameservers”amass enum -brute -d example.com -ns 8.8.8.8 -ns 1.1.1.1Intel Subcommand
섹션 제목: “Intel Subcommand”The intel subcommand gathers organizational intelligence through WHOIS, ASN discovery, and reverse lookups.
Domain Organization Search
섹션 제목: “Domain Organization Search”amass intel -d example.comReverse WHOIS Lookup
섹션 제목: “Reverse WHOIS Lookup”# Find all domains registered to an organization
amass intel -d example.com -whoisOrganization-Based Search
섹션 제목: “Organization-Based Search”# Enumerate all domains for an organization
amass intel -org "Example Corporation"ASN Enumeration
섹션 제목: “ASN Enumeration”# Find ASNs associated with the domain
amass intel -d example.com -asn
# Enumerate all domains in an ASN
amass intel -asn 12345Combined Intel Operations
섹션 제목: “Combined Intel Operations”amass intel -d example.com -whois -asn -o intel_results.txtDNS Subcommand
섹션 제목: “DNS Subcommand”The dns subcommand verifies DNS resolution and performs DNS-specific operations.
DNS Resolution Verification
섹션 제목: “DNS Resolution Verification”amass dns -d example.comResolve a Specific Subdomain
섹션 제목: “Resolve a Specific Subdomain”amass dns -d sub.example.comCustom Nameservers
섹션 제목: “Custom Nameservers”amass dns -d example.com -ns 8.8.8.8 -ns 1.1.1.1Output DNS Records
섹션 제목: “Output DNS Records”amass dns -d example.com -o dns_records.txtTrack Subcommand
섹션 제목: “Track Subcommand”Track changes between enumeration runs to identify newly discovered subdomains.
Track Enumeration Changes
섹션 제목: “Track Enumeration Changes”amass track -d example.comTrack with Previous Database
섹션 제목: “Track with Previous Database”# Compare against previous enumeration stored in database
amass track -d example.comView Tracked Changes
섹션 제목: “View Tracked Changes”amass track -d example.com -showDatabase Subcommand
섹션 제목: “Database Subcommand”Query and manage results stored in Amass’s local database from previous enumerations.
Show All Results for Domain
섹션 제목: “Show All Results for Domain”amass db -show -d example.comList All Discovered Names
섹션 제목: “List All Discovered Names”amass db -show -d example.com -namesList All Discovered IPs
섹션 제목: “List All Discovered IPs”amass db -show -d example.com -ipSummary Statistics
섹션 제목: “Summary Statistics”amass db -show -d example.com -summaryExport from Database
섹션 제목: “Export from Database”amass db -show -d example.com -o exported_results.txtDatabase Location
섹션 제목: “Database Location”By default, the database is stored in the user’s home directory at ~/.config/amass/.
Configuration File
섹션 제목: “Configuration File”Create a config.yaml file to persist settings and API credentials for data sources.
Basic Configuration Structure
섹션 제목: “Basic Configuration Structure”# Data source API keys
datasources:
credentials:
- name: shodan
keys:
- "YOUR_SHODAN_API_KEY"
- name: censys
keys:
- "YOUR_CENSYS_API_KEY"
- name: securitytrails
keys:
- "YOUR_SECURITYTRAILS_API_KEY"
# Scope definition
scope:
domains:
- example.com
- example.org
# Brute forcing settings
brute_forcing:
enabled: true
wordlist: /path/to/wordlist.txt
minimum_for_recursive: 3
# DNS alterations and mutations
alterations:
enabled: true
flip_words: true
flip_numbers: true
add_words: true
add_numbers: true
# Performance settings
max_dns_queries: 10000Using the Configuration File
섹션 제목: “Using the Configuration File”amass enum -config /path/to/config.yamlData Source Configuration
섹션 제목: “Data Source Configuration”Amass supports integration with multiple OSINT data sources via API keys. Configure these in your config file or environment.
Shodan API Key
섹션 제목: “Shodan API Key”datasources:
credentials:
- name: shodan
keys:
- "YOUR_SHODAN_API_KEY"Censys API Key
섹션 제목: “Censys API Key”datasources:
credentials:
- name: censys
keys:
- "YOUR_CENSYS_API_KEY"SecurityTrails API Key
섹션 제목: “SecurityTrails API Key”datasources:
credentials:
- name: securitytrails
keys:
- "YOUR_SECURITYTRAILS_API_KEY"VirusTotal API Key
섹션 제목: “VirusTotal API Key”datasources:
credentials:
- name: virustotal
keys:
- "YOUR_VIRUSTOTAL_API_KEY"PassiveTotal API Key
섹션 제목: “PassiveTotal API Key”datasources:
credentials:
- name: passivetotal
keys:
- "YOUR_PASSIVETOTAL_API_KEY"Adding Multiple API Keys
섹션 제목: “Adding Multiple API Keys”datasources:
credentials:
- name: shodan
keys:
- "API_KEY_1"
- "API_KEY_2"
- "API_KEY_3"Output Options
섹션 제목: “Output Options”Control how Amass outputs and saves discovered results.
Output to Text File
섹션 제목: “Output to Text File”amass enum -passive -d example.com -o results.txtJSON Output
섹션 제목: “JSON Output”amass enum -passive -d example.com -json -o results.jsonOutput Directory (Multiple Formats)
섹션 제목: “Output Directory (Multiple Formats)”amass enum -passive -d example.com -dir ./output/All Output Formats
섹션 제목: “All Output Formats”# Saves results in all available formats
amass enum -passive -d example.com -oA resultsVerbose Output
섹션 제목: “Verbose Output”amass enum -passive -d example.com -vVery Verbose (Debug)
섹션 제목: “Very Verbose (Debug)”amass enum -passive -d example.com -vvScripting Engine
섹션 제목: “Scripting Engine”Amass supports custom data source scripts written in Lua for extending functionality.
