In-Depth DNS Enumeration and Network Mapping
Clone or download

README.md

OWASP Logo OWASP Amass

GitHub Issues CircleCI Status GitHub Release Go Version License Contribute Yes Chat on Discord Follow on Twitter


The OWASP Amass tool suite obtains subdomain names by scraping data sources, recursive brute forcing, crawling web archives, permuting/altering names and reverse DNS sweeping. Additionally, Amass uses the IP addresses obtained during resolution to discover associated netblocks and ASNs. All the information is then used to build maps of the target networks.


Network graph

How to Install

Prebuilt

A precompiled version is available for each release.

If you are on a distribution such as Kali Linux, and have never used snap previously, follow these steps to access snap packages:

$ sudo apt install snapd

$ sudo systemctl start snapd

Add the snap binaries to your PATH using a method similar to the following:

$ export PATH=$PATH:/snap/bin

If your operating environment supports Snap, you can click here to install, or perform the following from the command-line:

$ sudo snap install amass

If you would like snap to get you the latest unstable build of OWASP Amass, type the following command:

$ sudo snap install --edge amass

Periodically, execute the following command to update all your snap packages:

$ sudo snap refresh

Using Docker

  1. Build the Docker image:
sudo docker build -t amass https://github.com/OWASP/Amass.git
  1. Run the Docker image:
sudo docker run amass --passive -d example.com

From Source

If you would prefer to build your own binary from the latest version of the source code, make sure you have a correctly configured Go >= 1.10 environment. More information about how to achieve this can be found on the golang website. Then, take the following steps:

  1. Download amass:
$ go get -u github.com/OWASP/Amass/...
  1. If you wish to rebuild the binaries from the source code:
$ cd $GOPATH/src/github.com/OWASP/Amass

$ go install ./...

At this point, the binaries should be in $GOPATH/bin.

  1. Several wordlists can be found in the following directory:
$ ls $GOPATH/src/github.com/OWASP/Amass/wordlists/

Using the Tool

The most basic use of the tool, which includes reverse DNS lookups and name alterations:

$ amass -d example.com

The example below is a good place to start with amass:

$ amass -v -ip -brute -min-for-recursive 3 -d example.com
[Google] www.example.com
[VirusTotal] ns.example.com
...
13139 names discovered - archive: 171, cert: 2671, scrape: 6290, brute: 991, dns: 250, alt: 2766

Add some additional domains to the enumeration:

$ amass -d example1.com,example2.com -d example3.com

Switches available through the amass CLI:

Flag Description Example
-active Enable active recon methods amass -active -d example.com net -p 80,443,8080
-bl Blacklist undesired subdomains from the enumeration amass -bl blah.example.com -d example.com
-blf Identify blacklisted subdomains from a file amass -blf data/blacklist.txt -d example.com
-brute Perform brute force subdomain enumeration amass -brute -d example.com
-d Provide a domain name to include in the enumeration amass -d example.com
-df Specify the domains to be enumerated via text file amass -df domains.txt
-do Write all the data operations to a JSON file amass -do data.json -d example.com
-h Show the amass usage information amass -h
-ip Print IP addresses with the discovered names amass -ip -d example.com
-json All discoveries written as individual JSON objects amass -json out.json -d example.com
-l List all the domains to be used during enumeration amass -whois -l -d example.com
-log Log all error messages to a file amass -log amass.log -d example.com
-min-for-recursive Number of subdomain names required for recursive brute forcing to begin amass -brute -min-for-recursive 3 -d example.com
-noalts Disable alterations of discovered names amass -noalts -d example.com
-passive A purely passive mode of execution amass --passive -d example.com
-norecursive Disable recursive brute forcing amass -brute -norecursive -d example.com
-o Write the results to a text file amass -o out.txt -d example.com
-oA Output to all available file formats with prefix amass -oA amass_scan -d example.com
-r Specify your own DNS resolvers amass -r 8.8.8.8,1.1.1.1 -d example.com
-rf Specify DNS resolvers with a file amass -rf data/resolvers.txt -d example.com
-v Output includes data source and summary information amass -v -d example.com
-version Print the version number of amass amass -version
-w Change the wordlist used during brute forcing amass -brute -w wordlist.txt -d example.com
-whois Search using reverse whois information amass -whois -d example.com

