Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
added and updated informational files
- Loading branch information
Showing
2 changed files
with
113 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| # Subdomain and Host Enumeration | ||
|
|
||
| ### Obtain a large number of names without revealing your location to the target organization | ||
|
|
||
| [](https://github.com/moovweb/gvm) [](https://www.apache.org/licenses/LICENSE-2.0) | ||
|
|
||
|
|
||
| The amass tool does not only search a few Internet data sources and then perform brute force subdomain enumeration, but also searches a web archive, in order to obtain web pages from the target organization without them being aware of it! Searching these web pages reveals additional subdomains and host names not likely to be provided by a namelist file. All three methods can be employed together by amass, and have shown to be complementary. | ||
|
|
||
|
|
||
| ## Install | ||
|
|
||
| 1. Download [amass](https://github.com/caffix/amass): | ||
| ``` | ||
| $ go get -u github.com/caffix/amass | ||
| ``` | ||
|
|
||
|
|
||
| 2. Several wordlists can be found in the following directory: | ||
| ``` | ||
| $ ls $GOPATH/src/github.com/caffix/amass/wordlists | ||
| ``` | ||
|
|
||
|
|
||
| 3. Build the amass binary: | ||
| ``` | ||
| $ go build -o $GOPATH/bin/amass $GOPATH/src/github.com/caffix/amass/main.go | ||
| ``` | ||
|
|
||
|
|
||
| ## Running amass | ||
|
|
||
| The most basic use of the tool: | ||
| ``` | ||
| $ amass example.com | ||
| ``` | ||
|
|
||
|
|
||
| Get amass provide summary information: | ||
| ``` | ||
| $ amass -v example.com | ||
| ``` | ||
|
|
||
|
|
||
| Have amass print IP addresses with the discovered names: | ||
| ``` | ||
| $ amass -ip example.com | ||
| ``` | ||
|
|
||
|
|
||
| Allow amass to included additional domains in the search using reverse whois information: | ||
| ``` | ||
| $ amass -whois example.com | ||
| ``` | ||
|
|
||
|
|
||
| You can have amass list out all the domains discovered with reverse whois before performing the enumeration: | ||
| ``` | ||
| $ amass -whois -list example.com | ||
| ``` | ||
|
|
||
|
|
||
| Have amass perform brute force subdomain enumeration as well: | ||
| ``` | ||
| $ amass -brute wordlist_filepath.txt example.com | ||
| ``` | ||
|
|
||
|
|
||
| Add some additional domains to the search: | ||
| ``` | ||
| $ amass example.com example1.com example2.com | ||
| ``` | ||
|
|
||
| In the above example, the domains example1.com and example2.com are simply appended to the list potentially provided by the reverse whois information. | ||
|
|
||
|
|
||
| All these options can be used together: | ||
| ``` | ||
| $ amass -v -ip -whois -brute wordlist_filepath.txt example.com example1.com | ||
| ``` | ||
|
|
||
| **Be sure that the target domain is the last parameter provided to amass.** | ||
|
|
||
|
|
||
| ## Settings for the amass Maltego Local Transform | ||
|
|
||
| 1. Setup a new local transform within Maltego: | ||
|
|
||
|  | ||
|
|
||
|
|
||
| 2. Configure the local transform to properly execute the go program: | ||
|
|
||
|  | ||
|
|
||
|
|
||
| 3. Go into the Transform Manager, and disable the **debug info** option: | ||
|
|
||
|  | ||
|
|
||
|
|
||
| ## Let me know what you think | ||
|
|
||
| **NOTE: Still under development.** | ||
|
|
||
| **Author: Jeff Foley / @jeff_foley** | ||
|
|
||
| **Company: ClaritySec, Inc. / @claritysecinc** |