Script Location
섹션 제목: “Script Location”Place custom scripts in ~/.config/amass/scripts/.
Basic Lua Script Template
섹션 제목: “Basic Lua Script Template”name = "CustomSource"
type = "api"
function vertical(ctx, domain)
-- Your custom enumeration logic here
return {}
endUsing Custom Scripts
섹션 제목: “Using Custom Scripts”amass enum -passive -d example.comCustom scripts are automatically loaded and executed alongside built-in data sources.
Scope Management
섹션 제목: “Scope Management”Define and control the scope of your enumeration to include or exclude specific targets.
Include Unresolvable Names
섹션 제목: “Include Unresolvable Names”amass enum -passive -d example.com -include-unresolvableFilter by IP Address Range
섹션 제목: “Filter by IP Address Range”amass enum -passive -d example.com -ip 192.168.0.0/16Specify CIDR Ranges
섹션 제목: “Specify CIDR Ranges”amass enum -passive -d example.com -cidr 10.0.0.0/8Blacklist Domains
섹션 제목: “Blacklist Domains”amass enum -passive -d example.com -bl example-test.com -bl test-env.comBlacklist from File
섹션 제목: “Blacklist from File”# Create a file with one domain per line
amass enum -passive -d example.com -blf /path/to/blacklist.txtWhitelist Domains
섹션 제목: “Whitelist Domains”amass enum -passive -d example.com -include example.com -include app.example.comPerformance Optimization
섹션 제목: “Performance Optimization”Tune Amass performance based on network conditions and target infrastructure.
Maximum DNS Queries
섹션 제목: “Maximum DNS Queries”# Limit concurrent DNS queries (default: 10000)
amass enum -brute -d example.com -max-dns-queries 5000DNS Query Timeout
섹션 제목: “DNS Query Timeout”# Timeout in seconds for DNS responses
amass enum -brute -d example.com -timeout 30Active Concurrency
섹션 제목: “Active Concurrency”# Control concurrent requests during active enumeration
amass enum -active -d example.comMemory-Constrained Environments
섹션 제목: “Memory-Constrained Environments”# Use fewer concurrent operations
amass enum -passive -d example.com -max-dns-queries 500Distributed Enumeration
섹션 제목: “Distributed Enumeration”# Run multiple instances with different wordlist portions
amass enum -brute -d example.com -w wordlist_part1.txt
amass enum -brute -d example.com -w wordlist_part2.txtTroubleshooting
섹션 제목: “Troubleshooting”DNS Resolution Issues
섹션 제목: “DNS Resolution Issues”# Test with custom nameservers
amass enum -passive -d example.com -ns 8.8.8.8API Key Problems
섹션 제목: “API Key Problems”Check that your API keys are correctly set in the config file and have appropriate permissions. Run Amass with verbose output to see which sources are failing.
Rate Limiting
섹션 제목: “Rate Limiting”If you encounter rate limiting, reduce the number of concurrent queries and increase timeouts:
amass enum -brute -d example.com -max-dns-queries 1000 -timeout 30Memory Issues
섹션 제목: “Memory Issues”For large-scale enumerations, reduce data source use or split the enumeration across multiple runs.
Database Corruption
섹션 제목: “Database Corruption”Clear the database and start fresh:
rm -rf ~/.config/amass/
amass enum -passive -d example.comBest Practices
섹션 제목: “Best Practices”-
Start with Passive Enumeration: Always begin with passive techniques to avoid detection. Add active DNS queries only when needed for validation.
-
Use Configuration Files: Store API credentials and scope definitions in a configuration file to maintain consistency across runs and avoid command-line credential exposure.
-
Combine Multiple Data Sources: Leverage multiple OSINT sources (Shodan, Censys, SecurityTrails) to maximize coverage. Each source often reveals different subdomains.
-
Track Changes Over Time: Use the
tracksubcommand to identify newly discovered subdomains and monitor your attack surface changes. -
Implement Scope Management: Use blacklists and whitelists to focus enumeration on relevant targets and avoid noise from unrelated domains.
-
Validate Actively: After passive enumeration, use active DNS resolution to confirm that discovered subdomains actually resolve to IP addresses.
-
Export for Further Analysis: Export results in JSON format for parsing and further processing with other tools or scripts.
-
Monitor Rate Limits: Be aware of API rate limits from data sources. Use API keys when available to increase quotas.
-
Schedule Regular Enumerations: Run periodic enumerations to detect newly registered subdomains and changes in your attack surface.
-
Combine with Other Tools: Use Amass output as input for vulnerability scanning, port scanning, or further reconnaissance with tools like Nmap.
Related Tools
섹션 제목: “Related Tools”| Tool | Purpose |
|---|---|
| Subfinder | Fast passive subdomain enumeration using multiple sources |
| SecurityTrails | Online OSINT database for domain and subdomain history |
| DNSRecon | DNS reconnaissance and enumeration tool |
| Fierce | DNS scanning tool for discovering non-contiguous IP space |
| Sublist3r | Subdomain enumeration using multiple search engines |
| Nmap | Network mapping and port scanning |
| Shodan | Search engine for internet-connected devices |
| Censys | Search engine for internet scanning and certificate data |