If you need Amass to run faster, then you have three choices:

  1. Only use the passive data sources:
$ amass --passive -d example.com
  1. Turn off the subdomain name alteration / permutation service:
$ amass --noalts -d example.com
  1. Increase the maximum number of file descriptors for a process:

The following Linux/Unix command will show you the hard limit for file descriptors used by amass.

$ ulimit -Hn

The superuser can change this hard limit to grant a larger number of file descriptors to running processes. Raising this limit will cause amass to perform more DNS resolutions simultaneously, and allow enumerations to complete faster. On Linux systems, this can usually be accomplished within the /etc/security/limits.conf file.

amass.netdomains

Caution: If you use the amass.netdomains tool, it will attempt to reach out to every IP address within the identified infrastructure and obtain domains names from reverse DNS requests and TLS certificates. This is "loud" and can reveal your reconnaissance activities to the organization being investigated.

Lookup ASNs by searching the descriptions registered by organizations:

$ amass.netdomains -org Facebook
32934, US, ARIN, FACEBOOK - Facebook, Inc., US
54115, US, ARIN, FACEBOOK-CORP - Facebook Inc, US
63293, US, ARIN, FACEBOOK-OFFNET - Facebook, Inc., US

To discover all domains hosted within target ASNs, use the following option:

$ amass.netdomains -asn 13374,14618

To investigate target CIDRs, use this option:

$ amass.netdomains -cidr 192.184.113.0/24,104.154.0.0/15

For specific IPs or address ranges, use this option:

$ amass.netdomains -addr 192.168.1.44,192.168.2.1-64

By default, port 443 will be checked for certificates, but the ports can be changed as follows:

$ amass.netdomains -cidr 192.168.1.0/24 -p 80,443,8080

amass.viz

Create enlightening network graph visualizations that provide structure to the information you gather. This tool requires an input file generated by the amass '-do' flag.

Switches for outputting the DNS and infrastructure findings as a network graph:

Flag Description Example
-d3 Output a D3.js v4 force simulation HTML file amass.viz -d3 net.html -i data_ops.json
-gexf Output to Graph Exchange XML Format (GEXF) amass.viz -gephi net.gexf -i data_ops.json
-graphistry Output Graphistry JSON amass.viz -graphistry net.json -i data_ops.json
-visjs Output HTML that employs VisJS amass.viz -visjs net.html -i data_ops.json

amass.db

Have amass send all the DNS and infrastructure information gathered to a graph database. This tool requires an input file generated by the amass '-do' flag.

$ amass.db -neo4j neo4j:DoNotUseThisPassword@localhost:7687 -i data_ops.json

Integrating OWASP Amass into Your Work

If you are using the amass package within your own Go code, be sure to properly seed the default pseudo-random number generator:

import(
    "fmt"
    "math/rand"
    "time"

    "github.com/OWASP/Amass/amass"
)

func main() {
    rand.Seed(time.Now().UTC().UnixNano())

    enum := amass.NewEnumeration()

    go func() {
        for result := range enum.Output {
            fmt.Println(result.Name)
        }
    }()

    enum.AddDomain("example.com")
    enum.Start()
}

Settings for the OWASP Amass Maltego Local Transform

  1. Setup a new local transform within Maltego:

Maltego setup process

  1. Configure the local transform to properly execute the go program:

Maltego configuration

  1. Go into the Transform Manager, and disable the debug info option:

Disabling debug

Community

  • Discord Server - Discussing OSINT, network recon and developing security tools using Go

Mentions

Example Amass Terminal Capture

Presented at Facebook (and shared publically) for the Sept. 2018 OWASP London Chapter meeting:

asciicast