Amass – Subdomain Enumeration Tool – All things in moderation

# Amass – Subdomain Enumeration Tool

## I. What is amass?

Amass is a subdomain enumeration tool that draws on a large number of disparate data sources and analyses the resolved names in order to deliver the largest number of quality results.

Amass performs scraping of data sources, recursive brute forcing, crawling of web archives, permuting and altering of names, reverse DNS sweeping, and machine learning to obtain additional subdomain names. The architecture makes it easy to add new subdomain enumeration techniques as they are developed.

DNS name resolution is performed across many public servers so the authoritative server will see traffic coming from different locations.

## II. How to Install?

### Prebuilt

A precompiled version is available for each release.

If your operating environment supports Snap, you can install amass from the Snap store, or perform the following from the command line:

$ sudo snap install amass

If you would like snap to get you the latest unstable build of amass, type the following command:

$ sudo snap install --edge amass

### From Source

If you would prefer to build your own binary from the latest version of the source code, make sure you have a correctly configured Go >= 1.10 environment. More information about how to achieve this can be found on the golang website. Then, take the following steps:

$ go get -u github.com/caffix/amass

At this point, the amass binary should be in $GOPATH/bin.

Several wordlists can be found in the following directory:
$ ls $GOPATH/src/github.com/caffix/amass/wordlists/
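As an added example (not code from the original post or from the amass project), the following POSIX shell helper checks that the installed Go toolchain meets the Go >= 1.10 requirement before `go get` is attempted, and exports the same GOROOT/GOPATH/PATH settings the post uses below. The function names and the version-comparison logic are this example's own assumptions; the paths are the ones the post uses.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the Go toolchain
# satisfies the "Go >= 1.10" requirement before building amass from source,
# and export the GOROOT/GOPATH/PATH settings the post describes.
# Function names are ours; the paths (/usr/local/go, $HOME/Projects/Proj)
# are the ones used in the post.

MIN_GO_MAJOR=1
MIN_GO_MINOR=10

# go_version_ok VERSION: succeed when VERSION, in the form printed by
# `go version` (e.g. "go1.10.1", "go1.9.2", "go1.11rc1"), is at least go1.10.
go_version_ok() {
    v=${1#go}                                 # "go1.10.1" -> "1.10.1"
    case $v in *.*) ;; *) v="$v.0" ;; esac    # "go2" -> "2.0"
    major=${v%%.*}                            # "1"
    rest=${v#*.}                              # "10.1"
    minor=${rest%%.*}                         # "10"
    minor=${minor%%[!0-9]*}                   # "11rc1" -> "11"
    major=${major%%[!0-9]*}                   # "devel" -> "" (rejected below)
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    if [ "$major" -gt "$MIN_GO_MAJOR" ]; then
        return 0
    fi
    [ "$major" -eq "$MIN_GO_MAJOR" ] && [ "$minor" -ge "$MIN_GO_MINOR" ]
}

# installed_go_version: print the version token from `go version`
# (third field, e.g. "go1.10.1"); fail when go is not on PATH.
installed_go_version() {
    command -v go >/dev/null 2>&1 || return 1
    go version | awk '{print $3}'
}

# setup_go_env: export the variables from the post so the current shell finds
# both the toolchain and any binaries installed with `go get`.
setup_go_env() {
    export GOROOT=/usr/local/go
    export GOPATH="$HOME/Projects/Proj"
    export PATH="$GOPATH/bin:$GOROOT/bin:$PATH"
}

# check_go_toolchain: fail with a clear message when Go is missing or too old,
# so `go get -u github.com/caffix/amass` is not attempted against a toolchain
# that cannot build the project.
check_go_toolchain() {
    ver=$(installed_go_version) || { echo "go not found on PATH" >&2; return 1; }
    if go_version_ok "$ver"; then
        echo "ok: $ver satisfies go >= ${MIN_GO_MAJOR}.${MIN_GO_MINOR}"
    else
        echo "error: $ver is older than go ${MIN_GO_MAJOR}.${MIN_GO_MINOR}" >&2
        return 1
    fi
}

# When run directly on a host that has Go, set up the environment and report.
if command -v go >/dev/null 2>&1; then
    setup_go_env
    check_go_toolchain
fi
```

Source the file (or paste the functions into `~/.profile`) so that `setup_go_env` persists for later shells; `check_go_toolchain` is the gate to run before the `go get` step.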

Now, let’s go.

### Install golang

With Ubuntu 14.04 LTS:

$ sudo apt-get update
$ sudo apt-get -y upgrade


$ wget https://dl.google.com/go/go1.10.1.linux-amd64.tar.gz

Now extract the downloaded archive and install it to the desired location on the system.

$ sudo tar -xvf go1.10.1.linux-amd64.tar.gz
$ sudo mv go /usr/local

Setup Go Environment

GOROOT is the location where the Go package is installed on your system.

export GOROOT=/usr/local/go

GOPATH is the location of your work directory. For example, my project directory is ~/Projects/Proj.

export GOPATH=$HOME/Projects/Proj


Now set the PATH variable to access the go binary system-wide.

export PATH=$GOPATH/bin:$GOROOT/bin:$PATH

Verify the installation:

go version

Download amass:

go get -u github.com/caffix/amass

## III. Using the Tool

The most basic use of the tool, which includes reverse DNS lookups and name alterations:

$ amass -d example.com


Additional domain names can be added to the enumeration:

$ amass -d example1.com,example2.com -d example3.com

You can also provide the initial domain names via an input file:

$ amass -df domains.txt


Get amass to provide the sources that discovered the subdomain names and print summary information:

$ amass -v -d example.com
[Google] www.example.com
[VirusTotal] ns.example.com
...
13242 names discovered - scrape: 211, dns: 4709, archive: 126, brute: 169, alt: 8027

Have amass print IP addresses with the discovered names:

$ amass -ip -d example.com
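The source-tagged verbose format above lends itself to post-processing. The POSIX shell/awk helpers below are an added example, not part of the original post or the amass project: they count discovered names per data source, reduce the output to a sorted list of unique hostnames, and diff that list against a previous run so newly exposed hosts stand out. The sample output lines embedded in the script are constructed for the example, and the function names are its own.

```shell
#!/bin/sh
# Added example, not part of the original post: post-process `amass -v` output,
# where each discovered name is prefixed with the source that found it
# ("[Google] www.example.com") and the last line is a summary.
# The sample below is constructed for this example; function names are ours.

SAMPLE_OUTPUT='[Google] www.example.com
[VirusTotal] ns.example.com
[Google] mail.example.com
[Brute Forcing] dev.example.com
[Google] www.example.com
13242 names discovered - scrape: 211, dns: 4709, archive: 126, brute: 169, alt: 8027'

# count_by_source: read -v output on stdin, print "<source> <count>" per data
# source sorted by name. Handy for seeing which passive sources actually
# contribute before settling on a repeatable enumeration.
count_by_source() {
    LC_ALL=C awk '
        /^\[[^]]+\] / {
            src = substr($0, 2, index($0, "]") - 2)   # text between [ and ]
            n[src]++
        }
        END { for (s in n) print s, n[s] }
    ' | LC_ALL=C sort
}

# names_only: drop the source tag and the summary line, leaving one unique
# hostname per line (C-locale sorted) for use as an asset inventory.
names_only() {
    LC_ALL=C awk '/^\[[^]]+\] / { print $NF }' | LC_ALL=C sort -u
}

# new_names OLD_FILE: hostnames in the current run (stdin) that are absent from
# OLD_FILE (a previous names_only listing, any order), i.e. newly exposed
# hosts a defender should review.
new_names() {
    old=$(mktemp)
    LC_ALL=C sort -u "$1" > "$old"      # comm needs both inputs sorted
    names_only | LC_ALL=C comm -13 "$old" -
    rm -f "$old"
}

# When run directly, summarise the constructed sample. With a real run use:
#   amass -v -d example.com | count_by_source
printf '%s\n' "$SAMPLE_OUTPUT" | count_by_source
```

Because `names_only` de-duplicates, the duplicate `www.example.com` line in the sample appears once in the inventory while `count_by_source` still credits Google with three hits; keep the inventory from each run (for example with `-o out.txt`) so that `new_names` has a baseline to compare against.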


Have amass write the results to a text file:

$ amass -ip -o out.txt -d example.com

Have all the data collected written to a file as individual JSON objects:

$ amass -json out.txt -d example.com


Have amass send all the DNS and infrastructure enumerations to the Neo4j graph database:

$ amass -neo4j neo4j:<password>@<host>:7687 -d example.com

Specify your own DNS resolvers on the command line or from a file:

$ amass -v -d example.com -r 8.8.8.8,1.1.1.1


The resolvers file can be provided using the following command-line switch:

$ amass -v -d example.com -rf data/resolvers.txt

If you would like to blacklist some subdomains:

$ amass -bl blah.example.com -d example.com


The blacklisted subdomains can be specified from a text file as well:

$ amass -blf data/blacklist.txt -d example.com

The amass feature that performs alterations on discovered names and attempts to resolve them can be disabled:

$ amass -noalts -d example.com


Use active information gathering techniques to attempt DNS zone transfers on all discovered authoritative name servers and obtain TLS/SSL certificates for discovered hosts on all specified ports:

$ amass -active -d example.com net -p 80,443,8080

Caution: this is an active technique that will reveal your IP address to the target organization.

Have amass perform brute force subdomain enumeration as well:

$ amass -brute -d example.com


By default, amass performs recursive brute forcing on new subdomains; this can be disabled:

$ amass -brute -norecursive -d example.com

If you would like to perform recursive brute forcing only after enough discoveries have been made:

$ amass -brute -min-for-recursive 3 -d example.com


Change the wordlist used during the brute forcing phase of the enumeration:

$ amass -brute -w wordlist.txt -d example.com

Throttle the rate of DNS queries by number per minute:

$ amass -freq 120 -d example.com


Allow amass to include additional domains in the search using reverse whois information:

$ amass -whois -d example.com

You can have amass list all the domains discovered with reverse whois before performing the enumeration:

$ amass -whois -l -d example.com


Only the first domain provided is used while performing the reverse whois operation.

## Network/Infrastructure Options
Caution: If you use these options without specifying root domain names, amass will attempt to reach out to every IP address within the identified infrastructure and obtain names from TLS certificates. This is “loud” and can reveal your reconnaissance activities to the organization being investigated.

If you do provide root domain names on the command-line, these options will simply serve as constraints to the amass output.

All the flags shown here require the ‘net’ subcommand to be specified first.

To discover all domains hosted within target ASNs, use the following option:

$ amass net -asn 13374,14618

To investigate within target CIDRs, use this option:

$ amass net -cidr 192.184.113.0/24,104.154.0.0/15


To limit your enumeration to specific IPs or address ranges, use this option:

$ amass net -addr 192.168.1.44,192.168.2.1-64

By default, port 443 will be checked for certificates, but the ports can be changed as follows:

$ amass net -cidr 192.168.1.0/24 -p 80,443,8080
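Because the `net` options sweep an entire range when no root domain is given, a wrapper that refuses to start such a run unless `-d` or `-df` is also present keeps an enumeration inside its intended scope and avoids the "loud" behaviour described above. The script below is an added example (not the post's or the project's code); the function names and the `AMASS_ALLOW_SWEEP` override variable are its own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: a scope guard around
# `amass net`. It refuses to run -asn/-cidr/-addr selectors unless root domain
# names (-d or -df) are also given, so the selectors act as constraints on the
# output instead of triggering a certificate sweep of every address in range.
# Function names and the AMASS_ALLOW_SWEEP override are this example's own.

# net_args_in_scope ARGS...: succeed when either no infrastructure selector is
# present, or a root domain is given alongside it.
net_args_in_scope() {
    selector=0
    domain=0
    for a in "$@"; do
        case $a in
            -asn|-cidr|-addr) selector=1 ;;
            -d|-df)           domain=1 ;;
        esac
    done
    [ "$selector" -eq 0 ] || [ "$domain" -eq 1 ]
}

# safe_amass_net ARGS...: validate the arguments, then run `amass net ARGS...`
# if amass is installed. Exit status 2 means the call was refused as out of
# scope; 127 means amass is not on PATH.
safe_amass_net() {
    if [ "${AMASS_ALLOW_SWEEP:-0}" != "1" ] && ! net_args_in_scope "$@"; then
        echo "refusing: -asn/-cidr/-addr given without -d/-df (set AMASS_ALLOW_SWEEP=1 to override)" >&2
        return 2
    fi
    if ! command -v amass >/dev/null 2>&1; then
        echo "amass not found on PATH; would run: amass net $*" >&2
        return 127
    fi
    amass net "$@"
}

# Usage (constrained run, as in the post's examples with root domains):
#   safe_amass_net -asn 13374,14618 -d example.com
# Deliberate full sweep, explicitly acknowledged:
#   AMASS_ALLOW_SWEEP=1 safe_amass_net -cidr 192.168.1.0/24 -p 80,443,8080
```

The guard only inspects flag names, so it never alters the arguments it forwards; the override variable exists so that a deliberate infrastructure-wide sweep has to be spelled out rather than happening by omission of `-d`.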


You can use the tool and tell me your rating or the difficulties you had when using amass. Thank you.

Reference:
https://github.com